Virginia Regulatory Town Hall
Agency
Identity Management Standards Advisory Council
 
Board
Identity Management Standards Advisory Council
 
10/24/17  9:21 am
Commenter: Scott Shorter, KUMA LLC

Kantara Initiative questions and comments
 

Thank you for this opportunity to comment. These comments are derived from a review period involving Kantara Initiative leadership and staff, the chair and vice-chair of the Identity Assurance Working Group and the editor of the Identity Assurance Framework.  Comment and questions are grouped by document below.

Guidance Document 3 - Privacy, Security and Confidentiality

3.1 We note that a selection of specific security controls is identified in the Privacy, Security and Confidentiality guidance document.  We recommend consideration of the NIST SP 800-63-3 approach, which requires security controls from NIST SP 800-53 at a baseline corresponding to the assurance level, rather than explicitly listing the security controls in the IMSAC guidance.

3.2 With respect to the classification of identity information, at what level of organization is this taking place?  Would individual operators make this determination, or would the classification methods be standard for each identity trust framework?

Guidance Document 6 - Certification

6.1 We suggest that a diagram showing the relationships between the different types of actors identified in the guidance (e.g. CSP, IDP, RP, identity trust framework operator, certification authority) would be very helpful.

6.2 We appreciate the idea behind the law - the limitation of liability is an excellent incentive for organizations to operate in accordance with the identified standards.  Please clarify whether this limitation of liability extends to certification authorities as well as to identity trust framework operators.

6.3 What is the process for determining certification authority eligibility or requisite standing?  We understand that the list of ten functional requirements is applicable, but what is the process for evaluating and approving certification authorities?

6.4 Would the notification process required in item 9 extend to the level of reporting compromised credentials, or is the intention to report on system level breaches?

Guidance Document 7 - Trustmarks

7.1 Is it mandatory to implement trustmarks in order to obtain the liability protections under the law?  Or is the purpose of this document to state the minimum standards and specification if trustmarks are utilized?

7.2 Who is the intended user of a trustmark for an identity trust framework operator or identity provider?  Could the guidance document include use cases demonstrating trustmark verification?

CommentID: 63240