...
Jimmy believes our (non-PKI) part in this is potentially very small – the IAL part is 2-3 pages of section 3.2.3.1 - likely similar for AAL. Andrew thinks we need to determine how different the CARIN policy is from the NIST guidelines. He believes CARIN is trying to produce a ready-supply of vendors into the TEFCA space. Martin asked if healthcare is going to require IAL3 - we aren’t sure at this point but are currently okay at IAL2. There’s not huge interest in the pipeline at the moment for IAL3 approvals. Jimmy reiterated that Kantara should have a conversation with CARIN to see what (if anything) was promised and what we want to have promised to that group.
...
Further, Richard said we need to consider if there is anything beyond what our criteria presently has. And can it be accommodated by adding a profile?
Andrew prefers just having a webpage for CARIN people to help them through the process - our current process with a rationale that they are pursuing this for CARIN/TEFCA.
Jimmy scrolled through the table of contents to identify the sections that are PKI based and what is what we do - Sections 3 & 4, some of Section 5. If CARIN is asking Kantara to provide something to complies with this entire policy - that’s a lot of work - and it’s PKI policy which is beyond us. We don’t assess any of Section 6.
KIAF 1050 - Glossary and Overview
...