Colleagues,
I’d like to remind you about this request. We are able to extend the deadline to provide feedback to the list until 5/19, so I would urge you to please take time to review and send along feedback.
If you are interested in providing feedback, but aren’t sure where to start, I would encourage you to review these questions pulled from the Note to Reviewers:
Note to Reviewers:
To facilitate this review, we have compiled a number of topics of interest to which we would like reviewers to respond. While we would like reviewers to respond to as many of these as they wish, it is not necessary to answer all of them. Furthermore, reviewers should feel free to suggest other areas of revision or enhancement to the document. Recommendations for revisions that are not within the scope of SP 800-63 may be considered; however NIST cannot ensure the recommendations will be included in a potential update.
- What schemas for establishing identity assurance have proven effective in providing an appropriate amount of security, privacy, usability, and trust based on the risk level of the online service or transaction? How do they differentiate trust based on risk? How is interoperability of divergent identity solutions facilitated?
- Could identity assurance processes and technologies be separated into distinct components? If so, what should the components be and how would this provide an appropriate level of identity assurance?
- What innovative approaches are available to increase confidence in remote identity proofing? If possible, please share any performance metrics to corroborate increased confidence levels.
- What privacy considerations arising from identity assurance should be included in the revision? Are there specific privacy-enhancing technologies, requirements or architectures that should be considered?
- What requirements, processes, standards, or technologies are currently excluded from 800-63-2 that should be considered for future inclusion?
- Should a representation of the confidence level in attributes be standardized in order to assist in making authorization decisions? What form should that representation take?
- What methods can be used to increase the trust or assurance level (sometimes referred to as “trust elevation”) of an authenticated identity during a transaction? If possible, please share any performance metrics to corroborate the efficacy of the proposed methods.
From: Farmer, Jacob
Sent: Tuesday, April 14, 2015 1:10 PM
To:
Subject: Collecting comments on NIST SP 800-63-2
Colleagues,
As you know, NIST is requesting comments on SP 800-63-2 [1] by May 22, with the goal of gathering requirements for a substantial update of the spec. Please see the call for comments, and especially the "Note to Reviewers" here:
http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html
The InCommon Assurance Advisory Committee (AAC) will be preparing comments and would appreciate your input. Please share your thoughts on the assurance email list at
. I hope that we can have a robust and productive conversation around our desired changes to this important document.
Please provide any feedback to the list by 5/8. After that time, the AAC will work with InCommon to create a draft response, which we will share with the list for one final round of comments before the May 22nd deadline.
Best regards,
Jacob Farmer
Chair, InCommon Assurance Advisory Committee
[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
=========================
Jacob Farmer
Identity Management Systems