  • Richard commented that in light of a FAL assessment, a CSP asked what happens if they're providing services under more than one federation agreement, because they can't be going through a full assessment every time they need to demonstrate that they fulfil the requirements of a particular federation.
  • Mark King recommended reviewing CCEB Publication 1010, PKI Cross-Certification Between CCEB Nations, available at https://info.publicintelligence.net/CCEB-PKI.pdf. The agreement addressed how the US Department of Defense, UK Ministry of Defence and various other players talk to each other when they have different laws. The document describes the deltas, so the participant could say "I'm joining this federation, here is the standard and here are my differences from that".
  • Richard: Are we trying to demonstrate in the assessment that they're capable of responding to federation agreement requirements, or that they meet each discrete federation agreement? And that's where it becomes unscalable.
  • Ken suggested that if a CSP goes through an assessment with a specific federation agreement, then if they need to go through an assessment with a second federation agreement, it's done purely on the deltas between the original reference agreement and the new one; we look only at the deltas.

  • Mark King added that the equation would include some generic start point plus the deltas.
  • Richard concluded that the two options would be: 1. The simpler choice is to change some of the criteria such that we require CSPs to have a policy demonstrating conformity against a federation agreement. 2. Draft a reference federation agreement and then review how they've managed the deltas from that reference agreement, and publish the deltas.

  • It was suggested to invite David Temoshok from NIST and Federal Agencies to this discussion.