
...

Mark K. suggested that we might want to make sure that others developing national ID frameworks were at least aware of the new document, but said he had no other comments on the document. No one spoke up in favor of submitting comments on the document. 

Roger Quint asked 

  1. Mark K – may want to make others aware. No other proposal for comments. 
  2. RQ: are we going to be compatible? MK: many are simply missing the international issue. K has commented along those lines. 
  3. JJ: Joni's thing? Is DIACC going to a KI type service? RQ: Value of framework to end-users - would enhance service to compare side-by-side. Would need a paying sponsor for KI to do that. 

...

said that it would be very useful to implementers of ID systems (CSPs and RPs) to be able to compare the characteristics of different frameworks and the extent to which they were interoperable or compatible. He wondered if Kantara had any plans to provide guidance like this, and also whether Kantara was doing anything to promote interoperability or compatibility between frameworks, including its own IAF. 

Mark K. said that some frameworks that are being developed simply made no mention of interoperation with other frameworks or how users other than their own nationals would be able to interact with services using their framework. He said Kantara had submitted comments to that effect.  

Martin agreed that a "side-by-side" comparison of multiple frameworks would be very useful. He added, however, that to create and maintain such an artifact would require a substantial effort, beyond the resources of a volunteer WG. Financial sponsorship would be required. Another member said he believed that Colin Wallis may have in fact sought to find a sponsor. Martin said that in submitting comments on various frameworks Kantara has also consistently recommended that they provide for independent assessment and certification of conformance of participating service providers (principally CSPs) with the framework's standards and service-operations rules, i.e., the kind of assessment that Kantara provides against the Kantara IAF.   


Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity

...

Martin asked Mark K. if he thought it was important for Kantara to weigh in on this proposal. Mark said that he merely wanted to bring this to the WG's attention as it is a formal proposal.  He added that if Kantara wanted to provide input, it might be better received if it came from or at least through Kantara Europe, based in EU Member-State Estonia. 


Continued consideration of 'comparable alternatives': discuss revised DRAFT Kantara criteria/process (Wilsher), and next steps 

Richard presents and reviews proposed revisions to draft "Alternative Controls" process.  

...

Ken Dagg and Richard Wilsher having joined the meeting, the WG resumed last week's discussion on this topic.  Richard shared his draft Kantara "comparable alternative controls" with updates made following last week's WG discussion. 

Richard suggested that the goal of an alternative control might be described as an appropriate balance between false positives and false negatives, or some way the CSP could express the risk accepted by using the alternative control.

...

JJ: seems we should be either less or more specific. 

KD: How about "risk profile is defined"?

MH: not good to talk about false negatives. Has to be a way to resolve "false negative." 

KD: But are there other types of risk? Those need to be documented as well as fp/fn. A "risk profile" 

RW: CSPs might provide a slide control on FP/FN. 

...

He added that he was not yet satisfied with this formulation. 

Ken D. suggested that "a defined risk profile" might work, which avoids implying that the types of risk a control might create are limited to its performance on false positives and false negatives. Others agreed that an open-ended look at possible risks is appropriate and that Kantara should not imply that assessors would perform quantitative analysis of a control's effectiveness. Richard W. observed that, as far as he could determine, NIST was supposed to have done such a quantitative analysis in developing the 800-63 standards, but that he believed it had not been published. 

Roger Q. expressed concern that most customers (RPs) will not know how to judge the CSP's metrics on the performance of their controls. Martin suggested that the RP would rely on the Kantara assessor's evaluation. One member asked if these alternative controls would be assessable. Another said the RP use-cases would be varied, possibly making assessment more complex. Another said that use-case variations should not keep a CSP from documenting and estimating a control's performance, and that the KI assessor's role would be limited to evaluating the CSP's evidence and justifications. Another expressed the view that this was not too different from what is done now in IAF assessments. 

Ken D. noted that the scheduled meeting time had expired and suggested a summing-up of the WG's conclusions at this point. 

Richard W. offered the view that the CSP should review all the mitigated and residual risks of an alternative control, including any new risks created by the control. This analysis is documented. The CSP's top management is aware of the use of a comparable alternative control, and the CSP does in fact deploy the control. The CSP is required to make any RP client aware of the use of the alternative control and advise it of any extra procedures or configuration adjustments needed because of the new control. He added that we don't want to specify hard numbers for the performance of a control in our criteria.

A member asked if the specification of the control and related documentation would be available for re-use by other CSPs. Several members agreed that the architecture of the alternative control and the associated assessment documentation should be considered proprietary to the CSP that developed it, but that re-use might be achieved by licensing or other agreement with the developer, or perhaps even by the developing CSP offering the control as a service component on a SaaS basis. One member wondered if it might hurt the Kantara "brand" if it became known that a service had somehow been certified without meeting the 800-63 requirements. However, another member observed that existing Kantara requirements for publication of information about successful certifications would let other CSPs or interested RPs know that a "comparable alternative control" had been included in the certified CSP service offering, as permitted by NIST. 

As for next steps, Ken D. said that once we get Richard's draft finalized, it would go through the standard Kantara process for making "material" changes to the IAF criteria. This process takes about 70-90 days in total. 

Richard W. added that we have a number of minor (probably all "non-material") changes to the criteria that should be bundled with this one so as to avoid burdening reviewers with multiple rounds of review. 

Richard also noted that he would be unavailable for IAWG work for three weeks starting next week, and suggested that another member take over as IAWG Editor to keep the process moving forward. Ken D. agreed to fill in for Richard as Editor. 


4. Component Service Consumer criteria

Not discussed. 


Other Business:

Next Meeting: 

Ken D. proposed that, given an otherwise light agenda, we should skip next week's IAWG meeting and meet next on July 29th, and then plan to meet two weeks after that (August 12th). Ken closed the meeting at 3:18 PM.

---------------------

Martin's raw notes


RW: don't want to include hard number in criteria

KD: is this stuff assessable? 

...

KD: not meet next week, then again two weeks after

29th of July. 

2:18 PM

4. Component Service Consumer criteria

Other Business:

Other topics on the agenda deferred to the next meeting.

————————
Next meeting July 22, 1PM US Eastern as usual. 

Ken D closed the meeting at ?.