Address of record position & EU-US mapping feedback
Good morning everyone! For those who have not had a chance to review, please see the attached document with our address of record position and provide any feedback via email before our next call on February 8. I also want to remind everyone to share their thoughts and feedback on the EU-US Trade and Technology Council Digital Identity Mapping Exercise Report https://www.nist.gov/identity-access-management/eu-us-ttc-wg-1-digital-ident... via email before the next call as the deadline to provide comments is February 29. Any and all feedback is welcome. Best, Yehoshua -- Yehoshua Silberstein | Associate Counsel, Core Product yehoshua@proof.com (857) 577-8144 Notarize is now a Proof https://www.proof.com/blog/our-vision brand 🎉 We hope you love our new look and feel as much as we do! -- *NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.*
IAWG –
I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel (in the form of an email or postal address, perhaps a telephone number) using which the CSP can send a message to a subscriber." This is a one-way channel: presumably the CSP would not rely on messages received via the channel, since the sender would not be authenticated. The subscriber would presumably be required to use an authenticated channel to communicate with the CSP. Who is the "authoritative source" of this attribute? It seems clearly to be the subscriber, though the CSP might want to confirm (verify? validate?) that the "address of record" channel is working by sending a message and requiring the subscriber to respond back via the CSP's authenticated channel. Recourse for failure of the subscriber to respond would be for the CSP to invalidate—permanently or temporarily-- the credentials issued to the subscriber. The subscriber would use the CSP's authenticated channel to provide updates to the "address of record".
I don't know how this might translate into language for a recommendation to NIST, if at all: just trying to work out the limitations of what the address-of-record should be used for, and the extent to which any assessment of conformance might be needed (which appears to be minimal.)
Martin
---
Martin Smith
703 389-3224
________________________________
From: Yehoshua Silberstein via WG-IDAssurance
Chiming in here.
*An Address of Record* should be an attribute that is referenceable in GLB
compliant records (e.g. phone number, mailing address, email address, etc).
In that sense, once the user confirms they have possession of the address,
which is also in records and can happen in a variety of ways, then it is
useful both as evidence and for communications.
*A Communications or Notifications Address* is something the user
could choose to bind to their profile post-authentication and
identity proofing. In terms of lifecycle, this address would then be
designated as a Communications/Notifications Address -- and also an Address
of Record if a proofed user entered it (that's how most GLB data
originates) -- whereas a user might not wish to get notifications at other
Addresses of Record.
There is almost certainly more nuance here but I believe very strongly
address of record and the user's ability to confirm possession is a key
component of evidence & proofing.
On Sun, Jan 21, 2024 at 10:17 AM Martin Smith
IAWG – I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel
IAWG –
I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel (in the form of an email or postal address, perhaps a telephone number) using which the CSP can send a message to a subscriber." This is a one-way channel: presumably the CSP would not rely on messages received via the channel, since the sender would not be authenticated. The subscriber would presumably be required to use an authenticated channel to communicate with the CSP. Who is the "authoritative source" of this attribute? It seems clearly to be the subscriber, though the CSP might want to confirm (verify? validate?) that the "address of record" channel is working by sending a message and requiring the subscriber to respond back via the CSP's authenticated channel. Recourse for failure of the subscriber to respond would be for the CSP to invalidate—permanently or temporarily-- the credentials issued to the subscriber. The subscriber would use the CSP's authenticated channel to provide updates to the "address of record".
I don't know how this might translate into language for a recommendation to NIST, if at all: just trying to work out the limitations of what the address-of-record should be used for, and the extent to which any assessment of conformance might be needed (which appears to be minimal.)
Martin
--- *Martin Smith* 703 389-3224 ------------------------------ *From:* Yehoshua Silberstein via WG-IDAssurance < wg-idassurance@kantarainitiative.org> *Sent:* Friday, January 19, 2024 11:13 AM *To:* IAWG
*Subject:* [WG-IDAssurance] Address of record position & EU-US mapping feedback Good morning everyone!
For those who have not had a chance to review, please see the attached document with our address of record position and provide any feedback via email before our next call on February 8.
