Thanks Lorrayne,

 

I imagine that the use case separation between IAL2 and IAL3 is going to be who owns the “remote terminal.”  Taking on the cost and logistics of deploying CSP controlled kiosks is probably not merited unless you are shooting for IAL3.  Supervised Remote In-person at IAL2 is going to be via the applicant’s phone or laptop. 

 

Combining our thoughts, it seems unlikely that a CSP would deploy a kiosk in a location that did not meet IAL3, when IAL2 could be performed on the phone. Hence, my thinking that 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal is the criteria that is the real distinction between IAL2 and IAL3; and also my hesitancy at including 63A#0450 - clearly witness all applicant actions, when this is dependent on the applicant’s equipment. At IAL2, we could define this as the supervisor being satisfied with the clarity; while at IAL3 this could be a technical criteria; but one is subjective and neither clings to 800-63 as written.

 

jimmy

 

 

From: Lorrayne Auld <lorraynejs@gmail.com>
Sent: Monday, August 7, 2023 2:47 PM
To: Jimmy Jung <jimmy.jung@slandala.com>
Cc: Lynzie Adams <lynzie@kantarainitiative.org>; IAWG <wg-idassurance@kantarainitiative.org>
Subject: Re: [WG-IDAssurance] Supervised Remote Criteria

 

In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment.   

 

In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3).  

 

I think it could be helpful to identify use cases for supervised remote for IAL2 and IAL3.

 


On Aug 7, 2023, at 2:24 PM, Jimmy Jung <jimmy.jung@slandala.com> wrote:



 

Folks,

 

It sounds like the Supervised Remote Criteria is the next big hurdle.

 

The first question I would ask is what is our guiding philosophy regarding tracking with 800-63.  I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification.  But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.”  So, it would seem that we often cling very closely to the 800-63.  With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3.  IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara?

 

That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough?

 

I welcome your thoughts

 

Jimmy

  1. 63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart
  2. 63A#0530 – Proofing Supervisor participates entirety of the remote session
  3. 63A#0540 – clearly witness all applicant actions
  4. 63A#0550 – integrated scanners and sensors
  5. 63A#0560 – Training
  6. 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal
  7. 63A#0580 – Secure Communications

 

 

As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along. 

 

Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure their process is being assessed even at IAL2.

 

I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria. 

 

Thanks & enjoy your weekend,

<supervised remote identity proofing criteria.docx>
