...

  • Ken explained that yesterday the Working Group subgroup completed a set of Service Assessment Criteria for 63C that it is happy with. The next step in the process of getting those adopted by Kantara is for IAWG to approve them. Since the draft only came out yesterday, Ruth sent a note yesterday afternoon with a request for comments.
  • After the draft is approved by the IAWG, it will enter a 45-day Public Comment and IPR Review, after which it should be approved by Kantara All-Member Ballot.
  • Approval is still 60 days away.
  • The idea is to get comments by next Tuesday at CoB. Ken asked the group to let Ruth and him know if there are major concerns or comments, so that they can be addressed in a future meeting.

Richard presented the 63C FAL2 draft: KIAF-1450 SP 800-63C Service Assessment Criteria v0.13.0.xlsx

  • Richard explained that a decade ago the criteria were written in Word. Now, with 63C rev. 3, Excel is being used.
  • Columns A to H replicate the source, the reference text from 800-63C. Columns A to F hold the clause structure from that document.
  • Column H is the extracted normative text. It is not the whole text; it only includes those statements which are clearly normative because they contain the word “SHALL” or “required”. All the statements saying “may” or “should” have been omitted and have not contributed to writing the criteria.
  • The other thing that is different about 63C is that it very clearly refers to specific entities (columns I to L), such as RP, IdP, FA and US Fed Agcy.
  • Column M contains a tag for each criterion. The index is the sub-criteria (columns N to P). Then there is the KI Criterion (column Q), which was written with consistent terminology.
  • Finally, column R holds the editor’s comments and queries.
  • Column S determines the status of each criterion.
  • Richard said that comments would be appreciated; the idea is to write them in the Comments column. He asked reviewers to please add their initials (name) and a number, and to add comments with reasons supporting them. The idea is to avoid comments like “I don’t like it”.
  • Ken added that the Classes of Approval could be an RP getting an assessment, a CSP and IdP getting an assessment, a Federation Authority getting an assessment, or any combination of those. That is important because if there is an already established Federation and an RP wants to join it, there is a specific set of criteria that the RP has to meet; similarly, if a CSP wishes to join an already existing Federation, there may be a set of criteria that it has to meet. This will open up the Assessment business.
  • Having described the vertical perspective of what this is all about, Richard highlighted a couple of features and explained what has been done in the document. One of them was a few words about Federation Authorities and Federation Agreements, which he thought would be helpful for reviewers.
  • Richard explained that column H contains NIST text; that is true, but it is important to understand that there will be occasions where there are Kantara-specific requirements (shown in a special shade).
  • Richard commented that in 7.1 NIST talks about Back-Channel Presentation of Assertions and in 7.2 it talks about Front-Channel Presentation of Assertions. Richard said that they basically made a number of reflective statements about what RPs will do with subscribers and with IdPs, and what IdPs will do with RPs and subscribers. Therefore, he wrote all of those up into a single clause or a small set of clauses.
  • Richard added that NIST identifies a role as a Federation Authority but does not define it much. However, NIST also says that there does not have to be one. From the perspective of performing an Assessment for a Federation, if you do not know what the Federation is trying to achieve, it is going to be a little tough to assess any of the participants because you do not have a concrete specification. Accordingly, Kantara introduced the idea of a Federation Agreement, being a document or set of documents which define how the participants in the Federation will behave, how they will construct their assertions, etc. Sub-criteria were also defined that describe good practices in establishing a Federation.
  • Mark clarified it is basically a contract among the parties, whether it is issued by the authority or the participants.
  • Ken commented that the other point to make is: yes, they do not have to have terms and conditions, but they have to consciously say to the assessor ‘we considered that, and we do not need it’.
  • Tom asked whether, when he evaluates this, the IdP is in fact under the control of the subscriber. He said that if he gives weird feedback, it is because he is looking at it from the point of view of the IdP being on the user’s telephone, for example. He added that a user can have several identifiers, and he also explained that subjects are not looked at as humans specifically.
  • Richard explained that in Kantara speak two terms are used: Subscriber and Subject. They are very often the same entity, but in the case of a corporate entity having a number of non-life-form identities operated within it, the Subscriber would be the corporate entity and the Subject would be the individual identities for whatever representation that corporation requires.
  • Ken stressed that comments are requested by close of business. The ideal case would be a few comments that can be fixed up in a day, so that the document can be presented to IAWG next Thursday at the meeting for approval for the 45-day IPR Public Review. If more time is needed to go back and rework some criteria, the approval would be delayed.
  • He repeated that the next step is an All-Member ballot within Kantara, at that point the criteria will be approved by Kantara. Publishing will

Next steps: 

  • After the draft is approved by the IAWG, it will enter a 45-day Public Comment and IPR Review, after which it should be approved by Kantara All-Member Ballot.
  • It was explained that publishing 63C FAL2 will take place at a later date; this work is under contract to one of Kantara’s members. They requested that the level 3 criteria be done at the same time, therefore both documents will be released at the same time. Ken pointed out that IAL3, AAL3 and FAL3 will go as separate documents and be taken through public review (IPR Public Review) and then All-Member Ballot independently. For the work to develop level 3 for FAL, IAL and AAL, it would be good for the FAL2 group to form a Sub-Group within Kantara to work this through. The drafts of these documents are almost done; IAL3 is the shortest.

...

Preparation of new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively (xAL3) - Call for volunteers.

  • Ken mentioned again that there is a Call for Volunteers to review the xAL3 SACs. He asked people to let Ruth or him know if they are going to volunteer; interested people can also show up at next Wednesday’s meeting call. For those who are part of the Sub-Group for FAL2, the same URL will work.
  • Ruth added that she plans to create a new mailing list to avoid confusion, if that is not an issue for the participants. Ken agreed and said that he will send an email to thank everyone and to inform them that Ruth is going to send information about the new mailing list.
  • Ken clarified that this is a group for a very specific task.