I also want to remind everyone to share their thoughts and feedback on the EU-US Trade and Technology Council Digital Identity Mapping Exercise Report https://urldefense.com/v3/__https://www.nist.gov/identity-access-management/... via email before the next call as the deadline to provide comments is February 29. Any and all feedback is welcome.
Best,
Yehoshua
-- Yehoshua Silberstein | Associate Counsel, Core Product yehoshua@proof.com
(857) 577-8144
Notarize is now a Proof https://urldefense.com/v3/__https://www.proof.com/blog/our-vision__;!!AVdDjg... brand 🎉 We hope you love our new look and feel as much as we do!
*NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.* _______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to staff@kantarainitiative.org List archives -- https://urldefense.com/v3/__https://mailman.kantarainitiative.org/hyperkitty... ______ Group wiki -- https://urldefense.com/v3/__https://kantara.atlassian.net/wiki/spaces/WG-IDA...
-- *Blake Hall* *Founder & CEO* Mobile: 615-293-4702 blake@ID.me ID.me http://www.id.me/ | We're hiring! http://careers.id.me/ Veterans Get Secure Single-Sign On for Benefits: http://go.id.me/2iKDM6j President's National Strategy for Trusted Identities in Cyberspace: http://go.id.me/2hZzUKr Building the Trust Graph: http://go.id.me/trust-graph -- _ _ _This message (including any attachments) may contain confidential and privileged information belonging to the sender, for a specific individual and purpose, and is legally privileged. If you are not the intended recipient, you should delete this message and any disclosure, copying, forwarding or distribution of this message, or the taking of any action based on it, by you is strictly prohibited._
To respond to both your points,
I agree with Martin that an address of record is attached to a verified
identity, but that it need not be evidence of the identity, and that the
subscriber uses their authentication factors, not their address of record,
to authorize the CSP to act on their behalf. The address of record is a
communication channel for the applicant/subscriber to receive important
communications from the CSP (e.g. proofing notifications) and as a delivery
channel for the subscriber's authenticators.
As it relates to validation and verification, it is reasonable to argue
that an address can be validated by confirming deliverability (i.e. by
sending mail either physically or electronically to the address and having
it reach the expected destination) and that it can be verified through the
applicant's return of the enrollment code. Also, because an address of
record is not used to establish the core identity, it does not need to be
on the identity evidence. (*S**ee **800-63A § 4.4.1.6(2)
https://pages.nist.gov/800-63-3/sp800-63a.html#4-4-1-6 which allows a CSP
to confirm address of record by validating information supplied by the
applicant that's not on their identity evidence and pages 37 & 38 of the
current Conformance Criteria
https://www.nist.gov/system/files/documents/2020/07/02/800-63A%20Conformance...
which
allow an enrollment code to both validate and verify an a**ddress,**
establishing
it as the applicant's address of record.*)
Regarding Blake's point, I interpret the previously cited Conformance
Criteria
https://www.nist.gov/system/files/documents/2020/07/02/800-63A%20Conformance...
as
supporting the position that validation with external records separate from
an enrollment code should not be required. I am also unclear about the
relevance of GLB to this discussion. GLB requires financial institutions to
protect consumer PII which includes addresses, but does not touch on the
reliability of records for confirming addresses. (*It is also not
referenced in 800-63 regarding addresses of record.*)
Whether addresses of record can also serve as identity evidence to prove
the actual identity, such as through a phone carrier lookup confirming the
applicant's ownership of the phone number is not necessary to fulfill the
purpose of an address of record and should not be required by the 800-63
standards. While you are absolutely correct that an address of record must
be established as a part of the identity proofing process, the definition
of address of record and its associated requirements point to its primary
function as a communication/delivery channel, rather than a form of
identity evidence.
On Sun, Jan 21, 2024 at 11:17 AM Blake Hall
Chiming in here.
*An Address of Record* should be an attribute that is referenceable in GLB compliant records (e.g. phone number, mailing address, email address, etc). In that sense, once the user confirms they have possession of the address, which is also in records and can happen in a variety of ways, then it is useful both as evidence and for communications.
