...

Richard W.: But Kantara can't make the RP do something. We might further ensure the RP's attention via things we already do, like requiring a statement of criteria applicability; we might also consider requiring that use of a CAC is mentioned explicitly at least in their published material. noted in the publicly publishable part of the SPA, which Kantara will publish.

Martin S.:  Assuming we do want to take account of David T's viewpoint, it seems we need to find some way to make sure the RP is specifically alerted to the use of a CAC. 

...

Richard W: Maybe modify language to make available: publish how you determined CAC and config requirements to make sure it is CAC. Fact of use in S3A could be noted.

Ken: With that addition, is the group OK with this resolution?

Mark H: OK with current language but CAC; my concern is that the concept of comparable is so poorly defined in 800-63-3 that it is hard to reason about how an assessor should proceed.

Richard W: We did try in sub-clause a-c to add some specificity.

MH: They (NIST) don't define criteria or what information should be communicated. I am still uncomfortable, but don't see what else we can do.

RW: Without any documentation of the NIST risk assessment for the specified controls, how can assessor establish "comparable"? Difficult situation.

KD: Moves to approve language for the package; seconded by Mark Hapner.

KD: Approved without objection or abstention.


Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).

...