
IAWG Meeting Minute 2020-06-18

 

Attendees

Ken Dagg

Ruth Puente

...

Richard Wilsher

Pete

 

Agenda

Administration:

  1. Roll Call
  2. Agenda Confirmation
  3. Action Item Review: action item list
  4. Minutes approval 2020-06-11 Draft Minutes
  5. Staff reports and updates - Keeping up with the Kantarians
  6. LC reports and updates
  7. Call for Tweet-worthy items to feed (@KantaraNews)

Discussion

  1. Presentation of KIAF 1430 "Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria (at IAL3)" - Please see attached.
  2. Comments on PCTF Credentials - Please see the latest version of the IAWG comments attached (changes to the last version are highlighted in yellow).
  3. NIST Call for Comments on SP 800-63-3 to ultimately lead to Revision 4 https://csrc.nist.gov/publications/detail/sp/800-63/4/draft.
  4. Revised Glossary terms.
  5. Update on the xAL3 Sub-group, which is preparing criteria for 63B at AAL3.

Any Other Business 

  1. Administration:


 

1.d Minutes Approval 2020-06-11 Draft Minutes:

  • Motion: To approve 2020-06-11 Draft Minutes.

Moved: Martin Smith; Seconded: Mark Hapner. Unanimous Approval.


LC Update 

  • Tom commented that a motion was approved in the Health Identity Assurance Work Group to look at how IAL2 and AAL2 might be implemented with guidance for the health industry in the US. The second item is that a proposal was made to the Foundation Board to apply for a grant in order to set up a registry service that would involve assurance for device apps. Tom will let IAWG know how that goes; if the Board gives unanimous approval, it would move forward.
  1. Discussion:

...


2.a Presentation of KIAF 1430 "Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria (at IAL3)":

  • Richard explained that new criteria were added, including criteria specifically related to RPs and Federal Agencies. When the FAL criteria were done, the Federation part of 63 rev.3, 63C, very specifically talks about the IdPs (or CSPs, as they are called), RPs, Federation Authorities and Federal Agencies. That has now been replicated in the Identity Assurance criteria, so columns I to L are the four entities to which each criterion might apply. Column M holds the old tags and column N the new tags. Columns S and T indicate Assurance Levels 2 and 3, showing the level at which each criterion applies. Column U is for comments and guidance, V is for initials and W for comments. Anything that is new is in red text. It was asked if this document is the one Richard sent last night; Richard confirmed it is the same.
  • A question was raised about line 85: is what was highlighted in red supposed to be this way? Richard answered that in IAL3 the equivalent is high baseline and high impact. It was asked what the difference is between rows 85 and 86. Richard explained that NIST made a discrete differentiation between the controls selected from these baseline sets and the controls that relate to the impact rating of the system to which they are being applied. Therefore, two discrete criteria are needed.
  • It was asked what the time frame for comments is; Ken said that two weeks would be good. Ken asked that anyone who is going to take longer than two weeks for comments please send an email to him and Ruth.
  • Ken mentioned that July 2nd is not a good time for having the meeting due to Canada Day and July 4th in the States.
  • The deadline to release the call for comments will be three two weeks from now.
  • There was a question about line 66: is the faded-out text not valid anymore? Richard explained that criteria were created for normative statements, those that have a SHALL. The ones that say SHOULD or MAY are left aside; no criteria were created for them. There are some cases where it says "the CSP SHOULD do something and if it does it, it SHALL"; in those cases the criterion created is "If you do this, you SHALL". The idea is to cover the SHALLs, so essentially criteria were created for explicitly normative statements.
  • Richard stressed that reviewers are not being asked to review anything in black text; it is there, it is published, and it is not up for review at the moment. Feedback is only being asked for on the changes in red. Comments have been received on published criteria, which brings him to a second point not directly related to this review: the published criteria will be reviewed every twelve months.
  • Ken clarified that the Sub-Group then has three tasks: one is the creation of level 3, another is to review level 2, and the last is to note anything of interest that might become a suggestion for improvement in rev.4.

...