
Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, Mark King, ..., Maria Vachino, Richard Wilsher

Other IAWG Members: ..., Eric Thompson, ...

Guests: Matt King

Staff: Lynzie Adams, Kay Chopard

...

Proposed Agenda

  1. Administration:
    • Roll call, determination of quorum
    • Minutes approval - 2022-...
    • General Updates
  2. Discussion:
    • New Chair - Introduction & Overview
    • VP of Assurance Report
    • 2022 Action Item List - Overview & Structure
    • IAWG role in 800-63 Rev. 4
    • Addressing assessor/field observations about new ways of doing proofing/authentication - and how to incorporate into SAC
  3. Any Other Business

...

Meeting Notes

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

Minutes approval: The April 28 minutes were updated to reflect Matt King as an IAWG guest rather than an IAWG member. Mark King motioned to approve the draft minutes from the May 5 IAWG meeting. Mark Hapner seconded the motion. The minutes were approved unanimously.

...

General Updates:

International Updates:

EIC is next week. Kantara will be well represented.

LC update:

Beginning a new cycle of reviewing the Operating Procedures for improvements.

Call for tweet-worthy items.

Discussion:

IAWG Chair Election 

Andrew Hughes was the sole nominee for IAWG chair. Voting members for the election were: Maria Vachino, Mark King, Mark Hapner, Jimmy Jung, and Martin Smith.

Maria motioned to select Andrew Hughes as the new chair of this working group for the remainder of 2022. Mark King seconded the motion. Jimmy, Martin and Mark Hapner all voted yes. With a unanimous vote, Andrew Hughes is the IAWG chair for the remainder of 2022. He will start his new role at the next meeting.

800-63 Briefing

The briefing and discussion was led by Maria. Some key points included:

  • 63-4 release delayed until end of summer. Controversy around ID proofing is the main reason, specifically the facial verification piece for IAL2 and above. There is also an increased focus in this administration on equity and inclusion issues, and it is taking NIST time to work that into the draft. No controversy with AAL or FAL at this point.
  • Authentication: risk detection / fraud detection types of responsibilities. The Zero Trust document treats 800-63 as a foundational piece, and there is interest. The problem is that the compensating controls used in the financial sector are geared toward a group very different from those needing government services (e.g., people without internet access or with low-quality technology).
  • NIST agreed to do a workshop with Kantara. They do this on a regular basis with agencies and are willing to do it with Kantara for Kantara members, likely during the public review period.
  • Suggested solutions to the agencies would be appreciated on some of these issues. There is probably no desire for a listening session, but they are always looking for solutions.
  • 63-4 rumored changes: an enhanced IAL1 is coming; the addition of a credible source to help with a risk-based decision; expansion of the trusted referee role is in the works, or an applicant representative (e.g., a social worker) who could assist the applicant with the proofing process.
  • NIST posted open questions they want addressed; beyond those is the equity and inclusion question. The hope is that low and moderate will have separate controls, which would help a great deal. GitHub is a good place to keep an eye on open questions.
  • Discussions around password-free processes.
  • Maria suggests all companies respond to the draft not only with the issues but with suggested language. As for Kantara's response, IAWG will likely be the WG to draft the language and then pass it through individual organizations.

DIACC

It was determined that IAWG will not be able to draft a response in the time period allotted for the DIACC request.

Any Other Business & Next Meeting:

Jim Kragh introduced himself as the chair of the Federated Identifiers for Resilient Ecosystems (FIRE) work group and the vice-chair of the Healthcare Identity Assurance work group. These two work groups will be merging together to look very specifically at the underserved population. How do we gain trust? 

...

Kay - An additional assessor is being added, and current assessors are adding staff to keep up with the demand and growth of the Assurance Program. Work continues with ONC, CARIN, and other agencies.
Andrew - Provided an update on the EIC pre-conference session. There was an engaged crowd who were happy to hear things are really taking off. As for CARIN, there are hopes that two IAWG members can contribute to the CARIN working groups to help them and also bring back lessons so we can monitor how it is going.

Discussion:

New Chair - Introduction & Overview

Andrew discussed the new agenda format and the desire to hold meetings weekly. Additionally, in coming weeks the Assurance Report will move from a discussion item to a standing administrative item to be addressed when needed. 

VP of Assurance Report 

Maria reported that a strong concern she is hearing is that non-experts who look at the Trust Status List are confused. They do not understand what the levels are or the difference between full and component services. We need to be more explicit about what component services are and what is still needed to complete the full service. This can be taken up at the classes of approval / service descriptors meeting on June 9.

Additionally, we need an explanation of component services up front. We need to be explicit about what is missing and what you need to add to make it fully compliant. Maria would also like to display the SACs in another way, as the PDFs are sometimes missing information. Action Item - Figure out how to better display the SACs and in what ways we can enhance the TSL to be useful to non-industry folk.

Action Item List

Andrew reviewed the 2022 Action Item list with updates he found make it easier to use, including a column for next action date.

We want to clean it up and make it active actions only. We will continue to include the screenshot of the action item list in the invitation and agendas to keep us on task. The group addressed ongoing items and decided to move them to the agenda rather than the action items list; this will be reflected on the next agenda. IAWG leadership will discuss what to do with the Rev. 4 suggestions and Ken's report on the action item list at their next planning meeting and bring it back to the full group.

IAWG Role in 800-63 Rev. 4

Maria brought up false non-match rates and the data we need to address them. How are we enforcing the false match rate? We want to make sure that our Approvals are meaningful. Martin asked if adding criteria is one path to achieving this; Andrew and Maria acknowledged it is one way. Further, we need to include the ISO standards directly in the Kantara standards. Richard reminded the group that we currently require the CSPs to show evidence that they are conformant to the standard.

Andrew asked if it would be helpful to have a 3-4 page report on how matching rates work and how they are determined, pointing to the NIST report that lists the algorithms and how they work. Is that an action item that would be useful for our CSPs? More explanation of the nature of matching. Maria believes it would be useful, and she wants to see clear and consistent guidelines on what tests they must run in an Assessment. Maria does not believe "show me whatever evidence you have for match rate" is sufficient. Richard argues that if we do this for one criterion, where do we stop? Further, he believes we should not be trying to define a standard that an international standard already defines. Richard thought Maria was going to suggest that CSPs submit data and demographic information, which could be a potential solution.

We need to see the standard and see what it is. Then we can have the discussion. Action Item - buy the ISO standards to further discuss.

This conversation will be carried over to the next meeting. Richard highlighted 63A#0620 as the applicable criterion.

ISO:

63A#0620: The CSP shall implement biometric systems which have at least the following characteristics:

  a) operate with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better;
  b) achieved that FMR operation under conditions of a conformant attack (i.e., zero-effort impostor attempt) in accordance with ISO/IEC 30107-1.
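The discussion above asks how an assessor can tell whether a CSP's biometric system actually meets the 1-in-1000 FMR in 63A#0620 a) and what evidence is enough. The following is an added worked example, not code from the minutes, Kantara or NIST: it computes FMR and FNMR from comparison scores, finds the lowest threshold that satisfies the criterion, and shows how many zero-effort impostor comparisons an evaluation needs before "zero false matches observed" supports a 1-in-1000 claim. The score data is constructed (seeded pseudo-random, hypothetical), and all function names are assumptions for this example.

```python
"""Match-rate check for criterion 63A#0620 a): FMR of 1 in 1000 or better.
Added example; the scores are constructed for the demonstration and are not
Kantara or NIST test data.  Function names are this example's own."""
import math
import random
from typing import List, Sequence, Tuple


def fmr(impostor_scores: Sequence[float], threshold: float) -> float:
    """False match rate: fraction of zero-effort impostor comparisons whose
    similarity score reaches the decision threshold and would be accepted."""
    if not impostor_scores:
        raise ValueError("FMR needs at least one impostor comparison")
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def fnmr(genuine_scores: Sequence[float], threshold: float) -> float:
    """False non-match rate: fraction of genuine comparisons that fall below
    the threshold and would be rejected (the usability cost of a strict FMR)."""
    if not genuine_scores:
        raise ValueError("FNMR needs at least one genuine comparison")
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def threshold_for_fmr(impostor_scores: Sequence[float], target_fmr: float) -> float:
    """Lowest threshold at which fmr() <= target_fmr.

    At most floor(target * n) impostor scores may sit at or above the
    threshold, so the threshold goes just above the next-highest one."""
    n = len(impostor_scores)
    allowed = int(math.floor(target_fmr * n + 1e-9))  # guard float round-off
    ordered = sorted(impostor_scores, reverse=True)
    if allowed >= n:
        return ordered[-1]  # every impostor may pass; the lowest score works
    return math.nextafter(ordered[allowed], math.inf)


def meets_63a_0620_a(impostor_scores: Sequence[float], threshold: float) -> bool:
    """63A#0620 a): operate with an FMR of 1 in 1000 or better."""
    return fmr(impostor_scores, threshold) <= 1 / 1000


def min_impostor_comparisons(target_fmr: float, confidence: float = 0.95) -> int:
    """Impostor comparisons needed so that observing zero false matches bounds
    the true FMR at target_fmr with the given confidence:
    (1 - p)^n <= 1 - confidence.  This is the exact form of the 'rule of
    three' (about 3 / p); for 1 in 1000 at 95% it is 2995 comparisons."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_fmr))


def constructed_scores(seed: int = 42, n_genuine: int = 500,
                       n_impostor: int = 5000) -> Tuple[List[float], List[float]]:
    """Constructed similarity scores in [0, 1] (hypothetical, seeded so runs
    repeat).  Genuine comparisons cluster high, zero-effort impostor
    comparisons cluster low, with overlapping tails like a real matcher."""
    rng = random.Random(seed)
    genuine = [rng.betavariate(8, 2) for _ in range(n_genuine)]
    impostor = [rng.betavariate(2, 8) for _ in range(n_impostor)]
    return genuine, impostor


def evaluate(threshold: float) -> dict:
    """FMR/FNMR of the constructed system at one threshold, plus whether the
    evaluation set is large enough to support a 1-in-1000 claim at all."""
    genuine, impostor = constructed_scores()
    return {
        "threshold": threshold,
        "fmr": fmr(impostor, threshold),
        "fnmr": fnmr(genuine, threshold),
        "meets_63a_0620_a": meets_63a_0620_a(impostor, threshold),
        "enough_impostor_trials": len(impostor) >= min_impostor_comparisons(1 / 1000),
    }


if __name__ == "__main__":
    _, impostor = constructed_scores()
    # A vendor-chosen threshold that looks fine on FNMR alone...
    print(evaluate(0.5))
    # ...versus the lowest threshold that actually satisfies 63A#0620 a).
    print(evaluate(threshold_for_fmr(impostor, 1 / 1000)))
```

Two points this makes concrete for an assessment: a threshold chosen for low FNMR can fail the FMR criterion while looking fine on the vendor's own usability numbers, and an evidence set with fewer than about 3000 zero-effort impostor comparisons cannot demonstrate 1 in 1000 at 95% confidence even if it shows zero false matches, which is one reason "show me whatever evidence you have" is weaker than a stated test procedure.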

Addressing assessor/field observations about new ways of doing proofing/authentication - and how to incorporate into SAC

Ran out of time. Will be addressed at next meeting. 

Any Other Business

Mark Hapner is interested in identity recovery - what happens when you lose your issued credential? Andrew suggested putting it as an item to discuss in an upcoming meeting