...
Reference: IAWG Meeting Minutes 2017-03-09
SIXTH SESSION
- Credential generation and other lifecycle issues are missing from the discussion. Andrew points out 800-63B has a section called lifecycle management.
- Ken asks if anything changes if it happens in a federated context as opposed to the context B was written in.
- RGW suggests that it depends whether the federation includes requirements to be a member of the club. Only becoming more of a concern as reading 63B and 63C. Many SHOULD statements - as we know, if is says SHOULD then they probably won't.
- Globally we have a comment that SHALL and SHOULD need to be clear. Each distinct SHALL or SHOULD ought to be in a single paragraph.
- Andrew observes it's a similar comment to last week - the document is a mixture of explanatory material, guidance material and requirements material.
- Ken suggest we could comment them for adopting a normative style.
- General agreement that the document is not ready for prime time.
Andrew notes that we appreciate the shift towards normative language in the requirements, but the phrasing of some requirements makes it difficult to have certainty that the implementation meets those requirements. As assessors there is also uncertainty about how to evaluate the conformity. Uncertainty then leads to inconsistency.
RGW has one other broad topic - 4.2 of 63C - requirements on federal agencies slapped on the end of the section. Perhaps including it in an annex instead of including in the rest of the flow of the document. The agency guidance at the end of the privacy section is a non-sequitur with respect to the rest of the document
Andrew notes that the audience section of 63-3 is blank.
We could use clarity from the authors on when the agency specific text applies.
Next week we will take the first cut at looking at the comments. We can package and submit them early if we're happy with them next week.