...

The next email topic, federation authority, will take additional reading/research. Federation authority refers to what a federation would need to do; it is not the same as NIST 800-63-3C. C is about security of transitions, not authorities. Will revisit this.

There was a brief discussion on relying parties and the need to have them officially ‘approved’ as relying parties through Kantara. Richard feels it is unnecessary, and Andrew can see his point. Mark King pointed out that it is a U.S.-specific need, as Europe has already established requirements.

A recap on the technical class of approval reiterated some uncertainty about its future. The assurance program will continue to alert people to this. The biggest overhaul will be in rev. 4, but we will need an interim period in advance of 63-4. Rev. 3 will be valid for one year after publication of rev. 4, and people can still get approved for 63-3 during that year, meaning we will need something in place to close that gap. Jimmy argued that there are concerns we should care about, but that we should ensure we do not cast the net too wide. He also argued that ISO 27001/FedRAMP/SOC 2 would not fully cover the CO_SAC, so equivalences would not fully address the issues.

IAWG intentions for the technical class of approval: 1) phase out technical, 2) embed specific CO_SAC criteria into current SAC sets, 3) allow equivalences where applicable, 4) do this in conjunction with the 63-4 updates. There will be a period during which that criteria is not available, so we will need a statement on what we will require/request during that period. Eric reminded the group that the CO_SAC should remain version agnostic, and that for that reason there is value in keeping it separate from the 63-3 SACs.

Beyond Richard’s questions, IAWG needs to address how long we keep schemes available. Martin believes it will take us a large portion of that one year to publish our updated 63-4 criteria, so we might as well retire 63-3 approvals once our 63-4 criteria are effective. Eric provided a use case where Classic approval is desired beyond ECPS as an argument for continuing to offer Classic. There is still an active market out there that wants Classic. Jimmy concurred. Andrew asked for a market use survey of the current CSP companies, and others more broadly, to see whether there is still a market for Classic. Michael suggested cutting ties with Classic at the implementation of 63-4 (2024 Q1) and publicizing that date in advance so people know it is coming. This is an open issue.

Process for addressing assessor/field reports on new methods not covered in 63-3

Any Other Business