Kantara Initiative Identity Assurance WG Teleconference
...
- Administration:
- Roll Call
- Minutes approval:
- Staff reports and updates
- Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Discussion
- NIST SP 800-63 comments from IAWG
Attendees
Link to IAWG Roster
...
Meeting achieved quorum
Voting
Lee Aber
Ken Dagg (C)
Scott Shorter
Colin Wallis
Non-Voting
Angela Rey
Steve Skordinski
Staff
...
Joni Brennan
Regrets
- Andrew Hughes (VC)
- Rich Furr
Notes & Minutes
Administration
Minutes Approval
- DRAFT IAWG Meeting Minutes 2015-05-07
- DRAFT IAWG Meeting Minutes 2015-04-30
- DRAFT IAWG Meeting Minutes 2015-04-23
- DRAFT IAWG Meeting Minutes 2015-04-16
- DRAFT IAWG Meeting Minutes 2015-04-09
- DRAFT IAWG Meeting Minutes 2015-03-26
Motion to approve minutes of ...:
Seconded:
Discussion:
Motion Carried | Carried with amendments | Defeated
Action Item Review
See the Action Items Log wiki page
Staff Updates
Leadership Council (LC) Updates
Participant updates
Discussion
Ken: a scheme comes to mind for NIST's first question, based on discussions at Identity North: separation of three functions (identification, authentication, and authorization). Scott agrees and will expand on the comment about A&I to cover this.
CW: OASIS trust elevation discussion - there are some transactions where people won't ask for authentication, but we leak so much data that low-risk transactions are supported without a clear authentication step.
UMA developing binding obligations and controls.
Contact Eve Maler, ask for her comments?
Scott to ping Pete Palmer.
Ken will mention at leadership council.
Examples of authentication, identification and authorization system does it that way. Those three functions take place. Age authorization for old age security. Length of time in country during twelve month calendar. Employment status. Visa, work status.
Ken: in terms of privacy, likes the comment with respect to the triple blind being part of the privacy spectrum. Additional aspect: a PIA is focused on the client and end user and protecting their privacy. Conducting a PIA gets the questions asked, and if a privacy commissioner exists in a jurisdiction they can say whether privacy is being respected.
When out to RFP for privacy solution the privacy commission, who can adjust the text of that.
Colin says a risk assessment should be applied up front; it is not that clear what risk is being assessed and for what reason. Do an identity-related risk assessment on the service; need approaches for doing the identity-related risk assessment.
Ken sent a link to Canadian govt assurance and guidance. Risk assessment to identity assurance. Scott to review.
CSPs are coming out and saying we have a level three system. The identity risk assessment rather than the system compromise risk assessment.
Scott to put the links in the minutes...
Joni to talk to UMA and CSPs.
Ken to speak to LC.
Scott to distribute comments, ask for a COB Monday deadline. Get to Joni next Tuesday; Joni will create cover letter and send to NIST.
Suggest to meet next week to discuss what was submitted, catch up on administrative stuff and decide on whether to meet biweekly again.
Carry-forward Items
Attachments
...