Andrew,

 

I am assuming you refer to lines 768/769.  That being so, I would agree with you IF one was talking about an Approved CSP, i.e., the fact that it has undergone an assessment has established confidence that its service can be relied-upon, i.e. its outputs are ‘credible’.

However, I’d say that is wrong in the context of what it takes to be an identity-proofing service iaw 63A rev.4 since the ‘credible sources’ must surely be external to the service which is seeking conformity against the requirements of that standard ?  Those ‘credible sources’ are what allows the CSP’s identity-proofing operations able to validate the evidence being offered by the Applicant. 

And what would be the regulatory oversight?  I don’t think the IAF would qualify as ‘regulatory’.

Do you have your tongue in your cheek? J

 

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942

 

From: Andrew Hughes [mailto:andrewhughes3000@gmail.com]
Sent: Wednesday, September 18, 2024 16:33
To: Marc L. Aronson
Cc: Richard G. WILSHER (@Zygma Inc.); yehoshua@proof.com; wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources

 

Reading 63A 2.4.2.4 about validation sources.

It occurs to me that a "credible source" is, in effect, a CSP that is subject to regulatory oversight. Am I wrong?

 


————————

Andrew Hughes CISM 
m +1 250.888.9474
AndrewHughes3000@gmail.com 

 

 

On Wed, Sep 18, 2024 at 5:27 AM Marc L. Aronson via WG-IDAssurance <wg-idassurance@kantarainitiative.org> wrote:

Is this what you are looking for: https://www.dhs.gov/real-id

 

So where does one go to retrieve the REAL-ID information

 

Marc Aronson

 

We'd love to hear about your experience with us here!

Marc L. Aronson
President & CEO

Pennsylvania Association of Notaries

p: 800-944-8790 x113 | f: 800-707-7075
maronson@notary.org | www.notary.org 
One Gateway Center, Suite 401
420 Fort Duquesne Blvd., Pittsburgh, PA 15222-1498

    

This message (including any attachments) is confidential and may be privileged. If you have received it by mistake, please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. The Pennsylvania Association of Notaries (PAN) shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. PAN does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.

From: Lorrayne Auld <lorraynejs@gmail.com>
Sent: Wednesday, September 18, 2024 06:36
To: 'Richard G. WILSHER (@Zygma Inc.)' <RGW@Zygma.biz>; yehoshua@proof.com; 'Jimmy Jung' <jimmy.jung@slandala.com>
Cc: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources

 

So where does one go to retrieve the REAL-ID information as well as for those states AAMVA doesn’t have a connection agreement with those states? Perhaps AAMVA is more of an attribute service, or a trusted intermediary, going to each of the authoritative data sources (DMV) to obtain the data requested of the CSP.

 

From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Tuesday, September 17, 2024 2:14 PM
To: 'Lorrayne Auld' <lorraynejs@gmail.com>; yehoshua@proof.com; 'Jimmy Jung' <jimmy.jung@slandala.com>
Cc: wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources

 

Isn’t it authoritative to the extent that issuers allow it to access their data?  It just isn’t authoritative across all 54 (55?) issuing sources.
But it isn’t authoritative about REAL-ID status, so caveat.

 

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942

 

From: Lorrayne Auld [mailto:lorraynejs@gmail.com]
Sent: Tuesday, September 17, 2024 17:39
To: yehoshua@proof.com; 'Jimmy Jung'
Cc: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources

 

I just finished reviewing this section of 63A this morning so is fresh in my mind. I view AAMVA as a credible source for physical driver's licenses as it’s a private corporation and not a government entity. Also of note is their DLDV that was noted in the document. To my knowledge, not all states participate in this service so how can this be deemed authoritative?

 

AAMVA may eventually become an authoritative source for mDLs if and when the States look to them as the issuer of the Digital Trust Service (DTS). mDL implementation and DTS participation by state is here near the bottom of the page: https://www.aamva.org/jurisdiction-data-maps

 

From: Yehoshua Silberstein via WG-IDAssurance <wg-idassurance@kantarainitiative.org>
Sent: Tuesday, September 17, 2024 12:54 PM
To: Jimmy Jung <jimmy.jung@slandala.com>
Cc: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources

 

Two points -

  1. The Social Security Number Verification Service is another authoritative source.
  2. Arguably, being subject to regulatory oversight isn't clear enough to mean anything substantial. All these entities are subject to numerous privacy-related regulations, and depending on the specific database, can be subject to regulations related to KYC/AML or FTC data security requirements to name a few.

 

On Tue, Sep 17, 2024 at 12:17 PM Jimmy Jung <jimmy.jung@slandala.com> wrote:

.. but there was one I kind of wanted to get out there early.

 

CSPs SHOULD collect core attributes, but SHALL validate them with authoritative or credible sources, which seems to point to some perverse incentives.

 

But more critically, looking at the definitions of authoritative and credible sources; am I mistaken, but is AAMVA the ONLY accessible authoritative source?  And does linking “regulatory oversight” to the credible sources severely limit it to the big 3 credit bureaus and maybe a few more?  (did MNO aggregators just drop out?)

 

jimmy

 

 

 

2.4.2.4.  Validation Sources

The CSP SHALL use authoritative or credible sources that meet the following criteria. 760

 

An authoritative source is the issuing source of identity evidence or attributes, or has 761

direct access to the information maintained by issuing sources, such as state DMVs for 762

driver’s license data and the Social Security Administration for Social Security Cards 763

and Social Security Numbers. An authoritative source may also be one that provides or 764

enables direct access to issuing sources of evidence or attributes, such as the American 765

Association of Motor Vehicle Administrators’ Driver’s License Data Verification (DLDV) 766

Service. 767

A credible source is an entity that can provide or validate the accuracy of identity 768

evidence and attribute information. In addition to being subject to regulatory oversight 769

(such as the Fair Credit Reporting Act (FCRA)), a credible source has access to attribute 770

information that can be traced to an authoritative source, or maintains identity attribute 771

information obtained from multiple sources that is correlated for accuracy, consistency, 772

and currency. Examples of credible sources are credit bureaus that are subject to the 773

FCRA. 774

13

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/ (-> events.trustifi.com)
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance (-> events.trustifi.com)


 

--

Yehoshua Silberstein | Senior Counsel, Product Compliance R&D

(857) 577-8144

 

 

Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do!


NOTICE: 
This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.



Links contained in this email have been replaced. If you click on a link in the email above, the link will be analyzed for known threats. If a known threat is found, you will not be able to proceed to the destination. If suspicious content is detected, you will see a warning.

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance