...

Non-voting participants: Jimmy Jung, Pradheep Sampath, Roger Quint, Eric Thompson

Invited Guests: Jeremy Haynes, Blake Hall, Rohan Pinto, Pete Eskew, Chris Lee

Staff: Kay Chopard, Ruth Puente

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-06-24)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion
    1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
    2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
    3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
    4. Component Service Consumer criteria.

...

Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of June 24; Richard W seconded. The Minutes were approved unanimously, as written.

Staff reports and updates: ED Kay Chopard. Focus is the replacement for Ruth as PM for Assurance. The first pair of finalist candidates both dropped out. Back to LinkedIn, starting interviews. Looking for a more junior PM rather than trying to replicate Ruth's deep experience out-of-the-box. Best case for the new IAF PM to be on board is some time in August. Still open to getting more applicants referred by WG members.

...

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle, or send them to Ken or Kay.

Discussion:

Continued consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken notes the listserv discussion, accessible via a link in the Agenda emailed before the meeting. He then invites Richard W to lead the resumed discussion.

Richard W: Believes we should do something in this space; it may not be just for Fed agencies. Suggests we need a capability to assess alternative controls, based on a thorough process grounded in evidence regarding risk, etc.

Eric: Agrees that there's a need and opportunity here, to provide some rigor around alternative controls. The key thing is needing to quantify the risk being controlled. Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out. Agencies/orgs don't have the ability to do this themselves: the rigorous analysis to develop and document the use of "comparable alternative controls."

Mark H: Agree. There is a broader need than just for CSPs serving Govt agency customers.

Kay C: Other Fed agencies I talk to feel they need unbiased, neutral technical help to make their decisions on IAM risk. Believe NIST (David T) is very wary about Kantara involvement, but believe his concern can be reconciled. Richard W: Anil John was concerned about lack of communication between government and industry, but didn't have results.

RQ: If we do work in this area, will NIST welcome or oppose it? Richard W: We should respond to our customers and work on getting acceptance, if not support, from NIST.

Ken: Maybe an approach to GSA would work; they owned FICAM. We need a Federal central-agency supporter of our work in this area. Kay says Kantara is still meeting with GSA (Phil). The new PM will do that when they arrive; just her (Kay) until the new IAF PM is on board. In any event, things might be slow for a bit as everyone in Government seems to be planning deferred vacations.

RQ: Kantara needs some awareness and at least tolerance at NIST and/or GSA for anything we do in this area.

ET: Is there an opportunity for IAWG to help move this forward by putting out guidance related to quantifying risk and the effectiveness of alternative controls for ID proofing systems?

RW: Notes that Kantara having a set of criteria for evaluating risk and control effectiveness would be useful to assessors who have customers (e.g., private sector, or non-US) that are not strictly locked in to (very conservative, tech-focused) NIST standards.

Mark K: Is this just a US issue? (He will check to see if he can locate any EU-developed materials for risk analysis/quantification and controls effectiveness.)

JJ: Believe many US Fed agencies are thinking "I need IAL2", and would not want to get involved with something "comparable".

RW: We have been asked by a Member CSP working with a real Fed agency that has a business need to identify public clients who cannot provide the proofing documents required by NIST standards. We should respond to these needs.

JJ: Not sure every KI assessor is going to be able to make and document these judgments about risk and effectiveness. Inconsistent assessments would create a risk to Kantara's reputation.

MH: If Kantara is transparent about this and shows we are doing this analysis of alternative controls' effectiveness on reasonable criteria, then I believe the risk to Kantara can be reduced.

JJ: Believe RW's suggested added IAF criteria seem a reasonable basis to begin developing a process for evaluating alternative controls.

Ken: Notes that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency.

...

RW: We assess CSPs, not RPs. (But we have criteria for federations, and federations would presumably impose various requirements on their member RPs.)

JJ: How would we express the results of an assessment based on use of a comparable alternative control?

...

Ken: Good discussion. Summary: seems worth pursuing, building on RW's draft criteria.

RW, ET, KD, MH agree. Ken asks RW when he can be ready to discuss initial draft criteria. RW: I may not be available for a couple of meetings in August.

Ken: Next week's meeting is the 15th; can you have something for IAWG to look at then? RW: Yes.

JJ: Does ARB need to get involved? What's the process where an alternative control is involved? RW: Agrees there needs to be a process to communicate the decision to the SP and to the (RP) customer.

RQ: Yes, we need to coordinate and communicate with NIST to avoid the appearance of going around them. RW: Yes, but we are not asking permission.


Other Business:

MK: Australia: individual submissions only? Ken: Yes. Deadline 7/14.

Ken: The Pan-Canadian Framework has a new document out for comment by 28 July. It seems to be revisiting the "vectors of trust" concept. Doesn't seem too relevant to IAWG, but Ken will send it around, and the WG can decide at the next meeting whether we want to submit comments.

Next meeting July 15th, 1PM US Eastern as usual. 

Ken closed the meeting at 2:05. Next meeting the 15th.


Next Meeting: Next Thursday, July ??  at 1PM US Eastern