Kantara eGov Working Group Teleconference (confirmed Jan 7th 2013)

Administrative section

Date and Time

  • Date: 3. Dec 2012
  • Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 08:00 NZ(+1)

Roll Call

Present

  1. Rainer Hörbe, Kismed
  2. Ken Dagg, Fed Canada
  3. Colin Wallis, DIA NZ Govt, NZ
  4. Keith Uber, Ubisecure
  5. Allan Foster, ForgeRock
  6. Andrew Hughes (Vice chair of identity assurance - non voting)
  7. Bob Sunday, individual

Note to all: Calendar feed from the Kantara site includes room codes

1. Minutes

Non-quorate call, no review of November call minutes.

Minutes taker: Keith Uber

2. Action Item review

Colin: update of the charter, submission to LC and approval - Complete (Waiting on editing rights to charter page)
-- Keith to contact Oliver oliver@kantarainitiative.org

Colin: manage response to eHerkenning Netherlands B2B SAML solution for consultation. Now closed, we did not get much feedback since October (Rainer's)

3. Report from Face to Face meeting, Washington DC

Trust framework/trust federation world is a new concept to recent Kantara joiners.

Colin: Terrific workshop, probably the best of that style Kantara has ever staged. "Stunning".

Ken: Good event, excellent discussion - interesting to see a complete 'suite' of identity federation stakeholders there.

20-25 participants
Approved identity providers: Experian, Symantec
Some 'prospective' IdPs: Lexis/Nexis, Daon, maybe Equifax
"2.5" assessors in the room.
Some assessors: KPMG, Electrosoft (and Deloitte, although Myisha representing the IAWG as Chair)
Governments: US GSA, Ken and Tim from Fed Canada, Colin from NZ
Also present: CA (Phil), ISOC (Karen), Ingo from DT, Dr Alterman for the IRB
Interesting mix of people
Non-government relying parties were missing
All agreed to try for focus group discussions with the RPs on the next workshop. The identity proofers, who already have all the RP customers, are the ideal parties to invite their customers to come and join the discussion.

The first day was broken into 4 topics:

The first topic was dedicated to trying to find equivalency between the not quite identical NIST 800-63-1, ISO 29115/ITU-T X1254 and the Kantara IAF v2.0. Relates also to the OASIS Trust Elevation TC's work which attempts to standardise approaches to raising trust to mitigate risk from using a weaker credential/LoA than a service/transaction is rated at. Rough gap analysis and discussion.
Kantara IAWG will try to draft out a mapping table.
Note that 800-63 is a set of US gov specs, instead of a set of requirements that need to be met (e.g. the Kantara IAF). 800-63 is missing comparability to requirements.
800-63-* needs to look at the requirements of these documents, not the specifications which are outlined in this document.
Lexis/Nexis working on timelines for standards on how to identify. Guides customers.

Prospective IdPs working on NASPO ID-V standard. Guides adopters how to identify, how to get increased assurance.

Anna is welcoming a closer engagement with Kantara, which is positive.
Canada is publishing a comparison document (through OASIS SSTC)
FICAM is working on a similar comparison document.

The second topic looked at the new Kantara IAF component option: identity and credential management as separate approval pieces rather than the IAF as a single piece.
FICAM has requested this. Experian and Symantec are the first 'couple' to be approved.
There was almost unanimous agreement on the need for a future discussion forum for the possibility of standardizing the interface between IDP and credential provider, so that when an IDP and credential provider want to cooperate, they don't have to come up with their own solutions every time. Ideally the interfaces can be assessed independently.
The aim is to reduce arduous integration projects. This may not necessarily be a technical API, but some kind of standardization is an absolute requirement.
The identity proofers don't want to give away any secrets on how proofing is performed, so less keen on extending the initiative as far as developing an API.
Identity proofers (Experian) may not be able to participate in a standardization call in order to protect trade secrets.

The Third day began with a presentation from Canada on pseudonymous design. Comparison of approaches between Canada, NZ and USA and how they separate different pieces of the transaction, so that no one party has all of the identification keys.
The Kantara IAWG sub group (Canadian gov, Andrew Hughes, Colin Souter, David Walsey) developed over the summer what they are calling the "decoupled binding approach".

  • How to separate the credential activities from the identity activities
  • Doing credential activities first and then bind identity or vice versa
  • More detail will come in the meeting notes, with a slide deck.
  • Were able to generate a generalized model showing the relationships between the individual, RP, IDP and credential provider.

Canada expanded on its pseudonymous design. Comparison of approaches of Canada and NZ (very similar) to the USA and how the former separate different pieces of the transaction, so that no one party has all of the identity information. FICAM seemed very interested in learning more and leveraging these experiences. Approach is consistent with FICAM future state thinking (Anil). Colin mentioned maybe in the FCIX Federal Cloud Identity Exchange
http://fcix.us/aboutus.html

Andrew sees next pieces of work:

...

Andrew will summarise his presented work and distribute to the group or through the event report being coordinated by Joni.
In summary: Good presentation, well received, more details to follow.
Neal (sp?) from GSA has already been asking about a date in February to meet again between governments and got through it.
The afternoon discussion also looked at individual deployments. FICAM was very interested in learning more and leveraging these experiences.

Meeting report is yet to be published but will appear.

4. Privacy Enhanced WebSSO

Report from Rainer

Work continues on non-traceability requirement / do not track provisions for WebSSO.

Rainer proposed the new work item to collect requirements, existing or planned solutions (see wiki for this new space).

So far Colin has uploaded some documents from the NZ deployment.

UK & NL contacted but pending responses.

...

Rainer is interested in consumer approach (EUStic). Is interested to hear how NZ/Canada justify their tight controls.

Andrew: Move the linking records to an outside party, such as a broker, which offers persistent anonymous ids to all parties. The SP doesn't know the actual credential.

Andrew: Under 800-63 this model is not possible, because the credential provider must know the identity.

Rainer to contact NL again.

Colin: Had seen earlier UK SAML profile from their identity hub (John Bradley was assisting with?).

Rainer: Steven Dunn shared it with us in October at the RSA conference. You couldn't implement the architecture with pure SAML.

Colin to contact UK for the latest documents of the UK SAML profile for their identity hub.

5. Reach out letter update

At the last meeting we put a call out for additional people to go on the list.

...

Once the new charter is published, Joni will email the prospective contacts. We have 25 or so. Target is 35 or more.

6. A.O.B.

Q: Proposed meeting in Feb to discuss US/Canada/NZ approaches
Next Kantara event: no date has yet been set, but maybe around RSA. RSA is last week of February.
NSTIC IDESG has been confirmed for 5,6,7th Feb in Phoenix, AZ. Govs may meet separately also in Feb.
European ID Workshop (IIW) will be in Vienna 5,6th Feb 2013 or a week after. Will be announced in the next couple of days.

7. Next Call

Next call Monday 7th Jan 2013.