Let’s not complicate things by inventing new terms unless we absolutely have to. The basic problem here is that NIST has created definitions which are hard to fulfil in an operational context: not all ‘issuing sources’ are enabling access to meet those definitions, plus it is hard to establish the inner workings of these ‘issuing sources’. If NIST cannot be persuaded to use workable terms, i.e. if they present obstacles to workable solutions, then I believe that it is up to Kantara to adopt workable interpretations of NIST’s terms, and operate accordingly. We already do that against -63 rev.3 (for parts A, B and C) and by doing so have developed effective and realistic criteria against which to assess services. That itself is evidenced by the adoption of some of those interpretations being adopted in rev.4. I think that the IAWG, with its full span of membership and representative views, has a better hold on what can and should be done than does NIST. Kantara is the reference standard in practical operations. I’m not trashing NIST’s efforts, and it is valuable to have a technical framework specification from which to work, but I think I see a few reflections off an ivory tower, no? Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942 From: Marc L. Aronson via WG-IDAssurance [mailto:wg-idassurance@kantarainitiative.org] Sent: Wednesday, September 18, 2024 12:27 To: Lorrayne Auld; 'Richard G. WILSHER (@Zygma Inc.)'; yehoshua@proof.com; 'Jimmy Jung' Cc: wg-idassurance@kantarainitiative.org Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources Is this what you are looking for: https://www.dhs.gov/real-id So where does one go to retrieve the REAL-ID information Marc Aronson We'd love to hear about your experience with us here <https://notaryne.ws/feedback> ! Marc L. Aronson President & CEO Pennsylvania Association of Notaries p: 800-944-8790 x113 | f: 800-707-7075 maronson@notary.org | www.notary.org <https://www.notary.org?utm_medium=email&utm_source=direct&utm_campaign=employee> One Gateway Center, Suite 401 420 Fort Duquesne Blvd., Pittsburgh, PA 15222-1498 <https://www.linkedin.com/company/pennsylvania-association-of-notaries> <https://www.facebook.com/PaAssocNotaries> <https://www.instagram.com/paassocnotaries/> <https://www.tiktok.com/@panotaries> <https://www.youtube.com/user/PaAssocNotaries> This message (including any attachments) is confidential and may be privileged. If you have received it by mistake, please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. The Pennsylvania Association of Notaries (PAN) shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. PAN does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference. From: Lorrayne Auld <lorraynejs@gmail.com> Sent: Wednesday, September 18, 2024 06:36 To: 'Richard G. WILSHER (@Zygma Inc.)' <RGW@Zygma.biz>; yehoshua@proof.com; 'Jimmy Jung' <jimmy.jung@slandala.com> Cc: wg-idassurance@kantarainitiative.org Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources So where does one go to retrieve the REAL-ID information as well as for those states AAMVA doesn’t have a connection agreement with those states? Perhaps AAMVA is more of an attribute service, or a trusted intermediary, going to each of the authoritative data sources (DMV) to obtain the data requested of the CSP. From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz> Sent: Tuesday, September 17, 2024 2:14 PM To: 'Lorrayne Auld' <lorraynejs@gmail.com>; yehoshua@proof.com; 'Jimmy Jung' <jimmy.jung@slandala.com> Cc: wg-idassurance@kantarainitiative.org Subject: RE: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources Isn’t it authoritative to the extent that issuers allow it to access their data? It just isn’t authoritative across all 54 (55?) issuing sources. But it isn’t authoritative about REAL-ID status, so caveat. Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz <https://link.edgepilot.com/s/fd5f0c55/wq7TYlZNLUaIuIdZco6reA?u=http://www.zygma.biz/> +1 714 797 9942 From: Lorrayne Auld [mailto:lorraynejs@gmail.com] Sent: Tuesday, September 17, 2024 17:39 To: yehoshua@proof.com; 'Jimmy Jung' Cc: wg-idassurance@kantarainitiative.org Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources I just finished reviewing this section of 63A this morning so is fresh in my mind. I view AAMVA as a credible source for physical driver's licenses as it’s a private corporation and not a government entity. Also of note is their DLDV that was noted in the document. To my knowledge, not all states participate in this service so how can this be deemed authoritative? AAMVA may eventually become an authoritative source for mDLs if and when the States look to them as the issuer of the Digital Trust Service (DTS). mDL implementation and DTS participation by state is here near the bottom of the page: https://www.aamva.org/jurisdiction-data-maps <https://link.edgepilot.com/s/e6f06a76/ZIYs2hnA6EeXB6OvwGuRWA?u=https://www.aamva.org/jurisdiction-data-maps> From: Yehoshua Silberstein via WG-IDAssurance <wg-idassurance@kantarainitiative.org> Sent: Tuesday, September 17, 2024 12:54 PM To: Jimmy Jung <jimmy.jung@slandala.com> Cc: wg-idassurance@kantarainitiative.org Subject: [WG-IDAssurance] Re: Working on 63-4 comments; authoritative and credible sources Two points - 1. The Social Security Number Verification Service is another authoritative source. 2. Arguably, being subject to regulatory oversight isn't clear enough to mean anything substantial. All these entities are subject to numerous privacy-related regulations, and depending on the specific database, can be subject to regulations related to KYC/AML or FTC data security requirements to name a few. On Tue, Sep 17, 2024 at 12:17 PM Jimmy Jung <jimmy.jung@slandala.com> wrote: .. but there was one I kind of wanted to get out there early. CSPs SHOULD collect core attributes, but SHALL validate them with authoritative or credible sources, which seems to point to some perverse incentives. But more critically, looking at the definitions of authoritative and credible sources; am I mistaken, but is AAMVA the ONLY accessible authoritative source? And does linking “regulatory oversight” to the credible sources severely limit it to the big 3 credit bureaus and maybe a few more? (did MNO aggregators just drop out?) jimmy 2.4.2.4. Validation Sources The CSP SHALL use authoritative or credible sources that meet the following criteria. 760 An authoritative source is the issuing source of identity evidence or attributes, or has 761 direct access to the information maintained by issuing sources, such as state DMVs for 762 driver’s license data and the Social Security Administration for Social Security Cards 763 and Social Security Numbers. An authoritative source may also be one that provides or 764 enables direct access to issuing sources of evidence or attributes, such as the American 765 Association of Motor Vehicle Administrators’ Driver’s License Data Verification (DLDV) 766 Service. 767 A credible source is an entity that can provide or validate the accuracy of identity 768 evidence and attribute information. In addition to being subject to regulatory oversight 769 (such as the Fair Credit Reporting Act (FCRA)), a credible source has access to attribute 770 information that can be traced to an authoritative source, or maintains identity attribute 771 information obtained from multiple sources that is correlated for accuracy, consistency, 772 and currency. Examples of credible sources are credit bureaus that are subject to the 773 FCRA. 774 13 _______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to staff@kantarainitiative.org List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantara... (-> events.trustifi.com) ______ Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance (-> events.trustifi.com) -- Yehoshua Silberstein | Senior Counsel, Product Compliance R&D yehoshua@proof.com (857) 577-8144 <https://lh3.googleusercontent.com/7nPoP42JZWBh2Tlgr4Pk7-Xw-dNkaxwcdqDAvNQRyg6qsp8AF5yG2dS_GVGlTxN6HOjmQLy9Gz7BLQ6Mof1AGW2HvWNr9qo5ClraeV3cMw3mbQNSeXhW9MXLV7riSDcQQdKXYCRwkHzOaTP8sxWYhmo> Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do! NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract. Links contained in this email have been replaced. If you click on a link in the email above, the link will be analyzed for known threats. If a known threat is found, you will not be able to proceed to the destination. If suspicious content is detected, you will see a warning.