Folks,

 

It sounds like the Supervised Remote Criteria is the next big hurdle.

 

The first question I would ask is what is our guiding philosophy regarding tracking with 800-63.  I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification.  But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.”  So, it would seem that we often cling very closely to the 800-63.  With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3.  IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara?

 

That’s my position; although I cannot promise I am sticking to it.  As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580.  In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570.  540 just makes me nervous because I don’t know how to measure it.  Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough?

 

I welcome your thoughts.

 

Jimmy

  • 63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart
  • 63A#0530 – Proofing Supervisor participates entirety of the remote session
  • 63A#0540 – clearly witness all applicant actions
  • 63A#0550 – integrated scanners and sensors
  • 63A#0560 – Training
  • 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal
  • 63A#0580 – Secure Communications

 

 

As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along. 

 

Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure their process is being assessed even at IAL2.

 

I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria. 

 

Thanks & enjoy your weekend,