FAL2 - storage of subscriber attributes/deprovisioning

[dhs-BI]

Section 10.3.2 of SP800-63Crev4 provides specific guidance on how to store personal attributes of users (subscribers, see #71). This guidance is likely in conflict with how enterprises manage their users (see these comments.)

chair hat off
In order to accommodate different mechanisms for user management, IPSIE SL1 should not follow the NIST requirements and allow IPSIE compliant services to determine the proper model within the constraints of law and policy. This should be documented in the IPSIE SL1 profile.
chair hat on

[deansaxe]

I missed this in the initial draft of the common requirements in the sidecar draft. I'll queue this up for adding to the draft.

[deansaxe]

See updated text at openid/ipsie-common-requirements-profile@fd97b81.

[deansaxe]

I have incorporated this into the common requirements doc. If the doc is adopted, this issue can be closed. Labeled as pending close.

[deansaxe]

Doc was adopted, closing.