Sun Sep 14 19:45:53 PDT 2014

Control Architecture: Identity proofing: How are asserted identities proofed after originally identified?


Options:

Alternatives include:

Token types have characteristics allowing evidence of:

Biometric evidence types include:


Basis:

Identity proofing is a process by which original identity is tied to an individual at a subsequent time. This is typically done through the use of identity tokens of some sort (e.g., a passport, driver's license, or other issued identity), optional biometrics (e.g., picture on the identifier, fingerprint, retinal print, DNA analysis, etc.), and optional verification against a repository.

From: "Identity proofing: How are asserted identities proofed after originally identified" - the UK government standard - and an excellent description of a workable process.

Key Principles:

Process

Level / Details / Situation

Level 1:

No requirement for the identity of the Applicant to be proved so no declaration of a Claimed Identity is made, no evidence is needed and no proofing is performed. The Applicant provides an Identifier that can be used to confirm an individual as the Applicant. The Identifier has been checked to ensure that it is in the possession and/or control of the Applicant.

Nominal identity check.

Level 2:

Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity. The steps taken to determine that the identity relates to a real person and that the Applicant is owner of that identity. This is intended to give sufficient confidence for identity to be offered in support of civil proceedings.

Level 3:

Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity and physically identifies the person to whom the identity belongs. The steps taken to determine that the identity relates to a real person and that the Applicant is owner of that identity. This is intended to give sufficient confidence for identity to be offered in support of criminal proceedings.

Level 4:

Identity that is required to meet all Level 3 requirements AND provide further evidence and is subjected to additional and specific processes, including the use of Biometrics, to further protect the identity from impersonation or fabrication. This is intended for those persons who may be in a position of trust or situations where compromise could represent a danger to life.

Levels of Identity Proofing Assurance
Score / Properties of the Identity Evidence

Score 0:

No compliant Identity Evidence provided.

Score 1:

The issuing source of the Identity Evidence performed no identity checking.

The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into possession of an individual.

The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.

Score 2:

The Issuing Source of the Identity Evidence confirmed the applicant's identity through an identity checking process.

The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into possession of the person to whom it relates.

The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.

Where the issued Identity Evidence is, or includes, electronic information that information is protected using cryptographic methods and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.

Where the issued Identity Evidence is, or includes, a physical object it requires Proprietary Knowledge to be able to reproduce it.

Score 3:

The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007.

The issuing process for the Identity Evidence ensured that it was delivered into the possession of the person to whom it relates.

The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.

The Personal Name on the issued Identity Evidence must be the name that the identity was officially known at the time of issuance. Pseudonyms, aliases and initials for forenames and surnames are not permitted.

The issued Identity Evidence contains a photograph/image of the person to whom it was issued OR the issued Identity Evidence can be used to identify its owner through a Knowledge Based Verification.

Where the issued Identity Evidence is, or includes, electronic information that information is protected using cryptographic methods and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.

Where the issued Identity Evidence is, or includes, a physical object it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it.

Score 4:

The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007.

The Issuing Source visually identified the applicant and performed further checks to confirm the existence of that identity.

The issuing process for the Identity Evidence ensured that it was delivered into possession of the person to whom it relates.

The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.

The Personal Name on the issued Identity Evidence must be the name that the identity was officially known at the time of issuance. Pseudonyms, aliases and initials for forenames and surnames are not permitted.

The issued Identity Evidence contains a photograph/image of the person to whom it was issued.

The issued Identity Evidence contains a Biometric that was captured at registration that can be used to identify the person to whom it was issued.

Where the issued Identity Evidence is, or includes, electronic information that information is protected using cryptographic methods and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.

Where the issued Identity Evidence is, or includes, a physical object it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it.

Strength of Evidence of Identity Proof
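
The evidence-strength table above can be applied mechanically. The Python below is an added example, not part of the original page or of the UK standard; it returns the highest score whose listed properties all hold for a piece of evidence. The field names, the ordered scales and the sample records are assumptions of this example, and the Score 1 statement that the issuer performed no identity checking is treated as placing no requirement on the issuer.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Ordered scales, weakest first (labels are this example's own naming).
ISSUER = ["none", "checked", "mlr2007", "mlr2007_visual"]
DELIVERY = ["unknown", "assumed_individual", "assumed_owner", "ensured_owner"]
PHYSICAL = ["none", "knowledge", "knowledge_and_apparatus"]

@dataclass
class Evidence:
    issuer_check: str = "none"
    delivery: str = "unknown"
    reference_number: bool = False
    official_name: bool = False      # no pseudonyms, aliases or initials
    photo: bool = False
    kbv: bool = False                # Knowledge Based Verification possible
    biometric: bool = False          # captured at registration
    electronic_protected: Optional[bool] = None  # None: no electronic part
    physical_security: Optional[str] = None      # None: no physical part

def form_ok(e, min_physical):
    """The two 'Where the evidence is, or includes...' rows are conditional."""
    electronic = e.electronic_protected is not False
    physical = (e.physical_security is None or
                PHYSICAL.index(e.physical_security) >= PHYSICAL.index(min_physical))
    return electronic and physical

def meets(e, score):
    issuer = ISSUER.index(e.issuer_check)
    delivery = DELIVERY.index(e.delivery)
    if not e.reference_number:       # required at every score from 1 up
        return False
    if score == 1:
        return delivery >= 1
    if score == 2:
        return issuer >= 1 and delivery >= 2 and form_ok(e, "knowledge")
    strong = (delivery == 3 and e.official_name
              and form_ok(e, "knowledge_and_apparatus"))
    if score == 3:
        return strong and issuer >= 2 and (e.photo or e.kbv)
    return strong and issuer == 3 and e.photo and e.biometric

def evidence_score(e):
    """Highest score whose listed properties all hold; 0 if none do."""
    return max((s for s in (1, 2, 3, 4) if meets(e, s)), default=0)

# Constructed samples, not drawn from the standard.
CARD = Evidence(delivery="assumed_individual", reference_number=True)
CHIP_ID = Evidence("mlr2007_visual", "ensured_owner", True, True, True,
                   False, True, True, "knowledge_and_apparatus")
UNSIGNED_CHIP_ID = replace(CHIP_ID, electronic_protected=False)
```

UNSIGNED_CHIP_ID shows the effect of the cryptographic-protection row: evidence that otherwise meets Score 4 drops to Score 1 once its electronic information is not integrity-protected, because that row applies at every score from 2 upward.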
Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved