Kantara Initiative Identity Assurance WG Teleconference


DRAFT Meeting Minutes - IAWG approval required; approved by IAWG 8 August 2013

 

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: no meeting last week - no minutes needing approval IAWG Meeting Minutes 2013-07-18
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Roadmap review
    2. IAF Tickets and Issues Review
      1. IAF Ticket #527461 (13 June 2013)
      2. IAF Ticket #328495 (July 13, 2013)
      3. IAF Ticket #314131 (July 13 2013)
      4. IAF Ticket #770408 (13 July 2013)
      5. Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
    3. Glossary status update
    4. Modular IAF Sub-group update
  3. AOB
  4. Adjourn

 Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

 

Voting

  •  

Non-Voting

Staff

Apologies

  • None
  • Myisha Frazier-McElveen
  • Rich Furr

    Meeting was quorate, with 5 voting participants present.

     

    Voting

    • Andrew Hughes

    ...

    • Scott Shorter
    • Matt Thompson
    • Bill Braithwaite
    • Cathy Tilton

    ...

    ...


    Non-Voting

    ...

    ...

    • Ken Dagg
    • Jeff Stollman

    ...

    Staff

    ...

    Apologies

    • Myisha Frazier-McElveen
    • Richard Wilsher

     

    Notes & Minutes

    Administration 

    Minutes Approval

    ...

    IAWG Meeting Minutes 2013-07-18

    Motion to approve minutes of 2013/7/18: Cathy Tilton
    Seconded: Matt Thompson
    Discussion: None
    Motion Passed

    Action Item Review

    See running table below

    Staff Updates

    • Director's Corner Link
      • August 8-9 meeting planned in Portland/Vancouver, WA - Kantara strategy and internal operations. Please contact Joni for details.
    LC Updates
    •  No meeting this cycle 
    Participant updates
    • none new

    Discussion

    Roadmap review

    IAWG Roadmap - 2013

     

    IAF Ticket Review

    IAF Ticket #527461 (13 June 2013)

    ...

    New ticket #527461 created.
    -------------------
    
    The process below does not clearly state if the ARB must vote to accept 
    an application and list it as registered applicant or if the application 
    can be accepted by the secretariat upon performance of review that the 
    application is not a waste of time (so far out of scope or not aligned 
    with mission).
    
    I apologize for the line numbers but the below, I believe, references 
    the section where the clarification is needed.
    
    Could you please ensure this is entered as a change request for the AAS 
    officially?
    
    Thank you!
    
    Quoting from AAS v3-0:
    6.7 Specific Evaluation Steps 651
    The Secretariat will validate the initial Application submission up to 
    and including Part I clause 652 4.1, step 9. 653 Where the Application 
    is for a Full Service Approval, the Secretariat will ensure that the 
    overlay 654 of the collective criteria covered by the combination of 
    the Applicant’s SoC and those of its 655 component parts encompasses 
    100% of all SAC for the chosen Assurance Level. 656 When all of these 
    validation steps are completed affirmatively, the Secretariat shall 
    advise the 657 Applicant’s Point of Contact (APoC) that the Application 
    has been found fit for assessment. The 658 Secretariat shall then take 
    these additional steps: 659
    
    a) Counter-sign and return the SPA to the CSP’s APoC; 660
    b) File the Application for later reference, and; 661
    c) Notify the Chairman of the ARB of the Application’s receipt (simply 
    for advisory purposes 662 – no action is required of the ARB at this 
    stage). 663
    Evidence of its acceptance of the SPA is a necessary pre-requisite to 
    enable the Applicant’s chosen 664 Assessor to formalize the contract 
    for Assessment (see clause 6.8, below).

    Discussion of ticket

    • Request is clear
    • Request is not Errata
    • Experience with TrustX was that there was a lengthy delay between submission and approval of receipt.
    • Where applicants see a business benefit in being listed as 'in progress' on the Trust Status List, a quicker turn-around time is preferred
    • Opinion is that early list as in-progress is preferred - no downside anticipated.

     

    Disposition: Add to IAF enhancements list

     

    IAF Ticket #328495 (July 13, 2013)

    IAF-1400-SAC
    Line: 1417, 1598
    
    Reason:
    It is listing particular techniques. IAF wants to be protocol and techniques independent.
    
    Proposal:
    Change the line as follows.
    
    These criteria apply to any credentials.

