Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches


  • From: "Michael R. Gettes" <>
  • To: "<>" <>
  • Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
  • Date: Wed, 8 Aug 2012 16:21:01 +0000
  • Accept-language: en-US

Folks, this is where I offer caution about 800-63.  800-63 is a useful document.  It is intended for USGov agencies and NGOs.  We are not they.  When we say Silver is 800-63, even in certain respects, I completely disagree.   We are NOT they.  If there are parts of 800-63 we believe are useful, we include them in whole, part or by reference to the appropriate sections of 800-63.  This is why we go through a process of seeing how Silver maps into 800-63 by working with FICAM.  What Nick cites here is problematic for many institutions of Higher Ed.  The issue becomes what can we do that is sufficient and congruent to what the feds are seeking but also satisfies our biz processes.  We should incorporate 800-63 and any other process or document developed in other communities for consideration on what InCommon should be doing.  We should not be led by the nose by what the feds have done but we should certainly use their fine work where appropriate.

Nick, my comments should not be construed as directed at you - I am combining your email with the others I have seen over the last several days and believe there is confusion about 800-63 versus InCommon bronze and silver.

/mrg

On Aug 8, 2012, at 12:10, Roy, Nicholas S wrote:

Table 3 on page 33 for remote proofing:

"RA inspects both ID number and account number supplied by Applicant (e.g., for correct number of digits). Verifies information provided by Applicant including ID number OR account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, DoB, address and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. For utility account numbers, confirmation shall be performed by verifying knowledge of recent account activity. (This technique may also be applied to some financial accounts.)"
 
 
From: On Behalf Of Jones, Mark B
Sent: Wednesday, August 08, 2012 10:37 AM
To: 
Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
 
Do you have 800-63 document references for some of the things that are left out of the IAP?  I tried to find the requirement to validate documents at the time of registration and can’t find it.  I have not stumbled on any obvious omissions.
 
From:   On Behalf Of Roy, Nicholas S
Sent: Wednesday, August 08, 2012 8:49 AM
To: 
Subject: RE: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
 
From what I can deduce (perhaps completely inaccurately, but it "feels" like this to me, and I've been a reviewer on a couple revisions of the IAP) about the drafting process, there is a strong reason for not documenting or explicitly stating some of the things that are "left out" of the IAP/IAAF, things which exist in 800-63.  I think the requirement to validate the documents at registration time is one of these things.  I think nearly every omission of this type was made in the interest of making it possible to achieve Silver in a typical higher education setting.  Almost all of the "omissions" that make things less clear in the InCommon assurance documents also make them less proscriptive in a way that makes them easier to achieve in the real world.  Some people suggest this makes the IAPs "weaker" than 800-63.  I'd argue it makes them more useful in that they can actually be implemented.
 
Nick
 
From: On Behalf Of Ann West
Sent: Tuesday, August 07, 2012 10:00 AM
To: 
Subject: Re: [Assurance] RE: [confluence] InC-Assurance > Remote-Proofing Approaches
 
Well Nick is correct. Silver is not a carbon copy of 800-63. It contains additional information about InCommon's trust model, certification requirements, HE comparable solutions (See 4.2.2.4.1 Existing Relationship for instance), etc. 
 
However, you're correct too, Mark, in the case of the identity proofing requirements. Silver is comparable and in some cases, uses the same language. 800-63-1 does provide more background about the process, however, that might be useful to folks, which is why we strongly recommend it as prerequisite reading and as a reference. 
 

Ann


Where did "Silver is not 800-63 level 2, Silver is Silver" come from?  I’m confused why people seem to want to distance Silver from 800-63.
 
From what I read, 800-63 level 2 is exactly what Silver is with respect to identity proofing and credential issuance.
 
InCommon Bronze and Silver are intended to be compatible with US federal government Identity, Credential, and Access Management (ICAM) Trust Framework Provider Adoption Process (TFPAP) Levels of Assurance 1 and 2.
 
and
 
800-63 is a core ICAM document.  http://www.idmanagement.gov/pages.cfm/page/ICAM
 
If that is not enough…
 
Sections §4.2.2.4.2 and §4.2.2.4.3 of the IAP describing ‘in-person’ and ‘remote’ proofing are taken verbatim from the 800-63 table that describes “Identity Proofing Requirements” for NIST level 2.  http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
 
When we are discussing identity proofing and credential issuance for Silver we are talking 800-63.
 
 
From: [confluence]
Sent: Monday, August 06, 2012 5:01 PM
To: Jones, Mark B
Subject: [confluence] InC-Assurance > Remote-Proofing Approaches
 

Remote-Proofing Approaches

Page comment added by 

 

I got some feedback from the Big Ten auditor community.  Their feedback was (generalized):

1) The notary approach might work

2) They don't like the video approach, but did not give specific reasons why

3) They think the eVerify process used for I9 stuff in HR processes is good enough to use for proofing (not remote, really, but OK I think this is good news for existing relationship stuff)

4) Quote:

"I don't know how InCommon relates to NIST 800-63, but 800-63 seems clearer.  It says that remote proofing for Level 2 or 3 requires validation of the gov't ID and/or financial acct, plus address validation.  The latter is not a substitute for the former."

To me that says if you take this to be 800-63 rules, then you also need to validate the ID at LoA2/Silver.  But then again, "Silver is not 800-63 level 2, Silver is Silver."




