Attendees:

...

A reminder email went out today for the all-member ballot to approve the material CO_SAC changes IAWG approved in April. This is the final step before they are published. The eballot closes Thursday, August 18. There is a requirement that at least 15% of members vote. All Kantara members in IAWG should vote! The eballot can be found here.

63b SoCA Proposal

Richard walked the group through proposed changes to 63B#0650, #0660, and #0670. As the criteria are presently written, #0670 refers to a salt value - but that relates only to the circumstance above in #0660 (shall be salted and hashed with a value that has at least 32 bits). He proposes that we incorporate #0670 into #0660 - making it an additional requirement when the secret has fewer than 112 bits of entropy. #0670 becomes no stipulation.

...

Lynzie will review the current CSP SoCAs to see #0670’s applicability and report back to the group. If this remains non-material, it can be published with the larger release after the all-member ballot closes and passes. We will make motions at the next meeting once the analysis is completed and shared with the group.

Assurance Program

Andrew recapped the discussion on multiple component services being unable to band together to be a full service. The services must go through the process together to be considered full service. He believes this is a change in practice. Mark King brought up that it does not seem to fit very well into the federated model that some believe the UK might adopt. Andrew agreed. It’s relevant to the US market as well - but not to NIST. NIST does not recognize the separation of companies delivering services in rev. 3. As Kantara evolves, they should consider offering trust marks of what the market wants in addition to what NIST wants.

Richard brought up Classic approval and the associated terminology. He does not believe we should have the same terms with different meanings - or completely different terms for Classic. Andrew’s opinion is that Classic is not associated with the rev 3 updates and should just remain labeled as ‘Classic’ until we determine if it still has a place in the assurance program. Eric reiterated the need to keep Classic as there is a market and need for it specifically. There are agencies wanting to show they are following NIST guidance even if they are not ready for IAL2. He emphasized the need to be deliberate if any changes are going to be made. Experian and others have ongoing contracts that use Classic. Andrew suggested that we not touch Classic at this point. Lynzie is going to update the Trust Status List to have Classic as its own tab. This should better align with the Trust Marks that will be provided to these CSPs going forward. Additionally, Andrew requested Kantara IT add alt text to the company logo names.

Andrew believes that the IAWG did define a component in Classic - and that language was carried forward into rev 3. He believes if we read back, we’ll be able to find it. Richard thinks it might be in the Word document originally defining the criteria. It will need to be located.

It was decided to not make changes to 63c in these updates. Federated full service and federated full service technical will be the only two trust marks available for 63c (same as current).

Michael asked for confirmation on where ‘Technical’ stands. The plan is to remove it but for now it will remain. The work needs to be done before it can be fully removed/integrated into the technical criteria. The goal is not to burden the assessors of the CSPs - but to streamline the process.

Any Other Business

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!

...