...

  • Richard said that if it is necessary to recommend a maximum period between these periodic re-assessments, it could be three years. Nevertheless, every year Kantara would have to ask whether they are meeting their three-year obligation. This aspect must be defined by the Fed Authority.
  • Richard remarked that the NIST text does not say when the vetting should be performed.
  • Martin added that sometimes a conditional approval is granted, subject to specific remedial actions.
  • Richard suggested that we need to think about three aspects: 1) Should this requirement be made such that they have to be vetted and sufficiently meet the requirements prior to participation? 2) Frequency of assessment: one-off or periodic (no greater than six months)? 3) To what extent does one allow less than 100% conformance to be found, subject to corrective actions within an acceptable time period?
  • Ken suggested adding a note/guidance that the Federation Agreement might consider defining: the period of re-assessment (before joining the Fed or at any time during participation), and what level of sufficiency of conformance is to be achieved. The group agreed to add a note reflecting that, and Richard added the note in column R.
  • Nathan commented that the self-assessment part (column R) was bothering him extremely. He asked whether the source text allows self-assessment. Richard said no; it actually excludes the possibility of self-assessment by Federation participants. When you consider this text here, a federation could vet each participant. It does not allow self-assessment; that would be inconsistent with Kantara.
  • Ken's suggestion (My vote: “As for additional requirements to the Fed Agreement, ‘As Necessary’ for Testing, and ‘SHALL be done’ for frequency of re-assessment”) raised no objection and was accepted by the group.

Richard proposed to continue with Martin’s comments and to address SATO's comments, and said that everything in green has already been resolved.

...

  • Richard said it is a good idea, but not feasible. Richard added that the Service Provider would need to be individually assessed. He also pointed out that there are no means to assess -?- (min 39:20) exclusively at the moment, but a similar process could be created.

  • Richard W. also sees a problem because a meaningful federation will have multiple CSPs (IdPs), so assessing the Federation Authority with either a single CSP or all CSPs seems either pointless or very burdensome.

...