Attendees:

...

Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1. Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 2021-09-23 DRAFT Minutes and 2021-10-07 DRAFT Minutes
    • Staff reports and updates
    • International liaisons updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)

  2. Discussion:
    • Update on open issues regarding the pending package of proposed criteria changes
    • Initial discussion on component services

  3. Any Other Business and Next Meeting Date

Meeting notes

Administrative Items:

IAWG Chair Ken Dagg called the meeting to order at 1:04PM (US Eastern). Roll was called. Meeting was quorate. Distributed agenda was confirmed.

Minutes approval:

Staff reports and Updates:

None.

LC reports and Updates:

None.

Discussion:

Summary of ARB/IAWG meeting:

Ken briefly summarized the issues raised in the joint ARB/IAWG meeting held on September 27. All comments were within form 1430.

  • 1430 #510 - remote ID proofing - IAWG has LOA2 & LOA3 checked but NIST only requires this for LOA3. Why do we have it checked for LOA2? Jimmy believes it may just be a typo/mistake. Martin briefly recalls Richard sharing something in form 1440 that then made it applicable to LOA2 as well. He believes we should let Richard review this before assuming it was an oversight.
  • The same holds for 1430 #520-#580. IAWG has LOA2 & LOA3 checked when NIST only requires it at LOA3. Martin added that David Temoshok made it clear that it definitely only applies to LOA3. Richard will look into this one as well to see if there is something in 1440 that makes this also applicable at LOA2.
  • Many other issues deal with component services, which have already been addressed in the rewording of the new package. The group needs to review one final time to ensure all have been addressed. 
  • The ARB's final area of concern is with the tables (form 1430 T5-1, T5-2, T5-3). Criteria in 63A #190, #210, and #250 make it clear that the tables need to be referenced and used as justification for the strength of proofing that the CSP is doing. It does not say the table must be completed - but it does say tables must be referenced and CSPs must indicate which proofing requirements are being used. ARB wants the tables to be used and checked off as part of the evidence. That is not clear currently. The ARB suggests editing the tables to add columns for the CSP and assessors to check off what they are doing. Applications without completed tables would be sent back with a request that the CSP/assessor complete the tables and resubmit.
    • Jimmy provided some context on how he handled the tables as an assessor. He believes the spreadsheet should make it more explicit that assessors need to fill out these tables. Kay reminded the group that the ARB wants to meet with the assessors and this can be addressed at that meeting.
  • Kay addressed another area the ARB is concerned with regarding when one CSP is using the services of another approved service and how that is documented on the spreadsheet. Jimmy suggested more guidance from the ARB on what they'd like to see and it was agreed to add it to the agenda of the ARB/assessor's meeting. 
    • There was some disagreement on what the ARB was wanting to see. Jimmy believes the ARB should be looking at the full service - reliant on the component service - to get the fuller answer from the full service and minimize the component service. Martin did not feel the ARB has a preference on who is responsible for which criteria, but rather that it should be clear who is responsible for each criterion. Ken took it differently. He thought the front-facing service that uses the component service should be responsible for the redress but needed confirmation from the component service. The IAWG needs to ensure there is a place to record how the services integrate with one another. It was agreed that the component services should be able to say what they do and do not provide and it is the job of the full service that wants to use that component service to fill in the missing pieces.
    • Jimmy suggested allowing components to respond with 'supported' rather than the approved verbiage (conformant, non-conformant, etc.) with an explanation that shows how far they step into that criterion without actually owning it. Ken would like to discuss this with a larger group as a possible way to get around this issue and put the onus on the full service.

Martin questioned whether the whole revision for component services was a prerequisite for submitting the current batch of changes. If it is not a prerequisite, then we should continue to move forward with our current proposal. Ken does not believe a published package will come out until mid-January or February due to the holidays, so we are not in a rush to complete, but he would like the component service changes integrated into the current revisions if at all possible.

