I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel (in the form of an email or postal address, perhaps a telephone number) using which the CSP can send a message to a subscriber." This is a one-way channel: presumably the CSP would not rely on messages received via the channel, since the sender would not be authenticated. The subscriber would presumably be required to use an authenticated channel to communicate with the CSP. Who is the "authoritative source" of this attribute? It seems clearly to be the subscriber, though the CSP might want to confirm (verify? validate?) that the "address of record" channel is working by sending a message and requiring the subscriber to respond back via the CSP's authenticated channel. Recourse for failure of the subscriber to respond would be for the CSP to invalidate—permanently or temporarily-- the credentials issued to the subscriber. The subscriber would use the CSP's authenticated channel to provide updates to the "address of record".

I don't know how this might translate into language for a recommendation to NIST, if at all: just trying to work out the limitations of what the address-of-record should be used for, and the extent to which any assessment of conformance might be needed (which appears to be minimal.)

From: Yehoshua Silberstein via WG-IDAssurance <wg-idassurance@kantarainitiative.org>
Sent: Friday, January 19, 2024 11:13 AM
To: IAWG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Address of record position & EU-US mapping feedback

Good morning everyone!

For those who have not had a chance to review, please see the attached document with our address of record position and provide any feedback via email before our next call on February 8.

I also want to remind everyone to share their thoughts and feedback on the EU-US Trade and Technology Council Digital Identity Mapping Exercise Report via email before the next call as the deadline to provide comments is February 29. Any and all feedback is welcome.

Best,

Yehoshua

Yehoshua Silberstein | Associate Counsel, Core Product

yehoshua@proof.com

(857) 577-8144

Notarize is now a Proof brand 🎉 We hope you love our new look and feel as much as we do!

NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.