Roll call-Andrew Hughes called the meeting to order. The meeting was not quorate.
Voting: Andrew Hughes, Mark King, Mark Hapner, Jimmy Jung, Peter Davis
Non-Voting: Martin Smith
Staff: Amanda Gay, Kay Chopard
Guests: Lisa Balzereit
Minutes approval
Kantara Updates
AGM was a success, and the recording will be shared with members.
GSA-special schedule for KI certified vendors
Assurance Updates
Discussion:
Discuss comments and changes: 2024 Charter Review Process
Andrew Hughes sent around comments, color code:
red=delete, green=good to go, yellow=discussion
Reiterates goal is to slim down/describe what we do/why we do, not expansionary/what we could do
WG name: RED (quote not cited)-text doesn’t belong under WG name (could go into IAWG overview document, but it doesn’t go into a charter, and we don’t do these things)
Martin notes agreement with what we don’t do and supports less is more-what are we doing about comments on other schemes? If we want to do that, it should be reflected in purpose
Purpose (green title, yellow substance)-perhaps these comments are the scope not the purpose?
Martin’s comment above-comments on other schemes
AHughes agrees-should be talking with other scheme owners and authors/maintainers of our SAC
Leave door open to other schemes
MK-UK activity? Interestingly-IAWG doesn’t have anything to do with the UK, but thinks IAWG should be giving advice on the part of KI? AHughes captured this in advice to executive director (IAWG->ED->UK and vice versa (ex. Comments on DIATF)
Doesn’t want it to be mostly NIST e.g. nist (find comment)
Aligning language with scheme owners and post procedures–not in charter document.
Topics point–is it OK? How to phrase and it is accurate
Seems more what IAWG actually does (if following NIST)
Federated access management
63C (AHughes)
Could be an authentication statement-Peter
Convene v. participate v join
AHughes-chose convene because he wants the sense that we bring people into Kantara to discuss (idea that we have a place amongst ourselves to talk)
Purpose text-too expansive, but ran out of time to make further comments.
Martin concurs with limiting purpose section (shouldn’t be too much); Suggests deleting everything and starting fresh with something fresh and simple to save time
Lines 25-28- belongs in IAF, not charter RED
Lines 29-36 - we don’t do some things RED
“Value” line 37-YELLOW-discussion: Should be outside of charter, important
Scope: what is worked on–should move stuff from purpose comment to scope
RED lines 61-66-out of scope
Draft tech specs and draft recs: GREEN
Leadership: RED lines 74 on–should be in operating procedures
Leader team-adjust as needed GREEN
Martin-secretary role? Assessment manager has two roles? Will that continue? See comment for language regarding formal connection to ARB
Additional vice-chairs? Leadership is busy, should build in more cushion with people’s workload?
Per operating procedures-any leadership structure is OK (can’t have two chair, must be CO)-default can have as many VC as needed
Audience-we don’t talk to those people-similar to liaisons, audience should be entities directly impacted by IAWG decisions or they have a stake in the decisions (i.e. ARB, CSPs, FO, but policy makers is too broad (who-governing authorities)--needs clarification YELLOW
Martin-what kind of language should be used to make sure that the people we care about understand our message and are persuaded by our message?
Who do we care about understanding what we are doing? Who is it important to understand?
Should add BoD as well-governing body of business
Kay: policymakers - US perspective is often towards government policy (agencies or administration or the Hill)-it is beneficial for them to know Kantara and Kantara’s role, but in other countries-the UK trust framework is more focused on commercial markets (people aren’t buying credential services for gvt functions the way it happens in the US)-last month’s fintech–banks/financial institutions are interested, and they are policy makers that would also benefit from the understanding about Kantara and the work. Some purchasers may be more like relying parties, but their involvement could be beneficial to IAWG. would be helpful to have industry associations/standards associations (martin/kay)-notary services now have to be IAL2 compliant–This is a whole new group of organizations that may need certification.
Peter Davis-banking compliance-they know what the requirements are but they don’t know how to compare vendors against those compliance requirements
Ie. KYC does not equal IAL2
Related work and liaisons—RED delete see comment
Divide and conquer–only list liaisons with meaningful interactions (clean this up)
Add ARB and WG/DGs to audience
Liaison v. audience
We don’t want to name internal connections as liaisons, so ARB is audience
Signal in title
Need equal level of engagement for people on list (some deeply involved, some not, some were but now they are)
ACTION:
- Amanda Staff-create an IAWG Liaisons page to begin finalizing a list (Peter for language as needed) (Note: each WG should have this)
Contributions: YELLOW
Was this part of the initial set-up–should we clean-slate it?
Set a schedule for completion of the 2024 Charter.
Address of Record Position (if available)
Updates regarding NIST Comment Period (rev. 4): https://www.nist.gov/blogs/cybersecurity-insights/note-progressnists-digital-identity-guidelines
Any Other Business
Cancel next week’s meeting-no more meetings in December.
Next meeting is January 11th, 2024