Attendees

Voting Participants: Ken Dagg; Richard Wilsher; Mark Hapner; JJ Harkema; Martin Smith

...

Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum.

Agenda

Administration

  1. Roll Call
  2. Agenda Confirmation
  3. Action Item Review: action item list
  4. Staff reports and updates - Keeping up with Kantara February 2020 and January Director's Corner
  5. LC reports and updates
  6. Call for Tweet-worthy items to feed (@KantaraNews)

...

  1. ARB issue on Classic OP-SAC with regard to phishing attacks (AL3_CM_CRN#040 Token strength and AL3_CM_CRN#050 One-time password strength).
  2. DIACC Call for Comments: PCTF Organization component (Trusted Processes and associated Conformance Criteria that establish an Organization exists, is real, unique, and identifiable) for review by March 19th
  3. Review UK Government Digital Service document - Using authenticators to protect an online service.
  4. Develop Kantara Service Assessment Criteria for NIST SP 800-63C.

Any Other Business 

Discussion

ARB issue on Classic OP-SAC with regard to phishing attacks (AL3_CM_CRN#040 Token strength and AL3_CM_CRN#050 One-time password strength).

  • Ken suggested that some guidance could be added to be a guide to CSPs on what to be wary of, but he does not know how much value that would provide. Richard added that the CSP should closely follow the evolving landscape around phishing within this authentication technology.
  • It was argued that advice is not a particularly good thing; either it is a requirement, or it is not.
  • It was commented that the CSPs are relying on Kantara, at some level of generality, to keep an eye on whether the framework is offering a protection. Richard answered that if Kantara was to catch something which would say use of appropriate phishing new system authentication technologies, in the outside there is and this criteria that are referenced, that potentially the scope to include if there is a list of things to be done (and there are in some places) it could be added in there. There is a list of factors which needs to be taken into account; Kantara could add a specific requirement in there that might be more concrete. But it is not the intention to be putting guidance; the idea is to make an assertive statement and then the assessors are able to make the judgement against it. The CSPs can use judgement on how they will respond to that requirement in terms of assessing the risk and applying controls against it.
  • JJ pointed out that 800-63-3 talks about the strength of authentication, and part of that has to do with the quality of the secrets that are used to authenticate an individual; therefore some of those secrets are more difficult to compromise than others. Now they all have their little risks, and so from an 800-63-3 perspective, they try to stack up a few of them rather than relying on a single one, mainly for proofing, he guesses. They are assuming for authentication that you are giving someone a strong secret; he thinks that the biggest issue today is that secrets are easy to compromise: they are easy to use and also easy to compromise. All of those are not the strongest, and thus the issue for CSPs is what motivates them to continue to move and improve the quality of the authenticator that they give people once they have been proofed. For him this is the issue: what is motivating the industry to move forward to provide stronger authenticators.
  • It was added it is the motivation, but it is also the fear of losing part of it. The motivation to not do it in the moment is stronger than to implement it.
  • It was mentioned that, going back to the immediate problem, it could be looked at here by adding an item g) to the AL3_CM_CTR#020 criterion, related to phishing attacks explicitly. JJ argued that the problem is that if you mention a particular threat like phishing, there is a range of things that can be done potentially to mitigate that, but the most important thing you could do is to use an authenticator that is very difficult to phish. It was responded that it is up to the CSPs to make the determination.
  • It was agreed that, in order to satisfy the ARB's concerns, a phrase will be added to item g) in the list of AL3_CM_CTR#020 Protocol threat risk assessment and controls.
  • The text to be added will be prepared; it will probably be reviewed by e-ballot through the next meeting.

Action item: To add a phrase to item g) in the list of OP SAC AL3_CM_CTR#020 Protocol threat risk assessment and controls.

DIACC Call for Comments: PCTF Organization component (Trusted Processes and associated Conformance Criteria that establish an Organization exists, is real, unique, and identifiable) for review by March 19th

...