Kantara Initiative Identity Assurance WG Teleconference

...

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: DRAFT IAWG Meeting Minutes 2013-11-21
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. IAF-1400 draft for 45 day public review - see linked document: Kantara IAF-1400 SAC v3-1.docx
    2. Disposition of 800-63-2 -> SAC Mapping working documents - where/how to store for future reference?
    3. FICAM TFS Program update comments from IAWG members & consolidation
      Link to review documents and comment template here: https://kantarainitiative.org/confluence/x/fYHwAw 
    4. REMINDER: Ad hoc call to continue FICAM TFS discussion Friday December 6, 2013 10:00 Eastern.
  3. AOB
    1.  
  4. Adjourn

 Attendees

Link to IAWG Roster

...

Meeting achieved quorum

Voting

  • Myisha Frazier-McElveen (C)
  • Rich Furr (V-C)
  • Andrew Hughes (S)
  • Scott Shorter
  • Matt Thompson
  • Richard Wilsher
  • Cathy Tilton

...

Administration 

Minutes Approval

DRAFT IAWG Meeting Minutes 2013-11-21

Motion to approve minutes of 2013-11-21: Furr
Seconded: Shorter
Discussion: None
Motion Carried 

...

  • RF: the ATOS seems to be making the CSPs into Attribute Providers - the current requirement is to only maintain core attributes - there seems to be an extension into a new set of attributes - this would increase costs, might knock smaller CSPs out of the running because they may not have the resources to deal with the extra attributes. 
  • RF: Anil John referenced ANSI/NASPO Section 6 
  • MF: Read it as an optional requirement - if they are available then provide the attributes, if not then no issue. 
  • RF: Verbal indications that the attribute provision is leaning towards mandatory provision (because the Federal Agencies might ask for them)
  • SS: There is a section in the RP Guidance on disambiguation of identities - it recommends that the agency goes to an attribute provider without any reference to LOAs.
  • CT: FCCX will broker attribute exchange for account  Anil mentioned that this set of attributes is needed for the RPs to perform account/identity disambiguation and linking to the right agency account
  • MF: most RPs don't identify their clients from these attributes - they know them by other information
  • RF: do the SAML assertions have to include the extra attribute data? If yes, then the CSP will have to capture and maintain the extra attributes.
  • SS: don't these attributes have to be collected and kept as proof of the ID Proofing process?
  • RF: Yes, but they do an encrypted hash of the values
  • MF: But there are many attributes that are not currently collected
  • RF: The registration authority does not store the information - the Certificate Authority keeps it if they want to or need to.
  • SS: It appears that Verizon would meet the Bundle 1 requirements.
    • Section 7.2.2.3 discusses how to resolve problems linking CSP-provided identities to accounts. Recommended methods to resolve include:
      • Trusted third party. This method redirects a user to a third-party site (e.g., Experian) where he/she is prompted with several questions to verify his/her identity.
      • Help desk/call center. This method requires the user to call the help desk to resolve linking issues. The help desk can ask a series of questions to verify his/her identity.
    • Now should those "several questions" or "series of questions" correspond to the LOA of the identities in question?
  • SS: If they are looking for verified attributes, then it has to be better defined.
  • MF: It is unclear if the attributes SHALL be sent if the CSP has them or if they are optional.
  • RW: Are we making the assumption that the RP will be dictating the attributes that the CSP will have to gather in the ID Proofing process? 
    • (RF: Yes) 
    • So, is this assumption correct? 
    • (RF: Vz reading is that if the RP asks for it, then the CSP pretty much has to provide it)
    • This needs clarification
  • RW: The requirements are stated in terms of what the RP must do. The implication that is not clearly stated is that the imposition on the RP becomes an implication on the CSP. This is essentially a profile imposed on 800-63-2 -> "these are the things needed to sufficiently define an 'identity'"
  • MF: consolidate Scott's item with Rich's item 
  • RW: There's also an issue with the footnote saying 'in order of preference' -> this implies that beyond the core attributes, it is not clear what weighting the additional attributes have (the core gets 96% certainty, so what do the others provide?)
  • RF: Danger is in who is interpreting this - CSP will see it one way, Federal RP will interpret differently.
  • RF: If adding Attribute Providers into the CSP process, it's possible that the price of the CSP services will rise which might become an inhibitor to RP uptake.
  • ALL: review comments that have been circulated so far for tomorrow's call

...