Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King

...

Non-voting participants: Roger Quint, Jimmy Jung, Tim Reiniger

Staff: Kay Chopard, Lynzie Adams


Proposed Agenda

Administration:

  1. Roll call, determination of quorum
  2. Agenda confirmation
  3. Minutes approval -  2021-0809-26 02 DRAFT Minutes
  4. Staff reports and updates
  5. LC reports and updates
  6. Call for Tweet-worthy items to feed (@KantaraNews)

Discussion:

...

a.    Decision to comment on NZ document.

b.    Finalize UK comments.  

 Any Other Business and Next Meeting Date


Meeting notes 

Administrative Items:

The meeting was called to order at about 1:05PM (US Eastern). Roll was called. The meeting was quorate.

Minutes approval:  Mark King noted a correction in the acronym APPG and it was corrected. Mark King moved approval of the draft Minutes of the IAWG meeting of

...

Sept 2. Martin Smith seconded. The minutes

...

, with the correction, were approved unanimously.

Staff reports and Updates:

Kay

...

Ruth Puentes has agreed to be contracted for a few hours a month to continue to provide support in making the transition to the new Assurance Program Manager (Lynzie Adams) as smooth as possible.

In recent talks with some UK government contacts Kay addressed the perception in Kantara that the UK identity program was not interested in Kantara input. They acknowledged there is some validity to that perception, but explained that with new people things should be different. Kay's goal was to ensure they understood our perception and they did acknowledge it. She has a meeting with another official next week and will continue the conversation. 

Kay has been approached by a French organization (OSIA) to submit a proposal regarding third-party assessment of service-providers' implementations of open source standards. She's spoken to some people within Kantara about potentially expanding the assurance program but needs to talk with the assessors regarding their interest level in another line of work. The informal proposal needs to be prepared for the OSIA board meeting at the end of this month.  

There is a call scheduled for next week between GSA and New Zealand and Australia about interoperability. They're looking for ways to let CSPs avoid going through multiple similar certification processes in different countries.

Mark King raised two questions - He asked if Kay was referring to the APPG as an additional UK contact  - if so, he said it seems like the right place to be for contacts with knowledge of views on identity matters in Parliament. He also asked if the potential OSIA work would have to be translated into French. Kay said she doesn't believe so but we are having some language issues in other areas so it is a good question to have confirmed. 

Richard raised a few other questions. Is OSIA trying to get assessments that would conduct testing to validate interfaces, or more of a paper-based review? Kay would need to confirm but she believes it's more paper-based. 

Kay then noted that there has been a lot of work around healthcare recently. We are partnered with the CARIN alliance. A very recent development is that Direct Trust has taken over Safe Identity as of this week. We had an MOU with Safe Identity but as a part of Direct Trust, Safe Identity will apparently not be bound by that agreement. Kay has meetings scheduled to see how we move forward. TEFCA, which is responsible for implementing key identity-related HHS/ONC initiatives, has specific objectives on identity proofing and requires healthcare providers and their vendors to be approved at several levels of assurance. Phil Lam is going to make some introductions so we can alert these groups that Kantara is available for this service. 

Ken thanked Kay for the information and intelligence provided to the working group, as it helps with planning and priorities.

Discussion:

Kay had a call with Phil Lam this morning. Federal agencies are talking to him about the difficulty they're having with pass rates due to facial recognition (AL2). Kay mentioned IAWG is drafting material to offer guidance/information to federal agencies about alternative controls. Phil agreed with David Temoshok that this is not a good move and does not think Kantara should take this position. He commented that it could negatively impact the relationship Kantara has with both NIST and GSA. Phil suggested if agencies reach out that they should be directed to NIST or even to him. Kay wanted to ensure IAWG was aware before moving forward in the current process. 

Richard confirmed that our currently proposed revision is to formalize what is stated in Sec. 5.4 of NIST 800-63. We are not inventing things, just making a stronger case.

Kay suggested it might be worth having further conversations before publishing for public comment. 

Richard suggested drafting a very clear document showing which pieces of text in 800-63 our proposed criteria embody, and if anything was invented, to justify it. That would show that there is rigor applied throughout the entire process we have been discussing. 

It was noted that the first step of the Kantara review process is to make the proposed criterion changes available for public review. There was concern that putting the draft into the public domain could be perceived negatively by GSA and NIST. After further discussion the WG agreed to have further conversations with Phil, and meanwhile to hold off on initiating the Kantara review. This would delay final approval and publication of the revised criteria until after the holidays.

Regarding the anticipated discussion with GSA, Martin suggested asking whether the current language on comparable alternatives in NIST 800-63-3 would be retained in current or modified form in the next NIST version of the standard (63-4). Roger concurred. The group agreed that having GSA on board was critical.

Martin suggested a conversation with the Department of Labor, to validate our understanding of their intent to explore the use of the alternative controls provision of the current (800-63-3) NIST standard. We have been told they want to enable credentialing of populations who often cannot provide the documentary evidence currently required for identity proofing. He suggested that the current Administration's emphasis on inclusiveness might make it timely to exercise the provisions for comparable alternative controls.

