...

  • Ken said that Kantara has been asked by the ARB to consider creating guidance around two of the criteria present in the Service Assessment Criteria: Token strength and One-Time Password strength.
  • Mark asked if anybody saw that Google announced that they have open sourced the software for security tokens. Soon people will be able to buy their hardware and software separately. Mark will send the link to the group.
  • Richard mentioned that this started to be discussed at the previous meeting. He is concerned about the extent to which the ARB should be fishing for changes in criteria, and it is necessary to understand the extent to which that is permissible. It seems to him that there are three points of consideration. One is that, if it is about the classical class of approval, it tries to follow the principles of 800-63 v.2 but has not been tightly tied to it, which gives it more flexibility than the 800-63 v.3 class of approval. There is a separate discussion with David Temoshok, as there are queries of interpretation with 800-63 v.3. There will be discussion within this group, which will lead to changing some of the criteria in a way that meets the new requirements.
  • Ken commented that, with respect to the ARB making suggestions, they are making a suggestion like any other body who is able to make one, and those comments and suggestions are welcome, but they have to be evaluated. He does not see anything wrong with it; he sees the ARB making comments as suggestions for improvements that may be made. Ken added that the third point Richard made is quite valid: if it puts the group into a liability position by making some suggestions and not others, then the group has to be careful not to keep just one particular proposer happy. Ken said he agrees with him on this.
  • Richard asked if guidance has to be provided if the criteria are not changed.
  • Martin added that he wonders if the objective is to provide something that is able to say: if you do this, you are conformant with 63-3 and you also meet our standards for actual security. Richard said that, going back to the quorum on this call, it seems to him that not changing these criteria, if it is wanted to have CSPs on this, would be reasonable. Martin argued that if it is believed that 63-3 does not cover something adequately, should there be some additional requirement that is not there? Ken responded that it comes down to the definition of the classes of approval. The two new classes of approval that were added with respect to 63-3 are: one technical, which is strict (you meet the requirements of 63-3 based on these criteria), and a second, broader one which is in essence technical plus the CO_SAC. If there is a change it will affect both of them, but it also means that the description of the class of approval has to be changed, because it will no longer be purely technical 63-3 compliance or conformance. It was said that it basically is conformance versus actual security.
  • Ruth clarified that the ARB’s aim with this was not to request a change; it was just to raise a question for the IAWG to consider whether there are things that need to be done: whether the ARB needs to add guidance to the service assessment criteria, or the ARB provides guidance on the certification or the approval notes after the review of the application. The ARB has found some issues with two reviews of AL3 CSPs; the short-term action they decided on, and it was good to provide to the CSP, is a recommendation that goes beyond being compliant with the AL3 service assessment criteria: to bear in mind that they are not protected against phishing attacks. Basically, their question is whether they should keep doing that as an additional note to the approval notification, just as an informal note or as part of the formal material, or whether something more important in terms of the service assessment criteria should be changed. They are just asking the IAWG the question of whether something needs to be done; it is not a recommendation to change.
  • Ken agreed with Martin that either something is done, or something is not done. He mentioned that this meeting is agreeing to postpone the discussion until the next meeting; this could be delayed for a couple of weeks.
  • Ken also agreed with Richard that CSPs need to be involved in this discussion; ED also agreed. Ruth said that she could invite the CSPs for a special session to discuss these topics. ED said it is a good idea, but he is also thinking of a ‘one on one’ meeting. It was suggested that they (the CSPs) should be asked about this, whether they want to be present in the discussion or not, since it is a business matter.
  • Richard commented, from the text of the previous ARB discussion (“David highlighted ‘that it is legitimate for Kantara to create guidance for assessors on implementation of specific criteria’”), that it is an interesting thought. ED commented that it is obvious, not just for assessors but for the whole group. Ken clarified that providing guidance to assessors on how to do the business of products or services, and offering guidance on the criteria, have a different focus.
  • It was agreed to read the text of the ARB issues further over the next weeks, in order to continue the discussion during the next meeting.