...
b. GSA question about Kantara criteria referencing "presentation attack detection" (PAD), and possible clarification of the relevant Kantara criteria. Ken provided brief background on the question from GSA (Phil Lam, speaking with Kay C.) that came up since the last WG meeting, and said this might be an opportunity to enhance our relationship with GSA. He asked for any thoughts from the WG. Roger Q. said several vendors had come up with ideas for detecting/mitigating presentation attacks, and so focus on this by Kantara is timely. Jimmy J. said he has applied PAD, but that it's a bit different from regular assessment activity and may be more like a laboratory standards issue. Roger Q. agreed, and said he'd been very interested in seeing the language Richard has come with so far. Ken suggested we should defer this issue also to the next meeting when Richard should be available. Ken confirmed that if IAWG were to develop new or clarifying criteria language related to GSA's question he would expect to make it part of the package of revisions we are working to submit for approval this summer. Kay C. mentioned that she is meeting again with Phil Lam, but has other issue to discuss and would not raise this; Ken suggested that if Phil raised it, she might tell him the IAWG is actively considering it and expects to be able to get back to him soon.
a. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. Ken provided an overview of the process, indicating that the total Kantara approval timeline is about 2 1/2 months. Given that, he believes the WG should aim for publication of the updated criteria in mid-November, which implies having a package ready to submit by the end of August. The package would consist of at least one "substantive" update – the "comparable alternative control" criteria we have been discussing – plus several non-substantive revisions that Richard has been accumulating. If the PAD issue results in revised criteria language, that would also be included. He pointed out that one important consideration is to avoid frequent changes to the criteria as that has an impact on CSP's (as well as all Kantara reviewers.) NIST's update of SP 800-63 to version 4 will definitely required another revision of the Kantara criteria, but he believes
A. Ken: roadmap. process requires 45 + 15 + LC approval. So maybe 2 1/2 months. Nice to get published by October. So, beginning of August. Impossible. November then. So prepped by and of August. "Comparables" plus maybe PAD plus misc by end August of possible.
...