Richard stated he is currently talking to 3 CSPs who are interested in comparative alternatives because they have federal agencies asking about it and they are having difficulties meeting the NIST criteria. He agreed with much of the prior conversation, including the idea of a meeting with DOL's Eric Thompson, to bring him up to speed. Kay undertook to set up a meeting with Eric. 

Regarding the schedule for revising the current Kantara criteria, it was noted that the group had previously been concerned with not requiring Kantara reviewers, assessors and services providers to deal with frequent updates. When NIST updates the underlying standard from 63-3 to 63-4, Kantara will definitely have to do its own major update of the criteria. Avoiding updating the current Kantara criteria and then having to do another update soon thereafter was the main schedule consideration that led the WG to set a goal of getting the current revisions approved before the 2021 holidays.

Ken D. believes that at this point we are looking at early 2023 before NIST releases 800-63-4, which would mark the start of the conforming Kantara assessment criteria update. Given that outlook, nobody voiced concern in delaying until January 2022 the final approval and publication of the currently proposed updates. The consensus of the group was thus to delay initiating Kantara review, and thus releasing the package for public comment, until further conversations are had with GSA and potentially NIST. Richard agreed to draft a clear comparison of our proposed language vs. the NIST 800-63 language on comparable alternatives, and provide that to Kay as background for her next meeting with Phil.

Roger stressed that the concern is the inflexibility of the existing NIST standards for identity proofing and uncertainty about the process for using comparable alternative controls. 

 Kay will continue to keep Ken and the IAWG up-to-date with progress from the discussions with GSA and others.

UK Response:

Ken put together a draft response and will circulate via the WG mailing list after the meeting. He has had preliminary feedback from Martin and Mark King. He asked all WG members to please review and send comments. The group will discuss at next week's meeting as the response is due back to the UK program on Monday, September 13.

Other Business:

Ken D. reported that we have received a call for comments from New Zealand on their planned Framework, and that input is due September 30th. He thinks at this point that we should provide some comment, and noted that we do have a little time before their deadline.  Ken will send it around after this meeting for discussion at the next IAWG meeting. 

The next IAWG meeting will be Thursday, September 9 at 1pm.

...

will present at the EIC pre-conference workshop on Monday, September 13 at 3am EST to highlight Kantara. The event is hybrid this year if people want to attend.

Kay and Lynzie meet with Phil (GSA) again tomorrow. The items from last week will be addressed in the meeting and a more in-depth update can be provided at the next IAWG meeting. 

No specific updates on the UK or NZ. There are meetings set up but nothing is finalized. Kay and Lynzie were on a call with Australia this morning. They are looking for some type of reciprocal certification that would prevent service providers from having to certify in various nations. Kay will be meeting with the tech person in coming weeks and will know more after that meeting. NZ remains quiet and unresponsive but Kay will continue to try and make contact. Mark King shared an article he'd recently seen about Australia working with Accenture. Kay requested if anything further is learned to please share and she'll inquire with the Australia tech person to learn more.

LC reports and Updates:

Ken reported that the LC meets next week and he will have more to report after that meeting.

Discussion:

NZ Decision:

Ken asked the group if they would like to submit comments to these questions to the New Zealand government. The group agreed to a submission. 

Mark King sent three comments and one question to New Zealand. The question pertained to the Treaty of Waitangi and the need to rephrase it to not be a barrier to trade. He suggested that Kantara might be more interested in the consent issues around the fraud area - more of the consent area than identification. He believes the Consent group should have a look at this beyond just what IAWG has to say.

Mark King also raised an issue with FA 7.05, which states "the FP MUST not provide credential subject information with higher levels of assurance than requested by the Relying Party, without the consent of the holder." He's worried it might cause problems, might have to do with the economics of the system. Something odd going on, but not an assurance issue - other than the question about the levels. It's an extra complicating factor they have in there that could have quite significant ramifications and seems to be glossed over. Martin suggested asking for more detail.

Ken believes there are some areas that the IAWG can chime in, not on specifics, but generalities and make comments on our expertise as a group. It will not be a lengthy, technical set of comments, but based on our experience. 

Martin discussed with Ken the possible value of having some form of standard text to respond to these inquiries. It allows us to portray a consistent message and ensure we do not contradict ourselves. This will be discussed further at the next meeting when we discuss the NZ comments. Ken will take editorship to draft some comments in preparation for next week's meeting.

Roger asked about the strategy in responding to these requests. Ken and Martin made it clear that our purpose is to alert them if we see anything that seems to be against what everyone else is doing. The group is looking to alert the federation of any potential inoperability and/or other issues. 

UK Response:

Ken's drafted response to the questions was shared with the group and each individual question was reviewed with an opportunity for question, comment, or concern. It was agreed to use gentler wording in some responses but the general context of the responses remained intact. Ken captured any revisions discussed by the group and will edit the original draft for submission. To promote Kantara and show high-level Kantara approval, the response will be submitted with Kay's name as the contact.

Other Business:

The next IAWG meeting will be Thursday, September 16 at 1pm EST to discuss NZ comments and the notion of a standard text for submissions. Ken will work on a draft prior to the meeting. 

Ken adjourned the meeting around 2:00pm EST.