...

Non-voting participants: Jimmy Jung, Pradheep Sampath, Roger Quint, Eric Thompson

Invited Guests: Jeremy Haynes, Blake Hall, Rohan Pinto, Pete Eskew, Chris Lee

Staff: Kay Chopard, Ruth Puente

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-06-24)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion
    1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
    2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
    3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
    4. Component Service Consumer criteria.

...

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval: Mark H moved approval of the draft Minutes of the IAWG meeting of June 24; Richard W seconded. The Minutes, as written, were approved unanimously.

Staff reports and updates: ED Kay C: Focus is finding a replacement for Ruth as Program Manager (PM) for the Assurance Program. After the first pair of finalist candidates both dropped, back to LinkedIn, starting interviews again. Looking for a more junior PM rather than trying to replicate Ruth's deep experience out-of-the-box. Best case for the new IAF PM to be on-board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates: Ken D: LC had one meeting. Of interest, the long-time Chair of UMA has stepped down due to business demands. The mDL Privacy report is out for review; have a look.

Ken D: reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Or send to Ken D or Kay C.

Discussion:

Continued consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken D: noted that a listserv discussion is accessible via a link in the Agenda emailed before the meeting. He then invited Richard W to lead the resumed discussion.

Richard W: believed we should do something in this space, and it may not be just for Federal agencies. Suggested that we need a capability to assess alternative controls, based on a thorough process grounded in evidence regarding risk, etc.

Eric T: agreed that there is a need and opportunity here to provide some rigor around alternative controls. The key thing is needing to quantify the risk being controlled. Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out. Agencies / orgs don't have the ability themselves to do the rigorous analysis needed to develop and document use of "comparable alternative controls."

Mark H: agreed that there is a broader need than just for CSPs serving Federal agency customers.

Kay C: identified that other Federal agencies with whom she has talked feel that they need unbiased technical help to make their decisions on IAM risk. Understands that NIST (David T) is very wary about Kantara involvement but believes that his concern can be reconciled.

Richard W: Anil John was concerned about lack of communication between government and industry, but didn't have results. 

Roger Q: asked, if we do work in this area, will NIST welcome or oppose it?

Richard W: we should respond to what our customers request and work on getting acceptance, if not support, from NIST.

Ken D: maybe an approach to GSA would work, as they own FICAM. We need a Federal central-agency supporter of our work in this area.

Kay C: Kantara is still meeting with GSA (Phil) regularly. It will be just her until the new IAF PM is on-board. It was noted that things might be slow for a bit, as everyone in Government seems to be planning deferred vacations.

Roger Q: Kantara needs some awareness at, or at least tolerance from, NIST and/or GSA for anything we do in this area.   

Eric T: asked if there is an opportunity for IAWG to help move this forward by putting out guidance related to quantifying risk and the effectiveness of alternative controls for ID proofing systems.

Richard W: noted that Kantara having a set of criteria for evaluating risk and control effectiveness would be useful for assessors who have customers (e.g., private sector or non-US) that are not strictly locked into (very conservative, tech-focused) NIST standards.

Mark K: asked if this is just a US issue. (He will check to see if he can locate any EU-developed materials for risk analysis/quantification and controls effectiveness.)

Jimmy J: believed that many US Fed agencies are thinking "I need IAL2", and would not want to get involved with something "comparable".

Richard W: reminded the meeting that Kantara has been asked by a Member CSP working with a real Federal agency that has a business need to identify public clients who cannot provide the proofing documents required by NIST standards. Believes that Kantara should respond to those needs.

Jimmy J: stated that he is not sure that every KI assessor is going to be able to make and document these judgments about risk and effectiveness. Inconsistent assessments would create a risk to Kantara's reputation.

Mark H: believed that the risk to Kantara can be reduced if Kantara is transparent about what it is doing and shows that it is doing this analysis of an alternative control's effectiveness based on reasonable criteria.

Jimmy J: believed Richard W's suggested additional IAF criteria seem a reasonable basis to begin developing a process for evaluating alternative controls.

Ken D: noted that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency.

Eric T: believed that, as a supplier, we must make sure an agency (customer) is aware of the requirements of accepting "comparables".

Richard W: noted that Kantara assesses CSPs and not RPs. (But Kantara has criteria for federations, and federations would presumably impose various requirements on their member RPs.)

Jimmy J: asked how Kantara would express the results of an assessment based on the use of a comparable alternative control.

Eric T: indicated that, as a supplier, they would provide a memo to their customers clarifying that the service is/uses an alternative control.

Ken D: thanked everyone for the good discussion. Summary: seems worth pursuing, building on Richard W's draft criteria.

Richard W, Eric T, Mark H, Jimmy J and Roger Q agree. No dissent.

Ken D: asked Richard W when he could be ready to discuss initial draft criteria.

Richard W: noted that he might not be available for a couple of meetings in August.

Ken D: asked Richard W if something could be available for IAWG to look at for next week's meeting on the 15th.

Richard W: indicated that he could have something for the 15th.

Jimmy J: asked if the ARB needs to get involved. What's the process where an alternative control is involved?

Richard W: agreed that there needs to be a process to communicate the decision to the CSP and to the (RP) customer.

Roger Q: identified that Kantara needs to coordinate and communicate with NIST to avoid the appearance of going around them.

Richard W: agreed but stated that Kantara is not asking for permission. 

Ken D: indicated that Kantara would inform NIST for their information.


Other Business:

Mark K: asked if it is individual submissions only for providing input to Australia. Ken D: yes. Deadline 7/14.

Ken D: identified that the Pan-Canadian Trust Framework has a new document out for comment by 28 July. Seems to be revisiting the "vectors of trust" concept. Doesn't seem too relevant to IAWG but will send around, and WG can decide at next meeting if we want to submit comments.


Other topics on the agenda deferred to the next meeting.

————————
Next meeting July 15th, 1PM US Eastern as usual. 

Ken D closed the meeting at 2:05.