Page Comparison

• Editor´s comments and observations on drafting will be removed.
• It was decided to keep columns A to H  that show the source text, the original NIST text, as it would help to have a cross reference between KI criteria and 800-63-3. Also, the participants agreed to hide columns B to H and leave the choice to the user to make them fully visible or not.
• Scott said we should change "Reviewers guide" to "Users guide"
• The plan is to initiate an e-ballot and after approval send it to LC for following All Member Ballot. Scott requested Ruth issue the e-ballot and send it to voting participants.
• Disposition of Comments only applies to 63A as there were no comments on 63B.
  
  

• Scott said that he did not find out what have change from the last time. It is an interesting idea but short of a framework to use it without more use cases and trust model type content.
• No action expected just to be aware of it.

Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.

• The idea is to move some criteria from the CO-SAC to the OP-SAC
• They are Richard commented that if the criteria is addressed by 63A or 63B there is no need to be in the CO-SAC, if you are not using 63A and 63B we still need this criteria, so we moved into the OP-SAC. Richard He suggested that we look at the criteria and ask, is it is addressed in 63A and 63B? if If it isn’t, we should leave where it is. If it is, that that´s the reason for removing moving it to the OP-SAC.

  
  

• CO-SAC 1410 can be used in the old classic assessment or 63-A/B assessment.
• Classic can be use the OP-SAC that includes these criteria removed.
• In case the of 800-63 rev. 3 assessment we use SAC 1410 + IAF 1430 (63A SAC) and IAF 1440 (63B SAC).
• Richard suggested aligning the tags but Scott sustained that if is not a material change we should not change tags, just ensure the language matches 63-2 and 63-3. 

• Scott commented that it would be good to have a common understanding on what possible evidence options meet the strengths requirements and be accesible to everyone (whitepaperwhite paper).
• Mark said that he is concerned that from disclosure requirements perspective, GDPR will become the bar quickly; services provided to European should meet that bar. Therefore, CSP operation would be constrained with this and should be more open with what they are doing ,  the and the level of disclosure of what investigation was done about you in order to issue a credential would be higher. He believes that disclosure requirements about what is going on in the proofing process are significant and it is a higher bar than 800-63-3. He wants would like to know from the CSPs: How did you validate this? What risk assessment elements did you apply to this?
• Richard commented that KI requests the CSP to make public the credential policy, so you can see what evidence they would be to asking for.
• Scott suggested we continue this discussion in the next meeting.