...

  • Richard noticed that somebody started commenting on criteria (IAL2) that are already approved and published. Given that there is a provision in the document to review it every twelve months, Richard proposed to revise these comments under that review option.
  • Richard commented that this document is almost ready; at last week's meeting he realized that there were some changes he had to make. Moreover, there were additional criteria that needed to be checked.
  • Richard explained he has arranged logically rather than strictly by source section.
  • Richard said that the comment in row 98 was accepted with modification.
  • Richard added that he will have to work out the appropriate text for section 5.3.2.
  • He is planning to replace all of the old text with new text, starting the number sequence again to account for the fact that it is the new IAL3 criteria. Until he applies the new text in the pending new 63A tag, he cannot resolve references in the criterion (rows 121-125).
  • Martin expressed he likes the requirements’ language on line 125.
  • Martin asked Ruth what the plan for this document at tomorrow’s meeting is. Ruth said that if it is finished, it can be presented, but just that. The idea is to introduce documents for presentation, and then one week will be needed for comments.
  • Andrew commented about line 125 that it is clarification of the SHALL be expected to be known only. He suggested taking that out and making it guidance in 123. Richard added that comment in row 123.
  • Andrew proposed to leave it and have the CSP prove that this is entropy and they can figure it out (Row 130). Richard said it is a good idea.
  • About rows 134-135, Richard explained that you cannot include the SHALL unless you accommodate the SHOULD / MAY. Row 135 criterion was modified as “require responses which are not based on selection from a pre-determined list”.
  • Andrew commented that line 137 reduces the fact of the entropy anyways. Richard said he found that disturbing himself.
  • Row 138 was corrected according to the comment.
  • Row 142 criterion was modified as “no question SHALL provide the Applicant the opportunity to infer answers to any other KBQs in any subsequent session.” Andrew commented that it is an impossible requirement anyway. He said that the challenge with these criteria is that the only scenario where it would work is when the attacker has linkability between sessions because they are doing multiple sessions; it requires the CSP to also keep track and link the application attempts.
  • About 145, Andrew said that the reality is that anyone using KBV will have to apply for Kantara’s approval.
  • Andrew stressed that the IAWG should be informed by the Sub-Group that this set of criteria is very problematic. Richard said these criteria are meant to provide a normalized interpretation of 63 rev.3 but do not invent any alternatives. Andrew asked Martin if he would raise this point to the IAWG; Martin said he would do so. Andrew pointed out it is necessary to say “watch out, they are really hard and problematic to achieve”. Richard said that whether one liked it or not, it was agreed that they are some correct and acceptable interpretations of what NIST is asking.
  • Ruth mentioned she posted on the chat the link to the NIST answer and that includes the use of KBV. She said that David’s answer is quite clear and also in light of a review within the ARB that was criticized. It was pointed out that something else was needed.
  • Richard explained that the Group is trying to do its own representation of what NIST is asking for.
  • About line 169, Richard clarified that TR is a Trusted Referee, it is somebody who is on the applicant’s side of the process, not a supervisor who is on the CSP’s side of the process overseeing application. Richard added he does not understand the comment in there. The Trusted Referee has gone through the proofing process at the same level at which the person for whom they are acting as a referee does.

...