Certification of capabilities and services as a prelude to procurement, especially in the public sector, is an interesting high-wire act.
It often pits two perspectives against each other:
- The acquirer (business owner), who is focused on results and outcomes and seeks a minimum viable product that is certified to baseline criteria.
- The certification authority, which utilizes auditors and evaluators who, with very rare exceptions, are focused not on outcomes but on a yes/no checkbox approach.
It is a minor miracle and an occasion for celebration when something useful actually comes out of the end of a certification pipeline.
++ Kantara Initiative Awards SUNET CSP Trustmark Grant at Assurance Level 1 and 2. Don't believe they used the FICAM extensions to their trustmark profile for this approval, but this is a great start to cross-jurisdictional trust.
Financial pixie dust
++ The financial sector is the most natural source of credentials for consumers but they tend to be motivated by the transaction flow volume in their primary business line, and minimizing account opening risk - not by public sector authentication payment pixie dust.
++ The addition of Barclays and PayPal to GOV.UK Verify, which gives excellent reach into an established population, is probably motivated by some additional transaction volume opportunity or access to the GOV.UK Verify document checking service.
- The document checking service is a classic example of identity validation as a public sector service which can reduce risk.
cyberforge: random and relevant
++ Google detected and blocked unauthorized digital certificates for several Google domains.