...

AAL3 Review

  • Richard explained that the multiple-parties practice from FAL2 was adopted and worked into the IAL and AAL SACs. In doing so, we have pulled out those criteria which relate specifically to federal agencies or might also apply to RPs, in order to take the AAL criteria to their fullest implementation, responding to absolutely normative criteria.
  • He has updated all the tags because it's a substantial change. There is a new contiguous set, and the old ones will be here at least for a year or so while we transition to the new ones.
  • Changes are in red text; there have been a few changes which have affected level 2 because we've been more inclusive this time with federal agencies. 
  • We have around 30 to 40 new discrete criteria of AAL3.
  • It was decided to defer the approval to next week.


FAL3 Approval

  • Basically, two criteria, one of which has three subparts. What this requires is a question of whether this is an accurate replication of essentially these criteria here, in which you will find minimal change.

...

  • Richard: We don't assess subscribers, but we could assess an RP

...

  • .

...

  • Therefore, we would require the RP

...

  • to require the subject to prove possession

...

  • , etc. And that's going to be the reason why we've made these changes.

Motion: IAWG to approve the FAL3 criteria as presented. Moved: Mark King. Seconded: Mark Hapner. Unanimous Approval.

  • The xAL3 SACs will go as a package for 45-day Public Comment and IPR Review.
  • Mark Hapner asked if in terms of the overall impact

...

  • there are

...

  • improvements or extensions

...

  • ; What

...

  • was the actual objective for the changes in general?

...

  • Richard responded that we have to go back to the

...

  • NIST requirement for that.

...

  • He thinks it's a question of demanding greater rigor or in some cases denying some of the authentication techniques that might be allowed at level 2 because they were not considered to be strong enough for level 3.

...

  • As you move from one

...

  • assurance level to the next stronger higher level

...

  • , it's all a question of removing weak

...

  • solutions and increasing the rigor.


Kantara comments on how SP 800-63-3 could be revised for NIST’s consideration in developing Revision 4 

...