The group was not prepared to further discuss the 63A#0177 issues on comparable alternatives. This will be addressed at the next meeting. 

Other Business:

The next IAWG meeting will be Thursday, Oct 21 at 1pm EST to discuss status of open issues regarding the pending package of proposed criteria changes and to revisit component services. 

Ken adjourned the meeting around 2:00.

Martin Smith moved approval of the draft Minutes of the IAWG meetings of September 23 and October 7. Mark Hapner seconded. The minutes as distributed were approved unanimously.

Staff Reports and Updates:

Lynzie reported the first organization seeking FAL certification recently reached out. They are still a few months out from getting started but wanted to begin learning more. Numerous other organizations have been reaching out with interest in Kantara certification - including companies from Korea, Japan, and India who are looking to get into the US market and believe a Kantara certification can assist them with that. 

International Liaisons Updates:

Kay provided an update on:

  • OSIA (France): They are not looking for a new assurance program; it's a much smaller scale project. Conversations are continuing about how we can fit into their future.
  • UK: Had a meeting regarding certification and it seemed positive. They are interested in Kantara pursuing certification, which would allow Kantara to be a certifying body in the UK. Similar to Kantara/GSA, but more formalized. Mark King asked if Kantara is part of the International Accreditation Forum. It's relevant for international collaboration. Nobody was sure at the moment but we will revisit. Mark King shared the link: https://iaf.nu/en/home/
  • New Zealand: They requested a meeting but this has not occurred yet.
  • Australia: Continued discussions are occurring with Jonathan Thorpe. Mark King reviewed Australia's Draft Law document and it seems much of what we said was not taken into consideration, nor was there a response as to why much of this was overlooked. Ken asked to send IAWG's apologies that we were not able to address the latest request.

Ken requested adding this new 'international liaisons updates' standing agenda item given the amount of work we've done in the past for other governments. We tend to get involved in a lot of these things and it is part of the mandate of IAWG to know what is going on around the world and aid them.

LC Reports and Updates:

A new working group, "Privacy Enhancing Mobile Credentials" is being set up. John Wunderlich is the chair. If you'd like to join, reach out to Ken and/or John.

Discussion:

Update on Open Issues Regarding the Pending Package of Proposed Criteria Changes:

Ken noted that the pending package is set on all the criteria except for the ones around alternative controls. Kantara is currently trying to schedule a meeting with GSA/NIST to have an initial discussion around the package. Kay has sent the request. 

Eric Thompson proposed focusing on publishing guidance around alternative controls measurement. He sees this as an area holding agencies back and with some leadership and guidance from Kantara it could move the discussion forward immensely. Ken suggested this be proposed as a new discussion group. He believes there would be interest from folks in other groups as well. Ken requested a half page overview with the scope of the problem to take to LC for approval to get this going. Eric and Ken will work together to propose this discussion group. 

Initial Discussion on Component Services:

The ARB shared concerns with the IAWG regarding how the assessment views component services, particularly what requirements are the responsibility of the full service and what is the responsibility of the component service. This raised the general question - What kind of requirements do we place on a full service and what do we place on a component service? ARB feels a general review of criteria to consider how it works with a component service could be beneficial. Ken was unsure if such a review has occurred. Jimmy worries it could be a complicated lift to address. 

Martin suggested we consider a need for a contract between the parties that clarifies the relative responsibilities. Have we addressed what the contract has to cover when a component service is in use? Ken will review the CO_SAC for any contractual obligations already listed and see if this is a place we could clarify. 

Ken asked everyone to think on it more and we will address further on the next call. 

Other Business:

Eric asked if anyone had heard any updates or any movement on NIST 800-63-4. We submitted feedback on the last call for feedback. Nobody has heard anything further at this point. Kay will ask David Temoshok if there are any updates besides what NIST has already published.

The next IAWG meeting will be Thursday, November 11 at 1pm EST. Continued discussion on component services will occur. 

Ken adjourned the meeting at 1:50 pm EST.