...

  1.  Administration:

  2.  Discussion:  

  3. Any Other Business

Meeting Notes 

Discussion:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate.

...

The policy is now shared on the wiki - you can find it here.

Lynzie updated the group on her call with CARIN the previous week. There continue to be several unanswered questions about what the expectation is for Kantara. Ryan (CARIN) and Kyle (DirectTrust) offered to meet with a group of us if desired. Kyle did update the group that DirectTrust will have the ‘entire package’ out the door in January. The positive is that even with our IAWG/LC approvals, open comment period, and all-member ballot, we have until late September before we need to have something finalized by this group.

...

Jimmy believes our (non-PKI) part in this is potentially very small – the IAL part is 2-3 pages of section 3.2.3.1 - likely similar for AAL. Andrew thinks we need to determine how different the CARIN policy is from the NIST guidelines. He believes CARIN is trying to produce a ready supply of vendors into the TEFCA space. Martin asked if healthcare is going to require IAL3 - we aren’t sure at this point but are currently okay at IAL2. There’s not huge interest in the pipeline at the moment for IAL3 approvals. Jimmy reiterated that Kantara should have a conversation with CARIN to see what (if anything) was promised and what we want to have promised to that group.

...

Further, Richard said we need to consider whether there is anything beyond what our criteria presently have, and whether it can be accommodated by adding a profile.

KIAF 1050 - Glossary and Overview

Andrew prefers just having a webpage for CARIN people to help them through the process - our current process with a rationale that they are pursuing this for CARIN/TEFCA.

Jimmy scrolled through the table of contents to identify which sections are PKI-based and which cover what we do - Sections 3 & 4, some of Section 5. If CARIN is asking Kantara to provide something that complies with this entire policy - that’s a lot of work - and it’s PKI policy, which is beyond us. We don’t assess any of Section 6.

Mark King asked if minors were considered. It was on the CARIN agenda last week, but the group didn’t get that far, so it’s unknown what their plan is.

After the lengthy discussion, Andrew noted he does not want to make a Trust Mark for the credential policy as it is now. It’s a PKI certificate policy and most of it is out of scope for us. Richard mentioned offering a class of approval that accommodates variations we wouldn’t want others jumping into - ones that are healthcare/CARIN specific.

Due to time, we could not move further on the agenda.

Any Other Business