2021-06-22 Identity Binding Drafting Group Meeting Notes
Attendees
Co-Leads:
- Bryn Robinson-Morgan (Mastercard)
- Paco Garcia (Yoti)
ID2020 PM:
- Todd Gehrke
Participants:
- Dan Bachenheimer
- Elizabeth Evenden-Kenyon
- Rob Haslam
- Kaliya Young
Agenda Items
| Time | Item | Who |
|---|---|---|
| 2 min | Welcome & Antitrust Policy Notice | Chair |
| XY min | Review community feedback on document | TBC |
| 3 min | Wrap up | Chair |
Recording - Link
Notes
1. Welcome and Linux Foundation antitrust policy
2. Review community feedback
Noam Arzt - HLN Consulting, LLC
5.3.6.1 "Regardless of what form of identity proofing is performed, the Identity Assurance Level MUST be recorded in the transaction so that verifiers can assess the corresponding risk of identity fraud" - I don't see how it is feasible to do this in an EHR. It is not currently an EHR functional requirement. 5.3.6.1.1 #2: Not sure what it means. Not sure what a "public healthcare process" is.
Michael O’Connell - Critical Insights Consultancy Ltd.
General Feedback
The document has a negative tone toward biometric authentication. Is it possible to change it to a more positive tone?
"It can be difficult or impossible to use that same information to authenticate an individual remotely, over a digital connection (such as using a website or a smartphone application)."
Delete "or impossible".
"Aggregating all of this identifying information in a digital credential creates an unnecessary privacy risk vector if that information is not actually needed to perform adequate authentication."
Identifying information should be protected securely under regulation such as GDPR.
"they are not always needed or used in healthcare delivery, which means some of these tools may be difficult, if not impossible, to implement."
Delete the sentence itself.
Please add an actual example of a place for each of LOA1-LOA4.
It would be good to keep the "Airport"/"Emigration" area with biometric authentication for the health passport.
LOA3 = airport, LOA4 = emigration?
Also, please consider adding the word "biometrics" to the example of multi-factor authentication (LOA3):
“This LOA SHALL employ multi-factor authentication”
“This LOA SHALL employ multi-factor authentication like biometrics”
P60: Is it difficult to change "may" to "shall" for the usage of biometrics at a highly secured LOA?
"This can be done with digital or physical identity credentials where the verifier MAY use biometric information in the credentials and MAY also review the issuer's levels of assurance during the identity process to ensure that it meets the required enrollment LOA and Authentication LOA, where applicable."
"This can be done with digital or physical identity credentials where the verifier SHALL use biometric information in the credentials and MAY also review the issuer's levels of assurance during the identity process to ensure that it meets the required enrollment LOA and Authentication LOA, where applicable."
Changes:
- 5.3.1: Added a reference to GDPR under #2 (privacy risk)
- Rejected the suggestions around biometrics language
We all agree that biometrics can play a very important role in identity binding, and we made every effort to make it clear that biometrics are analogous with higher levels of assurance, while understanding that existing business processes, policies, and risk appetite may outweigh the use of biometrics for verification at the point of vaccination, issuance, and/or verification of health passes and credentials. This is why, in many cases, we use SHOULD instead of MUST: it is up to the verifier to decide whether to accept a health pass or credential with lax identity binding in any of the 'zones'.
Action Items
- TBC