assurance - Re: [Assurance] Independent Organizations Performing Remote Id Proofing
Subject: Assurance
List archive
- From: "Michael R. Gettes" <>
- To: "<>" <>
- Subject: Re: [Assurance] Independent Organizations Performing Remote Id Proofing
- Date: Fri, 3 Aug 2012 17:15:55 +0000
- Accept-language: en-US
Ann,
I am reading SP800-63V1_0_2 which has the first paragraph you cite in section
7 "Registration and Identity Proofing" on document page 19 and PDF page 29.
I am unable to locate the 2nd paragraph in part or whole in this version of
SP800-63. The first paragraph sheds lots of light on issues related to the
CommIT project but I don't want to comment until we are all literally on the
same page.
1.0.2 is the latest rev of 800-63 and can be found at
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf linked
from the main NIST SP site at http://csrc.nist.gov/publications/PubsSPs.html
Thanks.
/mrg
On Aug 3, 2012, at 12:43, Ann West wrote:
> All,
>
> On the Implementers call on Wednesday, we talked about whether our current
> id proofing models should be categorized as remote proofing or in person
> proofing done remotely by another organization.
>
> One of the questions that arose is whether FICAM would allow organizations
> independent from the IdPO (not the same legal entity) to perform Id
> Proofing.
>
> In rereading 800-63-1 today, I suggest we all review their Registration and
> Issuance Processes. I've included the primary sections below. How would you
> answer our question from Wednesday?
>
> Ann
>
>
>
> 800-63-1
>
> Page 27 Registration and Issuance Processes
>
> The RA can be a part of the CSP, or the RA can be a separate and
> independent entity; however, a trusted relationship always exists between
> the RA and CSP. The RA or CSP maintain records of the registration. The RA
> and CSP can provide services on behalf of an organization or may provide
> services to the public. The processes and mechanisms available to the RA
> for identity proofing may differ as a result. Where the RA operates on
> behalf of an organization, the identity proofing process may be able to
> leverage a preexisting relationship (e.g., the Applicant is an employee or
> student). Where the RA provides services to the public, the identity
> proofing process is generally limited to confirming publicly available
> information and previously issued credentials.
>
> And later in that section...
>
> In models where the registration and identity proofing take place
> separately from credential issuance, the CSP is responsible for verifying
> that the credential is being issued to the same person who was identity
> proofed by the RA. In this model, issuance must be strongly bound to
> registration and identity proofing so that an Attacker cannot pose as a
> newly registered Subscriber and attempt to collect a token/credential meant
> for the actual Subscriber. This attack, and similar attacks, can be
> thwarted by the methods described in Section 5.3.1 (below Table 3), which
> describes which techniques are considered appropriate for establishing the
> necessary binding at the various assurance levels.
- [Assurance] Independent Organizations Performing Remote Id Proofing, Ann West, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
- RE: [Assurance] Independent Organizations Performing Remote Id Proofing, Jones, Mark B, 08/03/2012
- Re: [Assurance] Independent Organizations Performing Remote Id Proofing, Michael R. Gettes, 08/03/2012
Archive powered by MHonArc 2.6.16.