
Subject: RE: [trust-el] New NIST 800-63-2



Here is a summary of the changes from one of the authors:


From: Sarbari Gupta [mailto:sarbari@electrosoft-inc.com]
Sent: Thursday, February 07, 2013 8:11 PM
To: Judy Fincher
Cc: Nasim Ali; Amila Ranasinghe
Subject: RE: NIST Released DRAFT Special Publication 800-63-2, Electronic Authentication Guideline

Hello Judy,

A couple of us at Electrosoft were provided an option to review and provide input towards the draft version of SP 800-63-2. Here is a summary of the changes:

1) Section 5.1 - Clarified the relationship between the RA (Registration Authority) and the CSP (Credential Service Provider) when these are implemented as separate entities. This relationship could be contractual or based on law (e.g. notary).

2) Section 5.3.1 - Clarified that remote identity proofing mechanisms are designed for full automation. However, online mechanisms such as call centers can also be used to complement the automated mechanisms.

3) Section 5.3.1 Table 3 - Provided some examples of what constitutes "current primary government picture ID".

4) Section 5.3.1 Table 3 - Tightened the language of remote identity proofing at Level 3 to require that both IDs be linked to the Applicant's name and address of record. Also, added a technique for address confirmation that allows the use of electronic mechanisms such as SMS, phone or email as long as these are tied to the Applicant's physical address in records.

5) Section 5.3.1 - Clarified that a phone (cell or landline) account can be used as a "financial" account for identity proofing purposes as long as the account can be linked with the Applicant's name and address in records. However, in this case, address confirmation cannot be done using the same phone number.

6) Section 5.3.2 - Added text to allow the identity proofing step to be skipped for issuance of credentials to Applicants who are licensed under certain federal or state laws (such as doctors, nurses, pharmacists, etc.) in a manner that meets a set of defined requirements. For levels 2 and 3, such credentials may be issued remotely as long as it confirms the address of record for that Applicant.

Our understanding is that these changes were driven by the following goals:

a) To make it easier to issue credentials to Applicants that are already part of a licensing regime that included a rigorous identity proofing step.

b) To tighten some gaps in the remote identity proofing process for Level 3.

c) To facilitate full automation for remote identity proofing and to remove delays related to the address confirmation step.

Hope this is helpful. Please pass on as you see fit. Best regards,

- Sarbari

Sarbari Gupta

(703) 437-9451 Ext 12 (office); (703) 437-9452 (fax); (703)217-8475 (cell)
sarbari@electrosoft-inc.com (Email); http://www.electrosoft-inc.com (Web)



From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Barbir, Abbie
Sent: Monday, February 11, 2013 5:37 AM
To: trust-el@lists.oasis-open.org
Subject: [trust-el] New NIST 800-63-2



NIST is updating their Electronic Authentication Guideline and it is up for public review and comment.












