Attendees:

Voting Participants: Mark King, Ken Dagg, Martin Smith, Richard Wilsher, Mark Hapner

Non-voting participants: Jimmy Jung, Jeremy Haines Pradeep, Rohan Pinta, Pradheep Sampath, Roger Quint, Eric Thompson

Invited Guests: Jeremy Haynes, Blake Hall, Rohan Pinto, Pete Eskew

Staff: Colin: Kay Chopard,  Ruth Puente

Quorum: There was quorum.

Agenda:

  1. Administration:
      a. Roll Call
      b. Agenda Confirmation
      c. Minutes approval (DRAFT minutes of 2021-06-03)
      d. Staff reports and updates
      e. LC reports and updates
      f. Call for Tweet-worthy items to feed (@KantaraNews)

  2. Discussion
      a. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
      b. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
      c. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
      d. Component Service Consumer criteria

        Welcome new ED. Kay Chopard, new ED. Hopes to do a lot of listening. Feel free to reach out: kay@kantarainitiative.org.

        Minutes of June 3 – Mark Hapner, Eric. Approved unanimously.

        Staff updates: Ruth – 4-5 new SPs expected in next 2 months. Personnel: Ruth leaving, last day.

        Ken: will miss Ruth's excellent contributions over 9 years. Thanks very much. Richard – great accomplice. Where is Ruth2 coming from

        Ken – impending replacement. Hand-over during month of July. Kay: a top priority, couple of finalists. Ruth very, very helpful.

        Ken – Identiverse news, Kay? Kay: deluged with people meeting new ED. Did keynote with Ken Sutherland of Lexis-Nexis on leadership. No other sessions attended. Said over 1/2 speakers new this year. Sessions are recorded.

        Ken – need Secretary. Do Minutes. Not too hard. Please send email to me and Martin to volunteer. 

        LC-Ken:  Approved MDL privacy report, in pubs process.  Expect to be influential 

        Call for Tweets

        Minutes Approval


        Meeting notes: 

        Administrative items:

        IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

        Agenda confirmation:  Ken noted that the order of Discussion items had been changed from the original meeting announcement to accommodate the "comparable alternatives" item that is believed to be of current interest to CSPs.

        Chair comments: Ken welcomed the new Kantara Executive Director (ED), Kay Chopard, and invited her to introduce herself. Kay said she is very impressed with the variety of important work being done in Kantara and specifically in the IAWG, citing today's full agenda as an example. She has so far been fully occupied with learning how Kantara operates and meeting people in Kantara and from other organizations interested in working with us, but she looks forward to contributing to the substantive work very soon. She called out particularly the assistance Ruth Puente has been providing to support a quick and smooth transition.  She invited meeting participants to reach out to her at kay@kantarainitiative.org.  

        Ken noted that Ruth is also transitioning to a new position at another organization as of July 1. He congratulated her but also expressed how important she has been to maturing Kantara's Assurance Program during her 7 and a half years' association with us. He also thanked her for her excellent support of the IAWG. Richard Wilsher added that she has been a "great accomplice." Kay commented that finding a new Assurance Program Manager is one of her highest priorities, and that she is currently evaluating several candidates.

        Ken added that pending a new APM getting up to speed, the WG will be on its own for administrative support and is in need of a volunteer Secretary to prepare Minutes. He emphasized that responsibility does not require a great deal of time and invited IAWG participants to contact him if they might be able to step up. 

        Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of June 3; Eric Thompson seconded. The Minutes were approved unanimously, as written.

        Staff reports and updates: Ruth Puente reported that the assessment program is quite active and she anticipates approval of 4 new Service Providers over the next months. 

        LC reports and updates:  Ken said the LC has approved a very substantive report on mDL Privacy prepared by the Privacy and Identity Protection in mobile Driving License ecosystems DG (PImDL DG), which is now in the publication pipeline. He believes the report will be very influential because it documents a number of significant privacy issues that mDL solutions will have to address. 

        Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle.

        Discussion:

        Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

        Ken asked Richard Wilsher to introduce the topic and provide background.

        Background: It was commented that there is a US Federal Agency that is interested to know if Kantara has an opinion or guidance related to NIST 800-63-3, 5.4 - Risk Acceptance and Compensating Controls. In this section, the guidance states that the “Agencies MAY determine alternatives to the NIST-recommended guidance, for the assessed xALs, based on their mission, risk tolerance, existing business processes, special considerations for certain populations, availability of data that provides similar mitigations to those described in this suite, or due to other capabilities that are unique to the agency.” It follows that agencies “SHALL demonstrate comparability of any chosen alternative, to include any compensating controls, when the complete set of applicable SP 800-63 requirements is not implemented.” (pp 22-23). The agency is specifically concerned about the disparate impact on digital ID proofing for a relatively low inherent fraud risk within their program. They have risk assessed that this falls into IAL2, but think it is a candidate for this “comparable alternative” ID Proofing. However, there is no guidance on how to demonstrate comparability or details related to appropriate justification.

        Moreover, this Agency is interested to explore the feasibility of a third party framework to certify Comparable Alternatives as allowed for in section 5.4 of NIST 800-63-3, such as Kantara. 

        Richard said Sec 5.4. does allow US Federal agencies to use "comparable alternatives" and provides some guidance on how that would be done. Richard suggested that KI might perform an assessment of a service that used an alternative control, but he feels that Kantara can't take on determination of what is "comparable."

        Martin: does Sec 5.4 say how "comparability" is determined?  Richard: somewhat. Richard suggests: we would handle, but 

        Blake – D.Me – thinks this is DOL, trying to use expired DLs. Hopes to service this requirement. Thinks maybe RealID could be acceptable.

        Eric Thompson agrees that alternatives should be OK, not everyone has ID

        Ken:  2 issues:  gaping hole in rev 3; "comparable" process.

        Richard shared draft language for an approach to this issue Kantara might take: [image]


        Richard further reported discussion of this issue with David Temoshok of NIST. He said David discouraged KI involvement in assessing these alternative controls because that is the responsibility of the Federal agencies' CIOs; he further believes use of such alternatives would only be appropriate to address a use-case unique to one agency.

        Blake Hall said he believes the "Federal agency" Richard mentioned is the Department of Labor, which is exploring the possibility of allowing the use of expired driver's licenses as identity documentation for their public "customers." Blake said his company hopes to service this requirement.

        Eric Thompson agrees that there should be alternatives for the large number of people who lack the currently acceptable identity documents.   

        Martin Smith suggested that from what has been said, it sounds like this issue could best be addressed via the upcoming revision of SP-800-63-A that could provide for more flexible (and thus more inclusive) identity-proofing alternatives. But of course 800-63 Rev. 4 will not be promulgated until some time next year.

        Roger Quint said the question is: what are we trying to accomplish? Are we developing a general strategy for addressing special cases? He said Kantara should avoid getting in the middle of hard determinations.

        Mark Hapner: 

        SOCA:  applicable

        (Pete Eskew leaves)

        Ken – calls time on the discussion at 1:59

        Ken: if we add this as a criterion, does it add risk to KI in granting approvals?

        Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation

        Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation

        Component Service Consumer criteria.

        Ken summarized the situation by saying it appears there are two distinct issues: a gaping hole in 800-63-3, and how Kantara might deal with the "comparable alternative" process.

        Chairman Dagg called time on the discussion at 2:59PM. He characterized the discussion as very useful and said Kantara will need to settle on an approach soon. He confirmed that the WG will meet next week to continue this discussion and, if possible, address other issues on today's Agenda that were not discussed.

        Next Meeting: Next Thursday, July 8 at 1PM US Eastern (July 1st is a national holiday in Canada)