Folks,

Whereas NIST wrote SP 800-63 rev.3 from the perspective of what a complete set of proofing, authentication, federation requirements might be, Kantara has, in response to market demand, accommodated within the IAF Approval scheme both Full and Component Services.

Generally speaking the structure and level of granularity of criteria allows a provider of a Component Service to state which criteria apply and which do not.  However, I see some restriction being implied by 63A#0180 by reason of the very high perspective of this criterion and its sub-parts.  By stating what the ‘end game’ (i.e. Full Service) proofing evidence requirements are, and accepting that a criterion is either applicable or not, but there being no provision for ‘partially acceptable’, this criterion does not allow a Component Service provider to support part of the evidence selection and processing of a complete proofing while allowing its Service Consumer to provide the other evidence forms within the overall proofing.

Such a use case might be a provider which provides for proofing a STRONG form of evidence, perhaps because it can resolve the technologically-demanding parts of the end-end process, while it doesn’t support the processing of any FAIR evidence.

In full disclosure, I have a client which deploys such a service, handling a STRONG and a single FAIR form of evidence while the Service Consumer handles the second FAIR form of evidence.  In such cases the criteria should be considered ‘not applicable’, yet to do so denies the CSP the recognition for the conformant processing of those forms of evidence which it does handle.

I am therefore proposing to the IAWG a revision to 63A#0180 which, by breaking down the inherent ‘breadth’ of this criterion, allows for more definitive applicability to be denoted.  Please see the attached proposed changes.

Clearly, in the cases of the expanded sub-criteria c) and d), a Full Service would have to indicate ‘applicable’ for all sub-parts of c) and/or d) respectively, whereas a Component Service could be selective, according to its architecture/design.

I will be happy to discuss these at our next IAWG meeting, 04-11.

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942