Stream: smart/health-cards
Topic: GG Comment: ID proofing vocabulary
Josh Mandel (Sep 02 2021 at 15:24):
The identity proofing levels for vaccination don't match what's happening here in Australia at GPs: the GPs don't explicitly check your identity when you get the injection, but you're 50% likely to get a person who knows you personally when you turn up, and the GPs talk to you about it before and afterwards. So: no ID was used, but there's actually a pretty good verification system in place (enough? I'll leave that to others to debate)
In practice we've seen very little use of our "IAL" tags in real-world implementations. Policies aren't consistent enough for issuers to hard-code a single value, and nobody takes the time to individually record or assert the identity verification practices used at the time of a specific clinical visit or immunization. I'm not against adding more elements into our vocabulary ("IAL1.2B", or whatever, to capture flavors of "the patient was known to the practitioner") but I'm skeptical about how useful or widely used this will be.
John Moehrke (Sep 02 2021 at 18:37):
(surprise) NOT... security is hard. I suspect this will continue to be more of a theory than real-world. The cases where fraud happens will continue to be handled after-the-fact. https://www.cnn.com/videos/business/2021/09/02/vaccine-fake-card-hawaii-arrest-moos-pkg-vpx.cnn
John Moehrke (Sep 02 2021 at 18:38):
That said, it is useful for the interop standards to support the case where IAL is really used.
Grahame Grieve (Sep 02 2021 at 19:14):
Well, if it's worth including it, it's worth including the case. Though I'd rephrase it more generally as 'identified by routine clinical identification practices'
Julie Maas (Sep 15 2021 at 16:12):
Cross-posting for awareness of this related thread in Identity stream.
Last updated: Apr 12 2022 at 19:14 UTC