NIST SP 800-63-4 Second Public Draft (2pd) was made available a week ago. This was the first of a planned series of workshops, and it goes over some of the most important changes since the initial public draft.
Meeting Summary
Introduction and Housekeeping
- The workshop on the NIST Special Publication 800-63 Revision 4 second public draft began with housekeeping notes, including the recording of the session, the availability of slides, and the use of the Q&A function for questions. [00:00]
- Today’s Agenda is as follows:
Overview of NIST Special Publication 800-63 Revision 4
- The workshop focused on the second public draft of the Digital Identity Guidelines, covering major changes, the public comment period, and how to submit comments. [02:00]
- The guidelines are foundational requirements for digital identity management across the federal government, published in four volumes: a base volume and Volumes A, B, and C. [05:00]
Key Motivations for Change
- The primary motivations include improving equitable access to government services, addressing emerging threats and technologies, and incorporating real-world lessons from previous implementations. [07:00]
Major Changes in the First Public Draft
- Changes included revamped risk management, updated biometric requirements, new identity proofing processes, and considerations for privacy, usability, and equity. [09:00]
Timeline and Public Comment Period
- The timeline for the revision process was reviewed, highlighting the issuance of the first public draft in December 2022 and the second public draft in August 2024. The public comment period for the second draft is 45 days. [12:00]
Major Changes in the Base Volume
- Connie LaSalle discussed the incorporation of the user-controlled wallet model, the inclusion of an initial step in the identity risk management process, and the introduction of metrics for continuous evaluation and improvement. [16:00]
- Notably, the subscriber-controlled wallet is modeled as a variation of an IdP, and the wallet "issuer" is captured as a CSP, so the existing IdP and CSP requirements apply to the wallet model.
- The updated digital identity risk management process includes defining the online service, conducting an initial impact assessment, and tailoring controls based on ongoing risk assessments. [20:00]
- Continuous evaluation and improvement are emphasized, with recommended performance metrics and redress practices to handle issues fairly. [25:00]
Major Changes in Volume A (Identity Proofing and Enrollment)
- David Temoshok highlighted updates to proofing roles and types, rebalancing of IAL 1, new identity verification pathways, fraud management requirements, and updated evidence validation requirements. [30:00]
- Proofing roles now include proofing agents, trusted referees, process assistants, and applicant references. [32:00]
- IAL 1 rebalancing focuses on reducing friction and increasing optionality for applicants and credential service providers. [35:00]
- New identity verification pathways at IAL 2 include non-biometric options and digital evidence verification. [38:00]
- The new fraud management section includes requirements for credential service providers and relying parties, mandatory fraud checks, and communication channels for suspected fraud cases. [42:00]
- Updated evidence validation requirements include performance metrics for document authentication systems and training for proofing agents. [45:00]
Major Changes in Volume B (Authenticators and Authentication)
- Andy Regenscheid discussed incremental refinements, new requirements for syncable authenticators, and clarified guidelines for subscriber-controlled digital accounts. [50:00]
- Syncable authenticators like passkeys are now accommodated, with additional requirements for sync fabrics. [52:00]
- The revamped account recovery section provides clearer paths and more flexibility for implementing account recovery processes. [55:00]
- The use of digital wallets as authenticators is clarified, and new account recovery methods are introduced, including saved recovery codes and trusted recovery contacts. [57:00]
Major Changes in Volume C (Federation and Assertions)
- Ryan Galluzzo explained the updated structure of 800-63C, modifications to Federation Assurance Level 3, and the introduction of protocol-based examples. [01:00:00]
- The new structure includes core common federation requirements and separate sections for general-purpose IdP federation and user-controlled wallet federation. [01:02:00]
- Federation Assurance Level 3 now includes Holder-of-Key assertions and bound authenticators. [01:05:00]
- Protocol-based examples provide high-level illustrations for implementing federation protocols like OpenID Connect and SAML. [01:08:00]
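To make the FAL3 holder-of-key point concrete, here is an added example (my own illustration, not code from the workshop, from NIST, or from any 800-63C protocol example). It assumes a minimal JSON assertion with JWT-style claim names and an RFC 7800-style confirmation key field (`cnf_key`, a name chosen here), Ed25519 for both the IdP signature and the subscriber's proof of possession, and an RP that issues a fresh nonce per presentation. The point it shows is what holder-of-key buys you: a valid, unexpired assertion that is captured and replayed by a party without the bound key is rejected, because the RP requires proof of control of that key and not just the assertion itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified holder-of-key assertion. The IdP asserts the
// subject and binds a confirmation key (the subscriber's public key) into the
// signed payload. Field names are illustrative (JWT-style claims plus an
// RFC 7800-style confirmation key); they are not names mandated by SP 800-63C.
type Assertion struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	CnfKey   []byte `json:"cnf_key"` // subscriber's Ed25519 public key (assumed field name)
}

// SignedAssertion is the JSON payload plus the IdP's signature over it.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// IssueAssertion is the IdP side: embed the subscriber's public key and sign.
func IssueAssertion(idpPriv ed25519.PrivateKey, iss, sub, aud string, subPub ed25519.PublicKey, ttl time.Duration, now time.Time) (SignedAssertion, error) {
	a := Assertion{Issuer: iss, Subject: sub, Audience: aud, Expiry: now.Add(ttl).Unix(), CnfKey: []byte(subPub)}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idpPriv, payload)}, nil
}

// NewNonce is the RP side: a fresh random challenge per presentation, so a
// captured proof-of-possession signature cannot be replayed later.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// ProvePossession is the subscriber side: sign the RP's nonce with the private
// key whose public half the IdP bound into the assertion.
func ProvePossession(subPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(subPriv, nonce)
}

// VerifyHolderOfKey is the RP side. The assertion is accepted only if the IdP
// signature, audience and expiry check out AND the presenter proves control of
// the bound key. A genuine assertion presented without that key is rejected.
func VerifyHolderOfKey(idpPub ed25519.PublicKey, sa SignedAssertion, expectedAud string, nonce, proof []byte, now time.Time) (string, error) {
	if !ed25519.Verify(idpPub, sa.Payload, sa.Signature) {
		return "", errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	if a.Audience != expectedAud {
		return "", errors.New("assertion audience mismatch")
	}
	if now.Unix() >= a.Expiry {
		return "", errors.New("assertion expired")
	}
	if len(a.CnfKey) != ed25519.PublicKeySize {
		return "", errors.New("assertion carries no usable confirmation key")
	}
	if !ed25519.Verify(ed25519.PublicKey(a.CnfKey), nonce, proof) {
		return "", errors.New("holder-of-key proof failed: presenter does not control the bound key")
	}
	return a.Subject, nil
}

// Demo runs the legitimate exchange, then replays the same assertion from a
// party that holds a different key. It returns the subject accepted in the
// legitimate flow and the rejection error from the replay attempt.
func Demo() (string, error, error) {
	idpPub, idpPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	subPub, subPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // has the assertion, not the bound key
	if err != nil {
		return "", nil, err
	}
	now := time.Now()
	sa, err := IssueAssertion(idpPriv, "https://idp.example", "alice", "https://rp.example", subPub, 5*time.Minute, now)
	if err != nil {
		return "", nil, err
	}
	nonce, err := NewNonce()
	if err != nil {
		return "", nil, err
	}
	subject, err := VerifyHolderOfKey(idpPub, sa, "https://rp.example", nonce, ProvePossession(subPriv, nonce), now)
	if err != nil {
		return "", nil, err
	}
	nonce2, err := NewNonce()
	if err != nil {
		return "", nil, err
	}
	_, replayErr := VerifyHolderOfKey(idpPub, sa, "https://rp.example", nonce2, ProvePossession(attackerPriv, nonce2), now)
	return subject, replayErr, nil
}

func main() {
	subject, replayErr, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("accepted subject:", subject)
	fmt.Println("replayed assertion without bound key:", replayErr)
}
```

The bound-authenticator alternative the draft mentions alongside holder-of-key is not shown here; the same RP-side structure applies, with the second check proving possession of an authenticator bound to the RP account rather than of a key carried in the assertion.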
Public Comment Period and Next Steps
- The public comment period closes on October 7th. Comments can be submitted via email or using an Excel spreadsheet. The timeline for finalization depends on the volume of comments received. [01:15:00]
- The team emphasized the importance of public feedback and encouraged participation in the review process. [01:20:00]
- Feedback is sought especially on the following areas:
- This will be the last public consultation, and final publication is expected in the new year.
- You can engage through the following channels:
Q&A Session
- Various questions were addressed, including those on document false acceptance rates, biometric performance, and the use of passkeys. [01:25:00]
- The team provided clarifications on specific requirements and encouraged further comments and feedback from participants. [01:30:00]
Closing Remarks
- The workshop concluded with a reminder to submit comments and participate in future workshops. The team expressed gratitude for the participants’ time and feedback. [01:35:00]