KC: The background is just the one short email question; and Phil has not followed up on it in other discussions since then. The subject of the email from Phil (cc: David T.) was "Kantara's view on facial biometric comparison and PAD as a 63-3A IAL2 requirement." The text says that 63-3A IAL2 does not have a normative requirement for use of PAD for IAL2 remote, but that NIST's Implementation {SIC} Guidance does require it. Does Kantara require use of PAD at IAL2 remote?

RW: I was puzzled that we got the question since the answer (which is "no") can be seen by looking at the criteria spreadsheet.

RW: Previously, I believe we had decided tentatively to remove draft language in 63A referring to use of PAD, since the only NIST normative requirement seems to be buried under a "SHOULD" and we have generally taken the position that we only include normative requirements ("SHALLs") in our criteria.  However, it would be possible to express that if a CSP chose to implement PAD, then it SHALL implement it as specified by the NIST SHALL language. 

RW: Our current language on B5.2.3 could probably be clarified to make all the sub-paras conditionally required, only if the SP chose to implement PAD. So, in fact our criteria appear to require PAD but we should make a change to clarify that the requirement is conditional on a choice by the SP. 

Roger Q: NIST does not require PAD currently. I thought the letter might be asking if KI was doing anything more than NIST is now willing to do.

MK, MH motion – approved. To change SAC in 63 A and B.

RW: So that's not what Phil's question was.  And the answer to his question about whether Kantara requires use of PAD is "no."  Of course an SP could go beyond NIST requirements and could ask an assessor to review those extra mitigations. 

KD: Since we do have material changes in this package, we can consider this change material with no extra process.

RQ: Agree with the conditional approach as described. I think that implements the NIST intent.

Ken D. asked for a motion to change the SAC in 63A and B to reflect the optional nature of PAD and, if the option is chosen, to assess against requirements as discussed. Mark K so moved; Mark H. seconded. The motion was approved unanimously.

Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.

KD:  Asks Richard to confirm misc changes.

RW: Can be ready for next week. 5 sets of errata

Ken D. noted the time, and said we would defer to the next meeting discussion of the miscellaneous errata to be included in the criteria change package.

Richard W. noted that all five sets of errata have been reviewed by IAWG at some point and are considered minor, and he confirmed he can pull them together for approval at the next meeting.

Ken D said we will vote next week to complete criteria revisions package for submission. 

Other Business:

MK: Any further UK Government response? KC: The UK contacts are still on holiday. However, Allison McDowell did respond from vacation and will connect next week. MK: Let's add that report to the agenda for next week please.

KD: How about Australia? KC: Did have a 1-on-1 with Jonathan Thorpe, head of the DCA agency, but that was not Colin's contact. He is supportive of Kantara's goals for interoperability, and also thinks Kantara can help them because they are generally using NIST standards. He is hoping companies don't have to go through the same assessment process multiple times for different countries. He is looking for KI to provide some leadership in these areas.

KD: Excellent – may influence other countries.

Outreach from Baruku (ph), who wants to talk about their work, but nothing scheduled yet.

KD: That's excellent – nice to hear the Australians are looking to us to coordinate inter-government work. Hope we can use that with other governments – including Canada.

RW: I've drafted modifications to the PAD criteria we just discussed – hoping for a quick sanity check of revised language.

Ken D.: Sounds OK to me but let's review it next week.

Jimmy J: I'm OK with it. I was hoping we could be a little more daring to somehow credit CSPs who use PAD, since it is so important. But I agree Richard's text tracks what NIST says.

KD: We really can't create criteria that go beyond NIST. 

RW:  We actually have executed some interpretations that strengthen NIST criteria. 

Martin S.: Maybe the thing to do is to make sure we include a comment advocating making PAD mandatory when a 63-4 draft comes out for review. JJ: I like that idea.

Ken D.: Next week (August 26) we will meet to finalize the criteria change package for submission to Kantara review. 

Ken thanked participants for their work and adjourned the meeting at about 2:02PM US Eastern.