In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment. In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3). I think it could be helpful to identify use cases for supervise remote for IAL2 and IAL3. Sent from my iPhone

On Aug 7, 2023, at 2:24 PM, Jimmy Jung wrote:



Folks,

It sounds like the Supervised Remote Criteria is the next big hurdle.

The first question I would ask is what is our guiding philosophy regarding tracking with 800-63. I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification. But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.” So, it would seem that we often cling very closely to the 800-63. With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3. IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara?

That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough?

I welcome your thoughts

Jimmy

63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart 63A#0530 – Proofing Supervisor participates entirety of the remote session 63A#0540 – clearly witness all applicant actions 63A#0550 – integrated scanners and sensors 63A#0560 – Training 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal 63A#0580 – Secure Communications

As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along.

Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure they're process is being assessed even at IAL2.

I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria.

Thanks & enjoy your weekend,

<supervised remote identity proofing criteria.docx> _______________________________________________ WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.org

Jimmy, I have seen a need for IAL2-capable kiosks for significant numbers of individuals who apply for benefits. A number of physical conditions can make a kiosk easier to use than a phone, and quite a few people lack the devices or bandwidth needed for biometric verification. The use of kiosks, should they become more readily available, also adds friction to the process which can be useful when organizations are dealing with high levels of fraud during their IAL2 processes. Maria Maria E. Vachinohttps://www.linkedin.com/in/mariavachino/ President Calvert Consulting, LLC Mobile: +1 (410) 849-9033 Email: maria@icam.consultingmailto:maria@icam.consulting Time Zone: EDT/UTC-4 This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review; use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and then destroy all copies of the original message. From: Jimmy Jung Sent: Tuesday, August 8, 2023 5:52 AM To: Lorrayne Auld Cc: IAWG Subject: [WG-IDAssurance] Re: Supervised Remote Criteria Thanks Lorrayne, I imagine that the use case separation between IAL2 and IAL3 is going to be who owns the “remote terminal.” Taking on the cost and logistics of deploying CSP controlled kiosks is probably not merited unless you are shooting for IAL3. Supervised Remote In-person at IAL2 is going to be via the applicant’s phone or laptop. Combing our thoughts, it seems unlikely that a CSP would deploy a kiosk that in a location that did not meet IAL3, when IAL2 could be performed on the phone. Hence, my thinking that 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal is the criteria that is the real distinction between IAL2 and IAL3; and also my hesitancy at including 63A#0450 - clearly witness all applicant actions, when this is dependent on the applicants equipment. At IAL2, we could define this as the supervisor being satisfied with the clarity; while at IAL3 this could be a technical criteria; but one is subjective and neither clings to 800-63 as written. jimmy From: Lorrayne Auld mailto:lorraynejs@gmail.com> Sent: Monday, August 7, 2023 2:47 PM To: Jimmy Jung mailto:jimmy.jung@slandala.com> Cc: Lynzie Adams mailto:lynzie@kantarainitiative.org>; IAWG mailto:wg-idassurance@kantarainitiative.org> Subject: Re: [WG-IDAssurance] Supervised Remote Criteria In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment. In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3). I think it could be helpful to identify use cases for supervise remote for IAL2 and IAL3. Sent from my iPhone On Aug 7, 2023, at 2:24 PM, Jimmy Jung mailto:jimmy.jung@slandala.com> wrote:  Folks, It sounds like the Supervised Remote Criteria is the next big hurdle. The first question I would ask is what is our guiding philosophy regarding tracking with 800-63. I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification. But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.” So, it would seem that we often cling very closely to the 800-63. With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3. IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara? That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough? I welcome your thoughts Jimmy 1. 63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart 2. 63A#0530 – Proofing Supervisor participates entirety of the remote session 3. 63A#0540 – clearly witness all applicant actions 4. 63A#0550 – integrated scanners and sensors 5. 63A#0560 – Training 6. 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal 7. 63A#0580 – Secure Communications As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along. Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure they're process is being assessed even at IAL2. I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria. Thanks & enjoy your weekend, <supervised remote identity proofing criteria.docx> _______________________________________________ WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.orgmailto:wg-idassurance@kantarainitiative.org To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.orgmailto:wg-idassurance-leave@kantarainitiative.org

