[WG-IDAssurance] NIST Roadmap


mhae...@freeuk.com
Apr 22, 2023, 7:01:35 AM
to Lynzie Adams via WG-IDAssurance
My initial observations as a starter... (They don't accept advertising,
but presumably comments from Kantara would not be advertising Kantara
services?)

Comments Due 1st July
https://www.nist.gov/system/files/documents/2023/04/21/NIST%20IAM%20Roadmap_FINAL_For%20Publicaiton_04212023.pdf

The conflation of items of issues by ‘and’ in most paragraph titles and
bullet points is in danger of either over-simplification or hiding
conflicts that need to be resolved.

Guidelines:

“Enhance privacy and security”: just ‘enhancing’ anything is not a
sensible aim since if the result is still inadequate then it is
unacceptable and if there is already sufficient then it is a waste of
resources.

“Foster equity and individual choice” suggests that choice is with
individuals, when the management has been done by organisations, often
in response to legislation or regulation. Individuals required to deal
with a monopoly provider (often but not exclusively in the public
sector) do not have choice. Where ‘self-service’ or
do-your-own-management is envisaged, this imposition could be
divisive and introduce new vectors for fraud, extortion, or malevolent
control; it is naive to present it as a good thing for all, even if dearly
and genuinely wanted by some, not just those answering leading questions
or with something to sell.

Drivers:

“Increasing fraud and sophistication of attackers:” these are very
different aspects; e.g. fraud can be increased by having more attackers
(possibly using many more, less sophisticated attacks).

“include updates” brings in the issue of transition of evaluated
services from using one standard to another version. Historic models for
products (such as cars or wiring tested and approved to be compliant
with the standards at the time of manufacture or installation) can no
longer be used.

MDL
ISO/IEC 18013:2021 Personal identification — ISO-compliant driving
licence (sic)
The international name has significant connotations of controlling the
activity (driving), not controlling people. (NIST may not adopt the ISO
spelling, but the different emphasis makes it less unwelcoming for
non-drivers.) Driving has been the motivator, but is far from being the
only useful context; this should be made clear.
“an interoperable wallet” (singular) seems to be a significant but
likely unintended restriction, so either use plural or spell out the
intended uniqueness.

“set the foundation for agencies and organizations that may choose to
offer attribute services at varying levels” The setting (and possible
changing) of the levels themselves are a critical part, and the
multiplicity of levels is a significant complication for users,
cost-models (who makes the choice), interoperability, and transition
(e.g. many people have the same wet signature for signing in to a club
and buying a house). Levels also presume a one-dimensional measurement.
What metric is envisaged? (log 1971-dollars, micromorts, votes, …) It is
the (risk or compliance) needs of the relying parties that should be the
starting point, since without those there is simply no ‘user’ need.

Missing: value for money. The physical access management benefit was the
primary measurable (and positive) benefit from the federal PKI
programme. Internationally, the claims in this area have been so
absurdly inflated as to lack credibility. Getting funding should be
facilitated by identifying where savings will be made, and by pushing back
against complaints from those who will see costs and no direct benefit.

Data protection is not mentioned, and should not be conflated with (some
interpretations of) privacy. This matters when it comes to
public/private collaboration, where the US public sector’s high
standards are not imposed on all of industry (potential relying
parties), unlike the EU position where the regulated high standards are
demanded of everyone except the ‘emanations of the Union’.
_______________________________________________
WG-IDAssurance mailing list
WG-IDAs...@turing.kantarainitiative.org
https://turing.kantarainitiative.org/mailman/listinfo/wg-idassurance
