
Quorum: not quorate

Notes-Status: Ready for review

Approved-Link: TBD


Agenda

  1. Administration:

    1. IAWG Actions/Reminders/Updates:

      • Meeting cadence - weekly.

      • Upcoming cancellations:

        • November 14

        • November 28

        • Potential for more cancellations in December.

  2. ISO 17065 Discussion Items

    • Carol: findings from David; those have been closed out and returned to UKAS. He’s pushing for the dates of the next review.

  3. Group Discussion:

    • Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials on IAWG Wiki).

  4. AOB

👥 Attendees

  • Voting: Jimmy Jung, Michael Magrath, Andrew Hughes, Yehoshua Silberstein, Richard Wilsher, Vladimir Stojkovski

    • Regrets: Mark King

  • Non-voting:

  • Staff: Amanda Gay, Kay Chopard, Carol Buttle

  • Guests:

Quorum determination

The meeting is quorate when 50% + 1 of the voting participants attend.

There are 7 voters as of 2024-11-07.

Approval of Prior Minutes


🗣 Discussion topics

Item: Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials on IAWG Wiki).

Presenter: Group

Notes:

  • Last meeting recap:

    • Group consensus that the unobservable/unassessable criteria do pose some risk and there should be something in place.

    • A clear direction/statement/risk-based approach is needed to handle the things posed by the rev. 4 / rev. 3 Supplement.

  • Mike M: reports NIST got over 2K comments to work through.

  • Carol: notes continued inconsistencies in language that could be problematic. Agrees on a risk-based approach, but clarity from NIST regarding an acceptable level of risk would be needed for assessment purposes.

  • Andrew H: considers the risk related to the unobservable criteria to be between the CSP and federal agencies; what can we ask the CSP to have in place to identify/accept that risk? Include something in the agreement/terms of service?

  • Richard: proposes a notice referencing the affected criteria, the unobservable nature/unassessability of such criteria, and how the applicability of those criteria will be recorded. It would be easier to change/modify notices and criteria as things move forward with NIST guidance.

    • Carol: notices can be a really useful functional tool in clarifying what’s in/out of scope.

    • Kantara may need a more formalized/detailed approach to notices, with references included in the TSL, SoCA, etc.

    • The notice could include recommendation(s) to CSPs for how to proceed.

    • The goal would be a single-source, easily accessible document.

  • Group consensus on the notice/SoCA approach for handling syncable authenticators.

  • Richard’s note in chat:

    • Notice 2024-01: Accommodation of Passkeys

    • Use of Passkeys presents difficulties when Kantara assessments are confronted with criteria for which the CSP is unable to provide evidence of conformity, because the referenced functions are beyond their control or even awareness, since the related functions are within the Passkey implementation fabric. Consequently, KI’s Assessors are unable to determine meaningful findings with regard to such criteria.

    • Furthermore, industry is faced with widespread adoption of Passkeys, and their very ubiquity establishes them as an established practice that cannot be ignored.

    • Accordingly, CSPs which deploy Passkeys shall mark the criteria listed below as having the following applicability: “In scope – Not applicable. Refer to KI Notice 2024-01”

  • Also needed: list of affected criteria.

  • The notice is the path to take.

  • ACTIONS:

    • @Richard W: Consolidate list of affected criteria and propose notice language.

    • @Andrew/Staff: Review/develop a Kantara process for managing/publishing notices.

      • Initial thoughts: add to the TSL page? Some motion within IAWG to do this.

  • Additional work:

    • Richard: still sees errors on the TSL (definitions); Carol will be working on these soon.

    • Some nonmaterial things still need publication, and a further breakdown of acceptable combinations of evidence. Andrew/Carol to discuss.

✅ Open Action items

  • Richard W: Consolidate list of affected criteria and propose notice language.

  • Andrew/Staff: Review/develop a Kantara process for managing/publishing notices.