Here is a fun bit of nonsense. 

 

I gave NIST’s notional strength of evidence page to a client to help them expand on their approaches to IAL2, thinking that the notional strength of evidence page, which we have adopted, identifies and classifies many additional options for identity evidence. But as we dug in, things got murky. https://pages.nist.gov/800-63-3-Implementation-Resources/63A/resolution/

SP 800-63 and Kantara require that “The CSP SHALL validate identity evidence with a process that can achieve the same strength as the evidence presented. For example, if two forms of STRONG identity evidence are presented, each piece of evidence will be validated at a strength of STRONG. (63 4.4.1.3; see also 63A#0200)” This is compared with verification, which is only compared to the strongest piece of identity evidence (63 5.3.1).

 

And, validating evidence at STRONG requires having “all personal details and evidence details confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s).”

 

Thank god for AAMVA, but out of curiosity, what issuing, authoritative, or even credible source would validate a Permanent Resident Card, Native American Enhanced Tribal Card, “Enhanced ID cards,” U.S. Military ID, Permanent Resident Card or Native American Tribal Photo Identification Cards? Calling them SUPERIOR or STRONG isn’t really meaningful if they cannot be validated that way.

There are some cool implementations that can read a passport and verify digital signatures, but for PIV, CAC, PIV-I (and TWIC?) you are going to need a card reader, so that mostly leaves out unsupervised. I think validating a digital signature is a fairly strong validation, even if it does not really COMPARE information with an issuing or authoritative source?

Things really seemed odd to me when we came to the conclusion that you would have to consider a US Navy CAC card a “FAIR” piece of evidence, because the DoD doesn’t validate CAC cards.

 

For an unsupervised proofing, and working from NIST’s notional strength of evidence page, which TWO items can you compare with information held by an issuing or authoritative source?

 

US Passport: SUPERIOR
Foreign e-Passport: SUPERIOR
Personal Identity Verification (PIV) card: SUPERIOR
Common Access card (CAC): SUPERIOR
Personal Identity Verification Interoperable (PIV-I) card: SUPERIOR
Transportation Worker Identification Credential (TWIC): SUPERIOR
Permanent Resident Card: SUPERIOR
Native American Enhanced Tribal Card: SUPERIOR
REAL ID cards: STRONG+
Enhanced ID cards: STRONG+
U.S. Uniformed Services Privilege and Identification Card (U.S. Military ID): STRONG+
Permanent Resident Card: STRONG
Native American Tribal Photo Identification Card: STRONG
Driver’s License or ID card (REAL ID non-compliant): STRONG

 

 

Jimmy