b. Although IdPs are required by 800-63C to meet stringent security requirements, none are placed specifically on RPs. He's just basically saying that there should be relevant operational security requirements placed on RPs as well as the IdPs. Richard said that there are quite a few requirements on RPs in 63C. Tom Jones added that he believes this shouldn't be in C. It was clarified that IdP is a subset of what Kantara defines as a CSP. Tom Jones remarked that the fundamental question for the group is whether or not the ideas of mirroring the CSP with the IdP are the right way to go, or whether it would be better to just take that out of 63C, which would be his suggestion. It was agreed that for version 4, the recommendation is that they consistently use the roles and functions terms when they write their normative or even the informative requirements; in other words, be clear and consistent in their use across the documents, and the example is IdP and CSP.