assurance - RE: [Assurance] Independent Organizations Performing Remote Id Proofing
Subject: Assurance
- From: "Jones, Mark B" <>
- To: "" <>
- Subject: RE: [Assurance] Independent Organizations Performing Remote Id Proofing
- Date: Fri, 3 Aug 2012 13:07:06 -0500
- Accept-language: en-US

Seems to me that: "The RA can be a part of the CSP, or the RA can be a
separate and independent entity" means that the RA can be a notary and that:
"The RA or CSP maintain records of the registration" would be satisfied by
storing the notarized documents. We just need to make sure that the actual
credentials are issued according to "the methods described in Section 5.3.1".

I continue to be of the opinion that the use of a notary can (if done
correctly) be considered 'in-person'.

Regarding the use of video chat as a means of 'in-person' proofing I think
this hinges on a subjective opinion. The 'in-person' RA actions described in
Table 3 include a requirement that the RA 'inspect' the presented photo-ID.
The subjective question in my opinion is if video chat is sufficient for an
RA to 'inspect' a photo-ID to determine if it "appears valid and the photo
matches".

If the subjective determination is that video chat is not sufficient, then
the remote proofing requirements would in my opinion still apply and it would
be easier to just skip the video chat. On the other hand, if video chat IS
deemed sufficient then it would be a very convenient way to satisfy the
'in-person' requirements.

Personally I have doubts that video chat will be considered by auditors as
equal to the physical proximity that is normally thought of as 'in-person'.

-----Original Message-----
From:
[mailto:]
On Behalf Of Ann West
Sent: Friday, August 03, 2012 11:44 AM
To:
Subject: [Assurance] Independent Organizations Performing Remote Id Proofing

All,

On the Implementers call on Wednesday, we talked about whether our current id
proofing models should be categorized as remote proofing or in person
proofing done remotely by another organization.

One of the questions that arose is whether FICAM would allow organizations
independent from the IdPO (not the same legal entity) to perform Id Proofing.

In rereading 800-63-1 today, I suggest we all review their Registration and
Issuance Processes. I've included the primary sections below. How would you
answer our question from Wednesday?

Ann

800-63-1
Page 27 Registration and Issuance Processes

The RA can be a part of the CSP, or the RA can be a separate and independent
entity; however, a trusted relationship always exists between the RA and CSP.
The RA or CSP maintain records of the registration. The RA and CSP can
provide services on behalf of an organization or may provide services to the
public. The processes and mechanisms available to the RA for identity
proofing may differ as a result. Where the RA operates on behalf of an
organization, the identity proofing process may be able to leverage a
preexisting relationship (e.g., the Applicant is an employee or student).
Where the RA provides services to the public, the identity proofing process
is generally limited to confirming publicly available information and
previously issued credentials.

And later in that section...

In models where the registration and identity proofing take place separately
from credential issuance, the CSP is responsible for verifying that the
credential is being issued to the same person who was identity proofed by the
RA. In this model, issuance must be strongly bound to registration and
identity proofing so that an Attacker cannot pose as a newly registered
Subscriber and attempt to collect a token/credential meant for the actual
Subscriber. This attack, and similar attacks, can be thwarted by the methods
described in Section 5.3.1 (below Table 3), which describes which techniques
are considered appropriate for establishing the necessary binding at the
various assurance levels.