...

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-07-08)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion 
    1. Continued discussion of SP-800-63 'comparable alternative controls' - Review Richard W. alternative-controls process draft updated based on comments at last IAWG meeting, and discussion of next steps. 
    2. Decision on undertaking comments on the recent Pan-Canadian Trust Framework (PCTF) document, comments due 7/28. 
  3. Mark K – may want to make others aware. No other proposal for comments. 
  4. RQ: are we going to be compatible. MK: many are simply missing international issue. K has commented along those lines. 
  5. JJ: Joni's thing? Is DIACC going to KI type service. RQ: Value of framework to end-users - would enhance service to side-by-side. Would need paying sponsor for KI to do that. 
  6.  
    1. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
  7. Formal proposal and wanted to ask if IAWG wanted to comment. Time and channel TBD.
  8.  
    1. Component Service Consumer criteria.
  9. Any Other Business and Next Meeting Date

...

  1. Continued consideration of 'comparable alternatives': discuss revised DRAFT Kantara criteria/process (Wilsher), and next steps 


Richard presents and reviews proposed revisions to draft "Alternative Controls" process.  

Goal is to achieve an appropriate balance between false positives and false negatives or other ways for the CSP to define the risk accepted in the alternative control. 

JJ: seems we should be either less or more specific. 

KD: How about "risk profile is defined."?

MH: not good to talk about false negatives. Has to be a way to resolve "false negative."  

KD: But are there other types of risk. Those need to be documented as well as fp/fn.  A "risk profile" 

RW: CSPs might provide a slide control on FP/FN. 

RQ: pushback. When RP gets CSP metrics, they will not know whether to believe the CSP. Martin: that's K assessor's job. 

KD: is this stuff assessable? 

MH:  don't think so, too many RP use-case variations. 

KD:  Not impact CSP's ability to document and estimate control's performance. KI assessor would evaluate CSP's justifications. 

JJ: I do think this type of assessment is that much different from the existing KI IAF assessments. 

MH:  Question is: what is the CSP doing to mitigate

KD: Over time at 2:03. 

RW: recap: CSP reviews risks of alternative controls, including maybe new risks, documented. CSP's top management is aware of use of comparable alternatives and does deploy them. For each, make RP client aware of the alt control and extra things needed because of new control. 

RW: don't want to include hard number in criteria. 

MS: re-usable?  

RW: don't think so: confidential. KD: agree. Not KI job. 

JJ: RQ:  need to protect KI if we approve a non-std control. Otherwise we look like a black box, and credibility might suffer. 

JJ: Or brand says we assess the criteria. If we don't, what will they think. 

RW: we ask CSPs to publish their "applicable controls" publicly. So that's a clue for others that there must be an alternative control in use. 

MH: also, added info for agencies about their clients. 

KD: need to focus on getting Richard's draft to the point KI can use it. 

KD: finalize draft, and then go through material criteria change process. About 70-90 days total. 

RW: have a pile of non-material change we should bundle in the package for review. I will be out for next 2-3 meetings. Can I dump Editor on someone? KD. 


KD: not meet next week, then again two weeks after

29th of July. 

2:18 PM









2. Decision on undertaking comments on the recent Pan-Canadian Trust Framework (PCTF) document, comments due 7/28. 

...