*A Communications or Notifications Address* is something the user could choose to bind to their profile post-authentication and identity proofing. In terms of lifecycle, this address would then be designated as a Communications/Notifications Address -- and also an Address of Record if a proofed user entered it (that's how most GLB data originates) -- whereas a user might not wish to get notifications at other Addresses of Record.
There is almost certainly more nuance here but I believe very strongly address of record and the user's ability to confirm possession is a key component of evidence & proofing.
On Sun, Jan 21, 2024 at 10:17 AM Martin Smith
wrote: IAWG – I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel IAWG –
I like the characterization of "address of record" as an attribute which can be attached to a verified identity, but which is itself not evidence of identity. The definition of this attribute sems to be "a one-way channel (in the form of an email or postal address, perhaps a telephone number) using which the CSP can send a message to a subscriber." This is a one-way channel: presumably the CSP would not rely on messages received via the channel, since the sender would not be authenticated. The subscriber would presumably be required to use an authenticated channel to communicate with the CSP. Who is the "authoritative source" of this attribute? It seems clearly to be the subscriber, though the CSP might want to confirm (verify? validate?) that the "address of record" channel is working by sending a message and requiring the subscriber to respond back via the CSP's authenticated channel. Recourse for failure of the subscriber to respond would be for the CSP to invalidate—permanently or temporarily-- the credentials issued to the subscriber. The subscriber would use the CSP's authenticated channel to provide updates to the "address of record".
I don't know how this might translate into language for a recommendation to NIST, if at all: just trying to work out the limitations of what the address-of-record should be used for, and the extent to which any assessment of conformance might be needed (which appears to be minimal.)
Martin
--- *Martin Smith* 703 389-3224 ------------------------------ *From:* Yehoshua Silberstein via WG-IDAssurance < wg-idassurance@kantarainitiative.org> *Sent:* Friday, January 19, 2024 11:13 AM *To:* IAWG
*Subject:* [WG-IDAssurance] Address of record position & EU-US mapping feedback Good morning everyone!
For those who have not had a chance to review, please see the attached document with our address of record position and provide any feedback via email before our next call on February 8.
I also want to remind everyone to share their thoughts and feedback on the EU-US Trade and Technology Council Digital Identity Mapping Exercise Report https://urldefense.com/v3/__https://www.nist.gov/identity-access-management/... via email before the next call as the deadline to provide comments is February 29. Any and all feedback is welcome.
Best,
Yehoshua
-- Yehoshua Silberstein | Associate Counsel, Core Product yehoshua@proof.com
(857) 577-8144
Notarize is now a Proof https://urldefense.com/v3/__https://www.proof.com/blog/our-vision__;!!AVdDjg... brand 🎉 We hope you love our new look and feel as much as we do!
*NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.* _______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to staff@kantarainitiative.org List archives -- https://urldefense.com/v3/__https://mailman.kantarainitiative.org/hyperkitty... ______ Group wiki -- https://urldefense.com/v3/__https://kantara.atlassian.net/wiki/spaces/WG-IDA...
-- *Blake Hall* *Founder & CEO* Mobile: 615-293-4702 blake@ID.me
ID.me http://www.id.me/ | We're hiring! http://careers.id.me/
Veterans Get Secure Single-Sign On for Benefits: http://go.id.me/2iKDM6j President's National Strategy for Trusted Identities in Cyberspace: http://go.id.me/2hZzUKr Building the Trust Graph: http://go.id.me/trust-graph
*This message (including any attachments) may contain confidential and privileged information belonging to the sender, for a specific individual and purpose, and is legally privileged. If you are not the intended recipient, you should delete this message and any disclosure, copying, forwarding or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.*
-- Yehoshua Silberstein | Associate Counsel, Core Product yehoshua@proof.com (857) 577-8144 Notarize is now a Proof https://www.proof.com/blog/our-vision brand 🎉 We hope you love our new look and feel as much as we do! -- *NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.*
participants (3)
-
Blake Hall
-
Martin Smith
-
Yehoshua Silberstein