So where does one go to retrieve the REAL-ID information as well as for those states AAMVA doesn’t have a connection agreement with those states? Perhaps AAMVA is more of an attribute service, or a trusted intermediary, going to each of the authoritative data sources (DMV) to obtain the data requested of the CSP. From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz> Sent: Tuesday, September 17, 2024 2:14 PM To: 'Lorrayne Auld' <lorraynejs@gmail.com>; yehoshua@proof.com; 'Jimmy Jung' <jimmy.jung@slandala.com> Cc: wg-idassurance@kantarainitiative.org Subject: RE: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources Isn’t it authoritative to the extent that issuers allow it to access their data? It just isn’t authoritative across all 54 (55?) issuing sources. But it isn’t authoritative about REAL-ID status, so caveat. Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz <http://www.Zygma.biz> +1 714 797 9942 From: Lorrayne Auld [mailto:lorraynejs@gmail.com] Sent: Tuesday, September 17, 2024 17:39 To: yehoshua@proof.com <mailto:yehoshua@proof.com> ; 'Jimmy Jung' Cc: wg-idassurance@kantarainitiative.org <mailto:wg-idassurance@kantarainitiative.org> Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources I just finished reviewing this section of 63A this morning so is fresh in my mind. I view AAMVA as a credible source for physical driver's licenses as it’s a private corporation and not a government entity. Also of note is their DLDV that was noted in the document. To my knowledge, not all states participate in this service so how can this be deemed authoritative? AAMVA may eventually become an authoritative source for mDLs if and when the States look to them as the issuer of the Digital Trust Service (DTS). mDL implementation and DTS participation by state is here near the bottom of the page: https://www.aamva.org/jurisdiction-data-maps From: Yehoshua Silberstein via WG-IDAssurance <wg-idassurance@kantarainitiative.org <mailto:wg-idassurance@kantarainitiative.org> > Sent: Tuesday, September 17, 2024 12:54 PM To: Jimmy Jung <jimmy.jung@slandala.com <mailto:jimmy.jung@slandala.com> > Cc: wg-idassurance@kantarainitiative.org <mailto:wg-idassurance@kantarainitiative.org> Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources Two points - 1. The Social Security Number Verification Service is another authoritative source. 2. Arguably, being subject to regulatory oversight isn't clear enough to mean anything substantial. All these entities are subject to numerous privacy-related regulations, and depending on the specific database, can be subject to regulations related to KYC/AML or FTC data security requirements to name a few. On Tue, Sep 17, 2024 at 12:17 PM Jimmy Jung <jimmy.jung@slandala.com <mailto:jimmy.jung@slandala.com> > wrote: .. but there was one I kind of wanted to get out there early. CSPs SHOULD collect core attributes, but SHALL validate them with authoritative or credible sources, which seems to point to some perverse incentives. But more critically, looking at the definitions of authoritative and credible sources; am I mistaken, but is AAMVA the ONLY accessible authoritative source? And does linking “regulatory oversight” to the credible sources severely limit it to the big 3 credit bureaus and maybe a few more? (did MNO aggregators just drop out?) jimmy 2.4.2.4. Validation Sources The CSP SHALL use authoritative or credible sources that meet the following criteria. 760 An authoritative source is the issuing source of identity evidence or attributes, or has 761 direct access to the information maintained by issuing sources, such as state DMVs for 762 driver’s license data and the Social Security Administration for Social Security Cards 763 and Social Security Numbers. An authoritative source may also be one that provides or 764 enables direct access to issuing sources of evidence or attributes, such as the American 765 Association of Motor Vehicle Administrators’ Driver’s License Data Verification (DLDV) 766 Service. 767 A credible source is an entity that can provide or validate the accuracy of identity 768 evidence and attribute information. In addition to being subject to regulatory oversight 769 (such as the Fair Credit Reporting Act (FCRA)), a credible source has access to attribute 770 information that can be traced to an authoritative source, or maintains identity attribute 771 information obtained from multiple sources that is correlated for accuracy, consistency, 772 and currency. Examples of credible sources are credit bureaus that are subject to the 773 FCRA. 774 13 _______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org <mailto:wg-idassurance@kantarainitiative.org> To unsubscribe send an email to staff@kantarainitiative.org <mailto:staff@kantarainitiative.org> List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantara... ______ Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance -- Yehoshua Silberstein | Senior Counsel, Product Compliance R&D yehoshua@proof.com <mailto:yehoshua@proof.com> (857) 577-8144 <https://lh3.googleusercontent.com/7nPoP42JZWBh2Tlgr4Pk7-Xw-dNkaxwcdqDAvNQRyg6qsp8AF5yG2dS_GVGlTxN6HOjmQLy9Gz7BLQ6Mof1AGW2HvWNr9qo5ClraeV3cMw3mbQNSeXhW9MXLV7riSDcQQdKXYCRwkHzOaTP8sxWYhmo> Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do! NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.