    Discussion of ticket

    • Suggestion from group is to use "These criteria apply to any credentials, for example, PIN, Password or SAML Assertions"
    • Editor to search for similar specification of particular methods, and include generalizing text as above.

    Disposition: Add to IAF enhancements list

     

    IAF Ticket #314131 (July 13 2013)

    IAF-1400-SAC
    Line: (not listed)
    
    Reason:
    Again, it is listing a limited number of technologies. Generalization is sought.
    
    Proposal:
    Replace including after "These criteria apply to ... " with "These criteria apply to any credentials."

     

    Discussion of ticket

    • Same disposition as Ticket # 328495

    Disposition: Add to IAF enhancements list

     

    IAF Ticket #770408 (13 July 2013)

    IAF-1400-SAC
    Line:  1636 - 1640, 2149 - 2198
    
    Reason: 
    This is permitting only three protocols making IAF protocol dependent. 
    Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 
    
    Proposal: 
    Delete 

     

    Discussion of ticket

    • More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
    • The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..." 
    • This looks like a candidate for a US-Specific Profile
    • The point appears to be to avoid password eavesdropping or message replay
    • Defer further discussion to next meeting

    Disposition:  Return for clarification | Add to IAF enhancements list

     

    Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions

    1. AL2_CM_CTR#028 seems to stipulate OTPs that are both event- _and_ time-based,
    which is a bit strange. It seems this confusion is in 800-63-1 as well. If (for instance) 
    b and c were combined, and there was an OR in the Applicant lead-in (line 1642) then the 
    criterion would allow both (sensible) time and event-based OTP-devices which I 
    suspect was the intent.
    
    2. AL2_CM_CTR#025 doesn't permit the use of public key-based authn for AL2. This
    must be an oversight, right?
    
    If you all agree we should open tickets for these and probably talk to somebody 
    at NIST about (1).

     

    Discussion of Questions

    • Comment appears valid
    • #1 is Errata - Need to raise with NIST for direction, but the requester makes a reasonable case
    • #2 is the same as Ticket #770408

    Disposition: Errata | Add to IAF enhancements list

    AOB

     Defer to future meeting

    Action Items

    Item #: 2013-06-06-002
    Description: Review RGW 800-63-2 vs KI IAF mapping documents and provide feedback
    • (2013-Jun-20): Minimal comments and feedback received from IAWG by email; last chance for IAWG comments on the 2 documents Tuesday 25 June 2013
    • (2013-Jun-27): Discussed specific clauses on-call.
    Assigned to: All
    Est. Completion: 27 June 2013
    Status: In progress

    Item #: 2013-06-06-005
    Description: IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach
    (2013-Aug-1): Comment that perhaps ICAM should be invited as well.
    Assigned to: Staff / IAWG Leads
    Est. Completion: TBD
    Status: Not started

    Item #: 2013-06-13-001
    Description: Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options
    • (2013-Jun-20): Discussion occurred; vision has been always to have a CMS - possibly a database with online self-serve document generation capability (in whichever output format is needed); team will be needed to draw up a wireframe and requirements for a custom developed tool
    • (2013-Jun-27): Call for lead is required. Myisha to send a call to list for volunteer lead.
    Assigned to: Myisha
    Est. Completion: 20 June 2013
    Status: In progress

    Item #: 2013-06-13-002
    Description: Glossary updates underway. Next draft should be available in 4 weeks
    (11July2013): Defer item to future meeting
    (1Aug2013): No comments on new additions received yet - reminder sent to sub-group.
    Assigned to: Ken Dagg
    Est. Completion: Updated: 12 Sept 2013
    Status: In Progress

    Item #: 2013-08-1-001
    Description: The text of the Tickets is not easily accessible.
    This is due to the policy that the source of comment must be kept confidential, and the Confluence Ticket system does not permit sequestration of the commenter identity.
    Secretary to create a place on the wiki for disposition of Tickets, including the ticket text itself.
    Assigned to: Andrew Hughes
    Est. Completion: 8 August 2013
    Status: Not Started

    Item #: 2013-08-1-002
    Description: Forward Ticket items that have been resolved to correct lists for next action.
    Assigned to: Andrew Hughes
    Est. Completion: 8 August 2013
    Status: Not Started

     

    Recently Closed Action Items

    Item # | Description | Assigned to | Est. Completion | Status
         

     

     

    Attachments

     

     

    Next Meeting