Subject: RE: [trust-el] New NIST 800-63-2
Abbie,

Here is a summary of the changes from one of the authors:

From: Sarbari Gupta [mailto:sarbari@electrosoft-inc.com]

Hello Judy,

A couple of us at Electrosoft were provided an option to review and provide input towards the draft version of SP 800-63-2. Here is a summary of the changes:

1) Section 5.1 - Clarified the relationship between the RA (Registration Authority) and the CSP (Credential Service Provider) when these are implemented as separate entities. This relationship could be contractual or based on law (e.g. notary).

2) Section 5.3.1 - Clarified that remote identity proofing mechanisms are designed for full automation. However, online mechanisms such as call centers can also be used to complement the automated mechanisms.

3) Section 5.3.1 Table 3 - Provided some examples of what constitutes "current primary government picture ID".

4) Section 5.3.1 Table 3 - Tightened the language of remote identity proofing at Level 3 to require that both IDs be linked to the Applicant's name and address of record. Also, added a technique for address confirmation that allows the use of electronic mechanisms such as SMS, phone or email as long as these are tied to the Applicant's physical address in records.

5) Section 5.3.1 - Clarified that a phone (cell or landline) account can be used as a "financial" account for identity proofing purposes as long as the account can be linked with the Applicant's name and address in records. However, in this case, address confirmation cannot be done using the same phone number.

6) Section 5.3.2 - Added text to allow the identity proofing step to be skipped for issuance of credentials to Applicants who are licensed under certain federal or state laws (such as doctors, nurses, pharmacists, etc.) in a manner that meets a set of defined requirements. For levels 2 and 3, such credentials may be issued remotely as long as it confirms the address of record for that Applicant.

Our understanding is that these changes were driven by the following goals:

a) To make it easier to issue credentials to Applicants that are already part of a licensing regime that included a rigorous identity proofing step.

b) To tighten some gaps in the remote identity proofing process for Level 3

c) To facilitate full automation for remote identity proofing and to remove delays related to address confirmation step

Hope this is helpful. Please pass on as you see fit.

Best regards,
- Sarbari

==============================================================

From: trust-el@lists.oasis-open.org [mailto:trust-el@lists.oasis-open.org] On Behalf Of Barbir, Abbie

All

NIST is updating their Electronic Authentication Guideline and it is up for public review and comment

See http://csrc.nist.gov/publications/drafts/800-63-2/sp800_63_2_draft.pdf

regards
Abbie