FAL2 Compliance - Authentication and Attribute Disclosure

[dhs-BI]

Section 3.6 of SP800-63C rev4 documents the requirements for attribute disclosure between IdPs and RPs. Since IPSIE's scope is enterprises who are expected to have business agreements with their vendors, this section does appear to be applicable to IPSIE since it is not a technical control and is likely impacted by local, national, and supranational laws and regulations.

These requirements are captured in #71. Should IPSIE eliminate the requirements in this section for purposes of SL1?

chair hat off
My personal opinion is that these requirements are unenforceable by IPSIE and should be eliminated from consideration when we discuss FAL2 compliance. Our focus should be on technical controls, not business processes.
chair hat on

[deansaxe]

This issue was discussed at the 2025-05-13 meeting. Based on the discussion, these controls may be included in the side-car document to identify the minimum bar for interop.

I will leave this open until the meeting on June 24 for further feedback.

[deansaxe]

I have published a draft to address this issue. Please see https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html.

[deansaxe]

I have incorporated this into the common requirements doc. If the doc is adopted, this issue can be closed. Labeled as pending close.

[deansaxe]

Doc was adopted, closing.