Attendees:
...
Administration:
Roll call, determination of quorum
Minutes approval
Kantara updates
Assurance updates
Discussion: 800-63-3 Criteria Issues to Resolve
T5-1 notification
supervised remote proofing proposal
OPD#0010
S3A
Any Other Business
Meeting Notes
Administration:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
...
Kay reported it’s still a full pipeline in the U.S. - but much slower in the U.K. She’s hoping that changes and hopes to hire on a Program Manager over there that can run the program similarly to how Lynzie runs the U.S. program. There have been lots of conversations with several agencies - including GSA - about our program and the need to have a Kantara Trust Mark to be on their schedule.
Discussion:
T5-1 notification
Andrew shared the drafted notification and provided background information for anyone not aware. Richard moved to accept the notification as-is and publish it. Andrew seconded the motion. Motion carries with no objections. Notice will be sent out to relevant parties next week.
Supervised Remote Proofing Proposal
A small group discussed the criteria and developed the following proposal for #0490-#0580
...
Richard pointed to the source text - 5.3.3.1 part 1 refers to the operator but part 2 does not. So perhaps the reference to the proofing supervisor in #0500 and #0510 is a little bit too much. Tim asked why we use the term biometric in #0500. Biometric is the result of running the computation on the selfie image, etc. You don’t need the biometric to do the remote physical comparison. Richard cited the source text on 5.3.3.1. Yehoshua mentioned it’s a bit contradictory and circular. The group reviewed and discussed Table 5-3 in the source text. After the discussion, Richard suggested striking the reference to 63A#0620 to 63A#0680.
Jimmy then suggested another criterion edit - “If the CSP provides Supervised (Remote or In-person) proofing it SHALL document and apply technologies and procedures such that they SHALL ensure that biometric samples are taken from the Applicant themselves and not from another person.” Richard argues this should be adopted in #0500 and #0510 to remove the reference to the proofing supervisor. The update will be incorporated into the overall changes to the 63A updates.
Richard suggested striking the line “Physical comparison performed remotely SHALL adhere to all requirements as specified in 63B, Section 5.2.3.” for STRONG evidence. Andrew & Yehoshua were agreeable. The updates will be made into the overall updates of 63A.
OPD#0010
Andrew raised the concern. Richard noted there is no source text to the criteria - that it begins with the subparts of the criteria. Richard reviewed the original Word version of the OP_SAC and determined there was never a header for it. He suggested inserting one. Andrew believes the revocation stuff should be in the credential policy - it just needs to be stated. Suggested header: “The CSP must in its CrP…”.
Richard noted that a reference back to OPA#0020 f) would also work. Richard will propose guidance to be included in the update.
S3A
Andrew shared the reasoning for the updates to the S3A, including the need for more detailed information being provided to the ARB. Richard believes the level of detail in the S3A was never intended to be aligned with all criteria in the SAC. Jimmy agreed. The assessor gets some scoping out of the S3A, but not what they need to complete the assessment. But this is all the ARB gets beside the SAC to explain what the system does, and that’s why it needs to be comprehensive - at least at a data flow level. Without that, the ARB doesn’t always know what they are looking at. The other option is that the ARB just trusts the assessor and asks the questions needed. Richard prefers that option but acknowledges there needs to be a degree of detail in the S3A for the ARB to understand the full process.
Richard asked if the S3A is the CSP’s responsibility - or is the assessor responsible for reviewing and suggesting edits. Richard doesn’t see that it’s the assessor’s role to validate the S3A. Andrew posed the question - is there enough guidance given for a CSP to provide the level of detail the ARB expects? Due to time, the discussion of responsibilities and expectations related to the S3A will be picked back up at the next call.
Any Other Business
Andrew shared that Ping Identity doubled in size - Ping’s owner purchased ForgeRock and they will be rolled into Ping. Hopefully this will allow Andrew to bring more people into the Kantara space with this acquisition.
...