assurance - [Assurance] Independent Organizations Performing Remote Id Proofing
Subject: Assurance
List archive
- From: Ann West <>
- To:
- Subject: [Assurance] Independent Organizations Performing Remote Id Proofing
- Date: Fri, 03 Aug 2012 12:43:33 -0400 (EDT)
All,
On the Implementers call on Wednesday, we talked about whether our current id
proofing models should be categorized as remote proofing or in person
proofing done remotely by another organization.
One of the questions that arose is whether FICAM would allow organizations
independent from the IdPO (not the same legal entity) to perform Id Proofing.
In rereading 800-63-1 today, I suggest we all review their Registration and
Issuance Processes. I've included the primary sections below. How would you
answer our question from Wednesday?
Ann
800-63-1
Page 27 Registration and Issuance Processes
The RA can be a part of the CSP, or the RA can be a separate and independent
entity; however, a trusted relationship always exists between the RA and CSP.
The RA or CSP maintain records of the registration. The RA and CSP can
provide services on behalf of an organization or may provide services to the
public. The processes and mechanisms available to the RA for identity
proofing may differ as a result. Where the RA operates on behalf of an
organization, the identity proofing process may be able to leverage a
preexisting relationship (e.g., the Applicant is an employee or student).
Where the RA provides services to the public, the identity proofing process
is generally limited to confirming publicly available information and
previously issued credentials.
And later in that section...
In models where the registration and identity proofing take place separately
from credential issuance, the CSP is responsible for verifying that the
credential is being issued to the same person who was identity proofed by the
RA. In this model, issuance must be strongly bound to registration and
identity proofing so that an Attacker cannot pose as a newly registered
Subscriber and attempt to collect a token/credential meant for the actual
Subscriber. This attack, and similar attacks, can be thwarted by the methods
described in Section 5.3.1 (below Table 3), which describes which techniques
are considered appropriate for establishing the necessary binding at the
various assurance levels.
- [Assurance] Independent Organizations Performing Remote Id Proofing, Ann West, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- RE: [Assurance] Independent Organizations Performing Remote Id Proofing, Jones, Mark B, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
Archive powered by MHonArc 2.6.16.