usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

Issuing Source #1069

Closed KantaraInitiative-IAWG closed 7 years ago

KantaraInitiative-IAWG commented 7 years ago

All Fields Are Required

Organization Name (N/A, if individual): Kantara Initiative Inc.

Organization Type (see below for codes): 3

Document (63-3, 63A, 63B, or 63C): SP 800-63A

Reference (Include section and paragraph number): 4.4.1.2; 4.5.2; 5.2.1.1 Table 5-1; 5.2.2.1 Table 5-2

Comment (Include rationale for comment): NIST has classified the levels of evidence that can be used into four categories (Weak, Fair, Strong, and Superior). Each category indicates that information is validated against the “issuing source”. Most data validations today are not performed directly against an issuing source (such as a bank for credit card or a DMV for driver’s license) but against an authoritative source (such as a credit bureau) that affirms the information and assumes that the process the “issuing source” used to create the data performed proper vetting of identification at the time the data was created. For example, the process of obtaining a new Driver’s license requires in-person verification along with providing many forms of identification before the new Driver’s License is issued. Kantara believes requiring validations using the “issuing source” is unrealistic and many Identity Proofing solutions will not be able to provide this level of validation. As mentioned in issue #1068, document verification will be required for all IAL2 transactions. In today’s environment, the pieces of documentation that contain both PII and photo/image/biometric data are extremely limited. For the majority of U.S. consumers, that would be either a driver’s license or a passport or possibly a US Resident Card. Although information contained in these documents can be validated, today the data typically cannot be verified directly against the issuing source. Meaning there is not a method of directly going to either the state that issued the Driver’s License or the State Department that issued the Passport document. Document verification technology today is looking at the ‘correctness’ of the document, meaning it is looking at format, holographic images, watermarks, positioning of text and abnormalities of the physical document. It is not looking at the PII data and comparing it directly against a database (of sorts) to confirm that the state or country actually issued this document.

Suggested Change:

Recommendation: NIST should either provide further clarification on this requirement or make provision for the use of an authoritative source for verification of PII information contained in the document. Using an authoritative source allows verification of the PII using validated and verified data to confirm that the PII information is accurate while still allowing the document verification technology to verify the validity of the document.


Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other

paul-grassi commented 7 years ago

Will be resolved via #582