Assurance

["Michael R. Gettes" <>]

Folks, this is where I offer caution about 800-63.  800-63 is a useful document.  It is intended for USGov agencies and NGOs.  We are not they.  When we say Silver is 800-63, even in certain respects, I completely disagree.   We are NOT they.  If there are parts of 800-63 we believe are useful, we include them in whole, part or by reference to the appropriate sections of 800-63.  This is why we go through a process of seeing how Silver maps into 800-63 by working with FICAM.  What Nick cites here is problematic for many institutions of Higher Ed.  The issue becomes what can we do that is sufficient and congruent to what the feds are seeking but also satisfies our biz processes.  We should incorporate 800-63 and any other process or document developed in other communities for consideration on what InCommon should be doing.  We should not be led by the nose by what the feds have done but we should certainly use their fine work where appropriate.

Nick, my comments should not be construed as directed at you - I am combining your email with the others I have seen over the last several days and believe there is confusion about 800-63 versus InCommon bronze and silver.

/mrg

On Aug 8, 2012, at 12:10, Roy, Nicholas S wrote:

Table 3 on page 33 for remote proofing:

 

“RA inspects both ID number and account

number supplied by Applicant (e.g., for correct

number of digits). Verifies information provided

by Applicant including ID number OR account

number through record checks either with the

applicable agency or institution or through credit

bureaus or similar databases, and confirms that:

name, DoB, address and other personal

information in records are on balance consistent

with the application and sufficient to identify a

unique individual.  For utility account numbers,

confirmation shall be performed by verifying

knowledge of recent account activity.  (This

technique may also be applied to some financial

accounts.)”

 

http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

 

From:  [mailto:] On Behalf Of Jones, Mark B
Sent: Wednesday, August 08, 2012 10:37 AM
To: 
Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

 

Do you have 800-63 document references for some of the things that are left out of the IAP?  I tried to find the requirement to validate documents at the time of registration and can’t find it.  I have not stumbled on any obvious omissions.

 

From:   On Behalf Of Roy, Nicholas S
Sent: Wednesday, August 08, 2012 8:49 AM
To: 
Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

 

From what I can deduce (perhaps completely inaccurately, but it “feels” like this to me, and I’ve been a reviewer on a couple revisions of the IAP) about the drafting process , there is a strong reason for not documenting or explicitly stating some of the things that are “left out” of the IAP/IAAF, things which exist in 800-63.  I think the requirement to validate the documents at registration time is one of these things.  I think nearly every omission of this type was made in the interest of making it possible to achieve Silver in a typical higher education setting.  Almost all of the “omissions” that make things less clear in the InCommon assurance documents also make them less proscriptive in a way that makes them easier to achieve in the real world.  Some people suggest this makes the IAPs “weaker” than 800-63.  I’d argue it makes them more useful in that they can actually be implemented.

 

Nick

 

From:  [] On Behalf Of Ann West
Sent: Tuesday, August 07, 2012 10:00 AM
To: 
Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches

 

Well Nick is correct. Silver is not a carbon copy of 800-63. It contains additional information about InCommon's trust model, certification requirements, HE comparable solutions (See 4.2.2.4.1 Existing Relationship for instance), etc. 

 

However, you're correct too, Mark, in the case of the identity proofing requirements. Silver is comparable and in some cases, uses the same language. 800-63-1 does provide more background about the process, however, that might be useful to folks, which is why we strongly recommend it as prerequisite reading and as a reference. 

 

Ann

---

Where did "Silver is not 800-63 level 2, Silver is Silver" come from?  I’m confused why people seem to want to distance Silver from 800-63.

 

From what I read, 800-63 level 2 is exactly what Silver is with respect to identity proofing and credential issuance.

 

“InCommon Bronze and Silver are intended to be compatible with US federal government Identity, Credential, and Access Management (ICAM) Trust Framework Provider Adoption Process (TFPAP) Levels of Assurance 1 and 2.”

http://www.incommon.org/docs/assurance/IAP_V1.1.pdf

 

and

 

800-63 is a core ICAM document.  http://www.idmanagement.gov/pages.cfm/page/ICAM

 

If that is not enough…

 

Sections §4.2.2.4.2 and §4.2.2.4.3 of the IAP describing ‘in-person’ and ‘remote’ proofing are taken verbatim from the 800-63 table that describes “Identity Proofing Requirements” for NIST level 2.  http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

 

When we are discussing identity proofing and credential issuance for Silver we are talking 800-63.

 

 

From:   
Sent: Monday, August 06, 2012 5:01 PM
To: Jones, Mark B
Subject: [confluence] InC-Assurance > Remote-Proofing Approaches

 

Remote-Proofing Approaches

Page comment added by 

 

I got some feedback from the Big Ten auditor community.  Their feedback was (generalized):

1) The notary approach might work

2) They don't like the video approach, but did not give specific reasons why

3) They think the eVerify process used for I9 stuff in HR processes is good enough to use for proofing (not remote, really, but OK I think this is good news for existing relationship stuff)

4) Quote:

"I don't know how InCommon relates to NIST 800-63, but 800-63 seems clearer.  It says that remote proofing for Level 2 or 3 requires validation of the gov't ID and/or financial acct, plus address validation.  The latter is not a substitute for the former."

To me that says if you take this to be 800-63 rules, then you also need to validate the ID at LoA2/Silver.  But then again, "Silver is not 800-63 level 2, Silver is Silver."

Stop watching page | Change email notification preferences

View Online | Reply To This