Versions Compared

Old Version 11

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Martin Smith

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-06-03)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion
    1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
    2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
    3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
    4. d. Component Service Consumer criteria.

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

...

Ken noted that Ruth is also transitioning , to a new position at another organization , as of July 1.  He congratulated her but also expressed how important she has been to maturing Kantara's Assurance Program during her 7 years and a half association with us. He also thanked her for her excellent support of the IAWG. Richard Wilsher added that she has been a "great accomplice." Kay commented that finding a new Assurance Program Manager is one of her highest priorities, and that she is currently evaluating several candidates. 

Ken added that pending a new APM 's getting up to speed, the WG will be on its own for administrative support and is in need of a volunteer Secretary to prepare Minutes. He emphasized that responsibility does not require a great deal of time and invited IAWG participants to contact him if they might be able to step up. 

Minutes approval: Mark Hapner moved approval of the the draft Minutes of the IAWG meeting of June 3; Eric Thompson seconded.  The Minutes were approved unanimously, as written.   

Staff reports and updates: Ruth Puente reported that the assessment program is quite active and she anticipates approval of 4 new SPs Service Providers over the next months. 

LC reports and updates:  Ken said the LC has approved a very substantive report on mDL Privacy prepared by the Privacy and Identity Protection in mobile Driving License ecosystems DG (PImDL DG), which is now in the publication pipeline. He believes the report will be very influential because it documents a number of significant privacy issues that mDL solutions will have to address. 

...

Ken asked Richard Wilsher to introduce the topic and provide background. Richard reported that a US Federal agency has asked how Kantara would handle its using a CSP implementing a "comparable alternative" to the identity proofing controls included in 800-63-3.  He

Background: It was commented that there is a US Federal Agency that is interested to know if Kantara has an opinion or guidance related to NIST 800-63-3, 5.4 - Risk Acceptance and Compensating Controls. In this section, the guidance states that the “Agencies MAY determine alternatives to the NIST-recommended guidance, for the assessed xALs, based on their mission, risk tolerance, existing business processes, special considerations for certain populations, availability of data that provides similar mitigations to those described in this suite, or due to other capabilities that are unique to the agency.” It follows that agencies “SHALL demonstrate comparability of any chosen alternative, to include any compensating controls, when the complete set of applicable SP 800-63 requirements is not implemented.” (pp 22-23). The agency is specifically concerned about the disparate impact on digital ID proofing for a relatively low inherent fraud risk within their program. They have risk assessed that this falls into IAL2, but think it is a candidate for this ‘comparable alternative” ID Proofing. However, there is no guidance on how to demonstrate comparability or details related to appropriate justification.

Moreover, this Agency is interested to explore the feasibility of a third party framework to certify Comparable Alternatives as allowed for in section 5.4 of NIST 800-63-3, such as Kantara. 

Richard said Sec 5.4. does allow US Federal agencies to use "comparable alternatives" and provides some guidance on how that would be done. Richard suggested that KI might perform an assessment of a service that used an alternative control, but he feels that Kantara can't take on determination of what is  "comparable." He

Richard shared draft language for an approach to this issue Kantara might take. :

Image Added


Richard further reported discussion of this issue with David Temoshok of NIST. He said David strongly discouraged KI involvement in assessing these alternative controls because it's the Federal Agencies CIO responsibility; he further believes use of such alternatives would only be appropriate to address a use-case unique to one agency.

...

Next Meeting: Next Thursday, July 1 8 at 1PM US Eastern (July 1st is a national holiday in Canada)