Attendees:
...
Covered above in the FedID update.
Discussion:
63-3 Project
Assurance Program
Any Other Business
Mark Hapner mentioned the S.1625 - Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2021 (text with highlightsnotes from Jimmy) was soon to be approved. Part of that includes allowing notaries nationwide to perform remote online notarizations. This might be something we would be interested in looking at. Mark King asked if there was requirement for location testing or checking - presumably it could be done from anywhere in the world. Andrew asked for interest in reviewing the statute and briefing the group on it - will be added to action items list. Mark will look into it. Jimmy provided some input as well (linked above).
63-4 Project - updates & plan
The page has been created and a spreadsheet was added for people to input areas of concern from 63-3. Please read and review this page and feel free to add anything either through the Google spreadsheet or editing directly in Confluence if you have the access. Richard asked for an explanation of what the purpose of the project is. Maria believes this list will help us look for and respond to known areas of concern in Rev 3. Once the release happens, we’ll need to consider new problems in Rev 4 in addition to the Rev 3 known problems. So assuring we have the known problems listed now will help us in our response. Richard summed it up as a list of what we want to see fixed. Andrew suggests to read and contribute as you see fit and have time for. Andrew asked Lynzie to communicate to our Assurance Program participants that our discussions will be transitioning to 63-4 in IAWG if they’d like to join. Lynzie addressed this in the new SAC set email with the group.
Richard questioned if NIST actually structures the publication where the criteria is easily identified rather than integrated into larger paragraphs, would Kantara still need to produce their own version of the criteria. Andrew believes things should be directly reference-able but we know there are gaps between what NIST covers and what people want. What do we do about that? Should Kantara create criteria for services and functions that NIST doesn’t cover but are out in the market? Is it time to evolve Kantara? Maria believes we need to be careful. When feds are doing acquisitions they want to ensure that when they see a Kantara Trust Mark - they know they are getting what is required for conformance. The needs of public and private sector are different and would need to be clear. Maria believes creating criteria would also be problematic - we’d need to see what standards are out there.
Assurance Program
Richard reiterated that the previous discussion on possible expansion of Kantara’s offered criteria sets further confirms the reason why the Trust Marks should be simple and with a QR code that links to full details.
Richard brought up his offer to head a subcommittee to give a concrete proposal for the group to review and confirm. Andrew suggested Jimmy also join the group for an assessor’s perspective. Lynzie, Eric, and will also participate in the group.
Andrew’s diagram was shared again. It was agreed that the diagram is helpful and should be formatted and available on our website. It will be looked into to recreate in a similar fashion with using puzzle pieces to represent the pieces. Eric thinks this view is helpful. Maria agrees that this can help show what we mean by component if it is displayed on the classes of approval page and other prominent places on the website.
Jimmy asked what people want to use - partial or component.
Component - Jimmy, Lynzie, Eric, Richard, Maria
Partial - none
We’ll take this topic off the agenda for a few weeks while the small group works on it and returns with a concrete proposal for the group to review.
Any Other Business
IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!
...