To respond to both your points,

I agree with Martin that an address of record is attached to a verified identity, but that it need not be evidence of the identity, and that the subscriber uses their authentication factors, not their address of record, to authorize the CSP to act on their behalf. The address of record is a communication channel for the applicant/subscriber to receive important communications from the CSP (e.g. proofing notifications) and as a delivery channel for the subscriber's authenticators.

As it relates to validation and verification, it is reasonable to argue that an address can be validated by confirming deliverability (i.e. by sending mail either physically or electronically to the address and having it reach the expected destination) and that it can be verified through the applicant's return of the enrollment code. Also, because an address of record is not used to establish the core identity, it does not need to be on the identity evidence. (See 800-63A § 4.4.1.6(2) which allows a CSP to confirm address of record by validating information supplied by the applicant that's not on their identity evidence and pages 37 & 38 of the current Conformance Criteria which allow an enrollment code to both validate and verify an address, establishing it as the applicant's address of record.)

Regarding Blake's point, I interpret the previously cited Conformance Criteria as supporting the position that validation with external records separate from an enrollment code should not be required. I am also unclear about the relevance of GLB to this discussion. GLB requires financial institutions to protect consumer PII which includes addresses, but does not touch on the reliability of records for confirming addresses. (It is also not referenced in 800-63 regarding addresses of record.)

Whether addresses of record can also serve as identity evidence to prove the actual identity, such as through a phone carrier lookup confirming the applicant's ownership of the phone number is not necessary to fulfill the purpose of an address of record and should not be required by the 800-63 standards. While you are absolutely correct that an address of record must be established as a part of the identity proofing process, the definition of address of record and its associated requirements point to its primary function as a communication/delivery channel, rather than a form of identity evidence.

On Sun, Jan 21, 2024 at 11:17 AM Blake Hall <blake@id.me> wrote:

Chiming in here.

An Address of Record should be an attribute that is referenceable in GLB compliant records (e.g. phone number, mailing address, email address, etc). In that sense, once the user confirms they have possession of the address, which is also in records and can happen in a variety of ways, then it is useful both as evidence and for communications.

A Communications or Notifications Address is something the user could choose to bind to their profile post-authentication and identity proofing. In terms of lifecycle, this address would then be designated as a Communications/Notifications Address -- and also an Address of Record if a proofed user entered it (that's how most GLB data originates) -- whereas a user might not wish to get notifications at other Addresses of Record.

There is almost certainly more nuance here but I believe very strongly address of record and the user's ability to confirm possession is a key component of evidence & proofing.

On Sun, Jan 21, 2024 at 10:17 AM Martin Smith <martin@bfcmclean.com> wrote:

IAWG – I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel

IAWG –

I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel (in the form of an email or postal address, perhaps a telephone number) using which the CSP can send a message to a subscriber." This is a one-way channel: presumably the CSP would not rely on messages received via the channel, since the sender would not be authenticated. The subscriber would presumably be required to use an authenticated channel to communicate with the CSP. Who is the "authoritative source" of this attribute? It seems clearly to be the subscriber, though the CSP might want to confirm (verify? validate?) that the "address of record" channel is working by sending a message and requiring the subscriber to respond back via the CSP's authenticated channel. Recourse for failure of the subscriber to respond would be for the CSP to invalidate—permanently or temporarily-- the credentials issued to the subscriber. The subscriber would use the CSP's authenticated channel to provide updates to the "address of record".

I don't know how this might translate into language for a recommendation to NIST, if at all: just trying to work out the limitations of what the address-of-record should be used for, and the extent to which any assessment of conformance might be needed (which appears to be minimal.)

Martin

---

Martin Smith

703 389-3224

From: Yehoshua Silberstein via WG-IDAssurance <wg-idassurance@kantarainitiative.org>
Sent: Friday, January 19, 2024 11:13 AM
To: IAWG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Address of record position & EU-US mapping feedback

Good morning everyone!

For those who have not had a chance to review, please see the attached document with our address of record position and provide any feedback via email before our next call on February 8.

I also want to remind everyone to share their thoughts and feedback on the EU-US Trade and Technology Council Digital Identity Mapping Exercise Report via email before the next call as the deadline to provide comments is February 29. Any and all feedback is welcome.

Best,

Yehoshua

--

Yehoshua Silberstein | Associate Counsel, Core Product

yehoshua@proof.com

(857) 577-8144

Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do!

NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives -- https://urldefense.com/v3/__https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/__;!!AVdDjg!qeWojU_gj776bbaqr5DI0Jy7x702qGsd6hos8q2ymcqQYJGjDS7CKvnklFh9ase-HyBFso49hTXx$
______
Group wiki -- https://urldefense.com/v3/__https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance__;!!AVdDjg!qeWojU_gj776bbaqr5DI0Jy7x702qGsd6hos8q2ymcqQYJGjDS7CKvnklFh9ase-HyBFsp8q3ihs$

--
Blake Hall
Founder & CEO
Mobile: 615-293-4702
blake@ID.me

ID.me | We're hiring!

Veterans Get Secure Single-Sign On for Benefits: http://go.id.me/2iKDM6j
President's National Strategy for Trusted Identities in Cyberspace: http://go.id.me/2hZzUKr
Building the Trust Graph: http://go.id.me/trust-graph

This message (including any attachments) may contain confidential and privileged information belonging to the sender, for a specific individual and purpose, and is legally privileged. If you are not the intended recipient, you should delete this message and any disclosure, copying, forwarding or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.

Yehoshua Silberstein | Associate Counsel, Core Product

yehoshua@proof.com

(857) 577-8144

Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do!