[WG-IDAssurance] Probable 800-63A rev.3 mis-interpretation


Richard G. WILSHER (@Zygma Inc.)

May 15, 2023, 6:22:05 PM
to IA WG

IAWG Members,

In an attempt to distract you from Carin [sic] about -63 rev.4 criteria, may I please bring to your attention the following matter which I believe requires a correction of the MATERIAL kind.

In regard to the attached, please review the NIST source text for 63A#0350 b) - (col. D) - and note that, within the red text, there is a clear separation between ‘One piece of SUPERIOR evidence’ without qualification and ‘one piece of STRONG evidence’ which is subject to two distinct qualifiers (which therefore manifestly apply only to the STRONG evidence).

Then compare this to the NIST source text for 63A#0180 a) - (col. D) - and note that while the same inherent separation was in all likelihood (and I now believe certainly was) intended by NIST, it is far less clear grammatically in this case. 

I would suggest that this interpretation is supported by the fact that since #0180 is at IAL2 and #0350 is at IAL3, the lesser rigour required for IAL2 supports the choice between one SUPERIOR form of evidence or, as an alternative, a single piece of STRONG evidence which fulfills the consequent qualifiers (red text to highlight key elements). It would be nonsensical to have those qualifications apply also to the SUPERIOR evidence when the assurance level is lower than IAL3 where these qualifiers are clearly not intended to apply to the SUPERIOR evidence.

Here’s where it gets bad: some clever criteria drafter thought that, at IAL2, the qualifiers applied to both the SUPERIOR and the STRONG forms of evidence, and then ‘optimised’ the Kantara criterion by reasoning that if STRONG would do then SUPERIOR was redundant (and, in his defence, not one reviewer then or since has cried ‘foul’). This text is cited as presently published in col. Q for #0180, in the attached doc.

I have now been obliged to accept that (perhaps with NIST’s help), 63A#0180 is incorrectly constructed and I suggest that the necessary amendment is to publish it as phrased in 63A#0180 a), a) i) and a) ii), in cols. J/K/L.  Since this is a fundamental mis-statement of a criterion describing the fundamental evidential requirements for a proofing at IAL2 this has to be a material revision, but hopefully one that requires little debate.

Since this is a matter of Kantara’s primary interest I request that this be given attention at this week’s meeting above any agenda items concerning other parties’ concerns.

Thanks for your time,


Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942


KIAF-1430 SP 800-63A SoCA & SoC #0180 fix.xlsx

Jimmy Jung

May 15, 2023, 6:54:37 PM
to Richard G. WILSHER (@Zygma Inc.), IA WG

I think we can all agree that 63-3 could often be clearer, but I cannot help but feel that if they intended what you suggest it would have read:


4.4.1.2 Evidence Collection Requirements

The CSP SHALL collect the following from the applicant:

1. One piece of SUPERIOR evidence

2. One piece of STRONG evidence if the evidence’s issuing source, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence and the CSP validates the evidence directly with the issuing source; OR

3. Two pieces of STRONG evidence; OR

4. One piece of STRONG evidence plus two pieces of FAIR evidence


Instead of:


Or have I missed your point completely?
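To make the two readings concrete, here is an added Python model (my own illustration, not part of the thread, the NIST text or the Kantara criteria) that applies Jimmy's four-bullet restatement of 4.4.1.2 to an evidence set and, with one switch, the alternative reading in which the two qualifiers also bind the SUPERIOR piece. The Evidence fields and the route labels are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Evidence:
    """One piece of identity evidence as assumed here (not NIST's data model)."""
    strength: str                            # "SUPERIOR", "STRONG" or "FAIR"
    issuer_collected_two_plus: bool = False  # issuing source confirmed identity with 2+ SUPERIOR/STRONG pieces
    validated_with_issuer: bool = False      # CSP validated this piece directly with the issuing source

    def qualified(self) -> bool:
        # Both qualifiers in 4.4.1.2 must hold for a single piece to carry IAL2 on its own.
        return self.issuer_collected_two_plus and self.validated_with_issuer


def ial2_route(evidence: Iterable[Evidence], qualifiers_bind_superior: bool) -> Optional[str]:
    """Return the first 4.4.1.2 route the set satisfies, or None.

    qualifiers_bind_superior=False models the reading argued in the thread (and
    Jimmy's four-bullet restatement): one SUPERIOR piece suffices unqualified.
    qualifiers_bind_superior=True models the reading the drafter is said to have
    taken, where SUPERIOR needs the same two qualifiers as STRONG.
    Stronger-for-weaker substitution (SUPERIOR counted as STRONG) is deliberately
    not modelled; the bullets are applied literally.
    """
    evidence = list(evidence)
    counts = Counter(e.strength for e in evidence)
    for e in evidence:
        if e.strength == "SUPERIOR" and (e.qualified() or not qualifiers_bind_superior):
            return "one SUPERIOR"
        if e.strength == "STRONG" and e.qualified():
            return "one qualified STRONG"
    if counts["STRONG"] >= 2:
        return "two STRONG"
    if counts["STRONG"] >= 1 and counts["FAIR"] >= 2:
        return "one STRONG + two FAIR"
    return None


def compare_readings(evidence: Iterable[Evidence]) -> dict:
    """Evaluate one evidence set under both readings so any divergence is visible."""
    evidence = list(evidence)
    return {
        "qualifiers_only_on_STRONG": ial2_route(evidence, qualifiers_bind_superior=False),
        "qualifiers_also_on_SUPERIOR": ial2_route(evidence, qualifiers_bind_superior=True),
    }
```

The two readings agree on every route except a lone SUPERIOR piece that the CSP did not validate with its issuer, which is exactly the case the thread is about.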

Richard G. WILSHER (@Zygma Inc.)

May 15, 2023, 7:27:59 PM
to Jimmy Jung, IA WG
image002.png

Richard G. WILSHER (@Zygma Inc.)

May 17, 2023, 12:40:19 PM
to IA WG
KIAF-1430 SP 800-63A SoCA SoC #0180 fix v2.xlsx

Scott Shorter

May 17, 2023, 7:30:54 PM
to Richard G. WILSHER (@Zygma Inc.), IA WG

Just FYI,

At best, the 9/11 VCF will achieve password + emailed token (i.e. less than IAL2) for their authentication.  They are transitioning to a new system, but every expectation thus far is that registered claimants will be enrolled with the new system, regardless of IAL. The IAL2 requirements, having been described, have been identified as a "non-starter" by the deputy special master.

We're talking about a user base that is elderly and subject to 9/11 related illnesses, so adherence to 800-63-3 requirements is not something that can be expected for this user community.

Anyway, I just wanted y'all to have some perspective from the field.

Best wishes,
Scott

Richard G. WILSHER (@Zygma Inc.)

May 17, 2023, 11:33:27 PM
to Scott Shorter, IA WG

Reality looms large, eh? I guess that any standards writers (I include myself in this oblique criticism) are somewhat idealistic and there will always be outlier / edge cases which do not/cannot fit the ‘norm’ (used without implication) but which deserve to be accommodated. Difficult to accommodate in an IS / EN / SP.

I agree that specific circumstances should be accommodated but there still needs to be a process which weeds out the fraudsters, whatever the sensitivity of the cause (subject sub-population – and I did look at the web site you referenced), because there are those who will seek to gain illegitimately from any situation, if they can.

“We're talking about a user base that is elderly and subject to 9/11 related illnesses, so adherence to 800-63-3 requirements is not something that can be expected for this user community”. Perhaps this is an instance where the provisions of 63 rev.3 5.4 ‘Risk Acceptance and Compensating Controls’ need to be invoked. Presumably if the qualification as a 9/11 victim or as otherwise provided-for on that web-site can be (sensitively) established (perhaps an instance where a genuine ‘Trusted Referee’, i.e. someone vouching obo the Applicant, can be a contributing participant) such that that itself is an adequate determination of identity which should be accepted as equivalent / comparable to the ‘theoretically pure’ (but often difficult if not impossible to precisely accomplish) IAL2 requirements. I’d love to see how an assessor and the ARB would handle that.

An interesting contribution Scott – good to hear from you and find you still engaged in this stuff.  Keep well.


Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
