
InCommon report provided by Tom Barton

  • InCommon Baseline Expectations Program: Ongoing processes to improve metadata quality and other aspects of Federation Operations. 75% of InCommon Members fully meet the baseline expectations on metadata quality. The deadline to meet the requirements is December 14th.
  • REFEDS: Completed work on the Assurance Framework, including single-factor authentication (SFA) and multifactor authentication (MFA) profiles. They have also defined two assurance profiles called Cappuccino and Espresso. Cappuccino applied together with the SFA authentication profile matches the AARC project’s requirements for low-risk research, and Espresso together with the third specification, REFEDS MFA, is aimed at research use cases with stronger assurance needs. The specifications make use of existing frameworks, such as NIST 800-63B, the Kantara Identity Assurance Framework and eIDAS.
  • Sirtfi is still active.
  • Trusted CI, the National Science Foundation Cybersecurity Centre of Excellence: workshop on the increasing amount of secured data which researchers need to do their work. Meeting NIST 800-171 is a good baseline for the kind of security obligations that apply to research and education in the US. It profiles 800-63 at a certain level.

Kantara IAWG report provided by Scott Shorter and Colin Wallis

 

Update the SAC in response to the memos that were issued in the summer: the recommendation is that when CSPs are approved there be some way, in addition to the LoA, to share information about the specific mode of identity proofing that is used, as we find diverging requirements based on supervised and unsupervised identity proofing.

Jim Jeere, OMB GSA is awaiting as well.

Perhaps try to bring together an industry day, like we did in WDC in 2015. Trying to find an opportunity to get industry discussing. F2F TFS Sync that we did 3 years ago.

SAFE-BioPharma report provided by Matt King

 

The Policy Authority meeting for Fed PKI adopted some minor changes around the 800-63 requirements and clarified that unsupervised remote identity proofing is not allowed.

No comments on OMB or progress around the TFS Program.

Based on the discussion he had with LaChelle (Federal PKI Program), she is focused on the issuance of credentials and the security of the systems involved.

They need clear use cases and business cases that show the government the value of using commercially available federated credentials to access government applications.

Encouraged to keep an eye out for situations where government agencies are actively using certified credentials from a credential provider; it would be beneficial to explore those further and present them as a use case: here is the value proposition.

Coordinated effort to have more impact on the messaging to the government.

 

Andrew Hughes suggested creating a Users WG or social group for customers of our providers, offering a forum to meet once a quarter to discuss issues and find common cause that may show industry adoption.

Matt liked the concept. Define that further. Value proposition for folks to participate in that.

Show the federal government that insurance, banking and state governments are looking at these as requirements; prove that they are asking for that type of certification.

If states and/or industries have made TFS Approval a minimum procurement requirement, they will not be pleased if this approval is eliminated or impacted.

Matt suggested developing a justification based on the feedback we can get from our CSPs. Therefore, it would be good for TFPs to reach out to the issuers (approved providers) and ID proofers that have been certified and ask them: Do the RFPs to which you responded include 800-63-3 as a requirement? If so, can we get a copy of that RFP?