There is no “this Thursday’s” meeting Jimmy, Lynzie canned it in favor of meeting next week. Unless I totally messed-up? Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942 From: Jimmy Jung [mailto:jimmy.jung@slandala.com] Sent: Wednesday, August 9, 2023 02:34 To: Maria Vachino; Lorrayne Auld Cc: IAWG Subject: [WG-IDAssurance] Re: Supervised Remote Criteria I'll buy that. Then should the IAL2 kiosk meet all the requirements of the IAL3 kiosk; especially if the IAL2 process can be performed on a phone? PS, ideally this conversation is intended to instigate discussion of this criteria and help grease the skids before we take them on in Thursdays meeting. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: Maria Vachino Date: 8/8/23 9:16 PM (GMT-05:00) To: Jimmy Jung , Lorrayne Auld Cc: IAWG Subject: RE: [WG-IDAssurance] Re: Supervised Remote Criteria Jimmy, I have seen a need for IAL2-capable kiosks for significant numbers of individuals who apply for benefits. A number of physical conditions can make a kiosk easier to use than a phone, and quite a few people lack the devices or bandwidth needed for biometric verification. The use of kiosks, should they become more readily available, also adds friction to the process which can be useful when organizations are dealing with high levels of fraud during their IAL2 processes. Maria https://www.linkedin.com/in/mariavachino/ Maria E. Vachino President Calvert Consulting, LLC Mobile: +1 (410) 849-9033 Email: maria@icam.consulting Time Zone: EDT/UTC-4 This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review; use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and then destroy all copies of the original message. From: Jimmy Jung Sent: Tuesday, August 8, 2023 5:52 AM To: Lorrayne Auld Cc: IAWG Subject: [WG-IDAssurance] Re: Supervised Remote Criteria Thanks Lorrayne, I imagine that the use case separation between IAL2 and IAL3 is going to be who owns the “remote terminal.” Taking on the cost and logistics of deploying CSP controlled kiosks is probably not merited unless you are shooting for IAL3. Supervised Remote In-person at IAL2 is going to be via the applicant’s phone or laptop. Combing our thoughts, it seems unlikely that a CSP would deploy a kiosk that in a location that did not meet IAL3, when IAL2 could be performed on the phone. Hence, my thinking that 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal is the criteria that is the real distinction between IAL2 and IAL3; and also my hesitancy at including 63A#0450 - clearly witness all applicant actions, when this is dependent on the applicants equipment. At IAL2, we could define this as the supervisor being satisfied with the clarity; while at IAL3 this could be a technical criteria; but one is subjective and neither clings to 800-63 as written. jimmy From: Lorrayne Auld Sent: Monday, August 7, 2023 2:47 PM To: Jimmy Jung Cc: Lynzie Adams ; IAWG Subject: Re: [WG-IDAssurance] Supervised Remote Criteria In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment. In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3). I think it could be helpful to identify use cases for supervise remote for IAL2 and IAL3. Sent from my iPhone On Aug 7, 2023, at 2:24 PM, Jimmy Jung wrote:  Folks, It sounds like the Supervised Remote Criteria is the next big hurdle. The first question I would ask is what is our guiding philosophy regarding tracking with 800-63. I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification. But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.” So, it would seem that we often cling very closely to the 800-63. With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3. IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara? That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough? I welcome your thoughts Jimmy 1. 63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart 2. 63A#0530 – Proofing Supervisor participates entirety of the remote session 3. 63A#0540 – clearly witness all applicant actions 4. 63A#0550 – integrated scanners and sensors 5. 63A#0560 – Training 6. 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal 7. 63A#0580 – Secure Communications As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along. Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure they're process is being assessed even at IAL2. I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria. Thanks & enjoy your weekend, <supervised remote identity proofing criteria.docx> _______________________________________________ WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.org

Jimmy, I agree that we should adhere to the NIST criteria as much as possible and avoid introducing additional Kantara-specific requirements. I would also like to highlight the importance of continuing to allow evidence validation via trained personnel without requiring these personnel to act as proofing supervisors. The NIST guidelines allow for the validation of identity evidence via trained personnel and appropriate technologies and state that "*Training requirements for personnel validating evidence SHALL be based on the policies, guidelines, or requirements of the CSP or RP*" separate from the requirements related to operator supervision. As this relates to the Kantara requirements, 560 is referring to the training of operators supervising the entirety of the identity proofing process, and 220 is referring to the training for personnel who do not supervise the entire session and as noted many times in the conformance criteria, can even complete their tasks without the applicant. We should therefore continue to allow evidence validation via trained personnel without requiring them to act as proofing supervisors even if we create proofing supervisor standards for IAL2 identity proofing. Best, Yehoshua On Wed, Aug 9, 2023 at 9:03 AM Richard G. WILSHER (@Zygma Inc.) < RGW@zygma.biz> wrote:

I rescind this email – meeting continues. Mea culpa.

*Richard G. WILSHERCEO & Founder, Zygma Inc.www.Zygma.biz http://www.Zygma.biz+1 714 797 9942*

*From:* Richard G. WILSHER (@Zygma Inc.) [mailto:RGW@Zygma.biz] *Sent:* Wednesday, August 9, 2023 03:15 *To:* 'Jimmy Jung'; 'Maria Vachino'; 'Lorrayne Auld' *Cc:* 'IAWG' *Subject:* RE: [WG-IDAssurance] Re: Supervised Remote Criteria

There is no “this Thursday’s” meeting Jimmy, Lynzie canned it in favor of meeting next week. Unless I totally messed-up?

