Versions Compared

Old Version 18

changes.mady.by.user Former user

Saved on

compared with

New Version 19

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Mark K: Line 1157 "However, there appear to be two solutions: anything or “two-factor” authentication". What "anything" means?, he believes a word is missing. 
  • Mark K: Lines 624-626  "Two major forms of digital signatures are DSA and PKI. However, Merkle signatures schemes are often used for blockchain protection against change". 


63B_SAC issues 

 

ARB questions on two 63B_SAC criteria, 63B#0030 and 63B#0150.

1.Re 63B#0030 – The KI criterion and NIST source text says this criterion is limited to Agencies. ARB wonders if this could be considered for any CSP.

  • Richard explained that originally, when they did 63B_SAC, they didn't have the choice of roles. They only had the assumption that it was a CSP. They introduced this new criterion with the last revision, stimulated by the creation of the 63C criteria, which assigns criteria to various roles within the Federation. So, the four roles are derived directly from the roles identified in 63C. For consistency reasons, they chose to replicate those four roles in 63A and B SACs.
  • IAWG does not want to change this because they don't have any grounds for making it applicable to CSP or maybe RPs as well, because the NIST requirement clearly says “Agencies”.

2. Re 63B#150 63B#0150 - ARB pointed out that they are separate re-authentication requirements, not optional. 

...

  1. a) prior to a period of session inactivity reaching 30 minutes; OR
  2. b) prior to an extended usage session reaching 12 hours since the last successful re-authentication, regardless of user activity”.

NIST text:

 


  • Response from IAWG and Note added to the 63B#0150 criteria:

[Note that EITHER of the conditions in a) or b) is grounds for the termination of the session and therefore the CSP must continue to check BOTH conditions in order to determine whether either has been breached.
The NIST text makes three separate statements but the third is conditional upon EITHER of the two preceding requirements being unsuccessful, but in fact is poorly expressed since termination is implicitly conditional on it not being possible to reauthenticate the user but this qualification is not stated - s written it could be found that termination SHALL occur after either 30 mins or 12 hrs (and the second case would never be true).  This third 'SHALL' expression needs to be qualified by stating "if reauthentication fails", hence the Kantara clause is constructed as is and needs no change].

...

  • It was clarified that the 0150 63B#0150 only apply for RPs and not CSPs. 
  • Richard explained how they made that determination when developing the criteria: They have turned the NIST text around a little bit and had to invert the sentence structure of NIST text to better understand the requirement. IAWG analyzed the requirements and came up with a workable solution, because the goal is to have a reason to terminate. The RP shall terminate the session, whenever it is unable to receive affirmative re-authentication. So, if they don't get positive re-authentication either by not allowing a session to go beyond 30 minutes, or not allowing an extended section to go beyond 12 hours, then you terminate it. So although it says “either”, in order to accomplish the termination if either of these is achieved, or it becomes true, you actually have to test for each of them all the time. It was sustained that in this case, KI criteria are consistent and more accurate than the NIST requirement.  Once authentication has been provided by the CSP, the RP has no participation in what that session is about. So it has to be the RP that stimulates the re-authentication and then terminates according to whether it does or does not get a successful response to that authentication.

...