*Richard G. WILSHERCEO & Founder, Zygma Inc.www.Zygma.biz http://www.Zygma.biz+1 714 797 9942*

*From:* Jimmy Jung [mailto:jimmy.jung@slandala.com] *Sent:* Wednesday, August 9, 2023 02:34 *To:* Maria Vachino; Lorrayne Auld *Cc:* IAWG *Subject:* [WG-IDAssurance] Re: Supervised Remote Criteria

I'll buy that.

Then should the IAL2 kiosk meet all the requirements of the IAL3 kiosk; especially if the IAL2 process can be performed on a phone?

PS, ideally this conversation is intended to instigate discussion of this criteria and help grease the skids before we take them on in Thursdays meeting.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------

From: Maria Vachino

Date: 8/8/23 9:16 PM (GMT-05:00)

To: Jimmy Jung , Lorrayne Auld < lorraynejs@gmail.com>

Cc: IAWG

Subject: RE: [WG-IDAssurance] Re: Supervised Remote Criteria

Jimmy,

I have seen a need for IAL2-capable kiosks for significant numbers of individuals who apply for benefits. A number of physical conditions can make a kiosk easier to use than a phone, and quite a few people lack the devices or bandwidth needed for biometric verification.

The use of kiosks, should they become more readily available, also adds friction to the process which can be useful when organizations are dealing with high levels of fraud during their IAL2 processes.

Maria

Maria E. Vachino https://www.linkedin.com/in/mariavachino/

President

Calvert Consulting, LLC

Mobile: +1 (410) 849-9033

Email: maria@icam.consulting

Time Zone: EDT/UTC-4

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review; use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and then destroy all copies of the original message.

*From:* Jimmy Jung *Sent:* Tuesday, August 8, 2023 5:52 AM *To:* Lorrayne Auld *Cc:* IAWG *Subject:* [WG-IDAssurance] Re: Supervised Remote Criteria

Thanks Lorrayne,

I imagine that the use case separation between IAL2 and IAL3 is going to be who owns the “remote terminal.” Taking on the cost and logistics of deploying CSP controlled kiosks is probably not merited unless you are shooting for IAL3. Supervised Remote In-person at IAL2 is going to be via the applicant’s phone or laptop.

Combing our thoughts, it seems unlikely that a CSP would deploy a kiosk that in a location that did not meet IAL3, when IAL2 could be performed on the phone. Hence, my thinking that 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal is the criteria that is the real distinction between IAL2 and IAL3; and also my hesitancy at including 63A#0450 - clearly witness all applicant actions, when this is dependent on the applicants equipment. At IAL2, we could define this as the supervisor being satisfied with the clarity; while at IAL3 this could be a technical criteria; but one is subjective and neither clings to 800-63 as written.

jimmy

*From:* Lorrayne Auld *Sent:* Monday, August 7, 2023 2:47 PM *To:* Jimmy Jung *Cc:* Lynzie Adams ; IAWG < wg-idassurance@kantarainitiative.org> *Subject:* Re: [WG-IDAssurance] Supervised Remote Criteria

In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment.

In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3).

I think it could be helpful to identify use cases for supervise remote for IAL2 and IAL3.

Sent from my iPhone

On Aug 7, 2023, at 2:24 PM, Jimmy Jung wrote:



Folks,

It sounds like the Supervised Remote Criteria is the next big hurdle.

The first question I would ask is what is our guiding philosophy regarding tracking with 800-63. I recognize that we offer a *Kantara* 800-63 certification; not just an 800-63 certification. But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.” So, it would seem that we often cling very closely to the 800-63. With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3. IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara?

That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we *really *felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough?

I welcome your thoughts

Jimmy

1. 63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart 2. 63A#0530 – Proofing Supervisor participates entirety of the remote session 3. 63A#0540 – clearly witness all applicant actions 4. 63A#0550 – integrated scanners and sensors 5. 63A#0560 – Training 6. 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal 7. 63A#0580 – Secure Communications

As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along.

Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure they're process is being assessed even at IAL2.

I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria.

Thanks & enjoy your weekend,

<supervised remote identity proofing criteria.docx>

_______________________________________________ WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.org _______________________________________________ WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.org

-- Yehoshua Silberstein | Associate Counsel, Core Product yehoshua@notarize.com (857) 577-8144 It’s a new era at Notarize! We recently announced https://www.notarize.com/blog/meet-proof Proof, our new company brand and identity-assured transaction management platform. -- *NOTICE: This email may contain proprietary, business-confidential, and/or privileged material. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited. This email does not constitute a signed writing for purposes of a binding contract.*