
...

Ken  reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Requests can be sent to Ken D or Kay C.

Discussion:


Finalize proposed criterion language regarding "comparable alternative controls."  

Ken noted that in the absence of Richard Wilsher we would not likely be able to finalize the text for comparable alternatives, but asked the WG for any reaction to Jimmy Jung's email sent to the list today. Referencing the draft language for KI criterion 63A#0177, part (f), Jimmy proposed that "we might rather 'inform service's clients/consumers' than just 'make available to the service's clients/consumers'

...

" the results of the CSP's determination of comparability of an alternative control.  After some discussion, Ken suggested the following language: 

(f) "Inform, directly or through a direct link,

...

For Component services: CSP is using the CSP. "or uses a component that does" 

KD: if a CSP makes a subst change they must inform the ARB. Component switch would be a significant change.  MK: I would not consider that subst, necessarily. 

RQ: we want to foster competition in the market. 

KD: close off. 2 changes to be sent to Richard

the service's clients . . ." 

A question was raised as to how the (CSP) service's (RP) clients would be made aware of the use of an alternative control if the CSP's service incorporated a component service that used an alternative control. Ken proposed that the main text of the criterion 63A#0177 be revised as follows:

63A#0177 "If the CSP implements, or incorporates a component service that implements, comparable alternatives . . ."

The WG briefly discussed whether, if a CSP were to replace one component service in its offering with another (Kantara-certified) service, that would require recertification of the CSP's service. Ken stated the view that any change to a certified service would have to be notified to Kantara, and the ARB would determine if the change would require recertification or perhaps some lesser level of review. He thinks that replacement of a component service with one that incorporated a comparable alternative control would be considered a significant change in the CSP's service.

Ken closed the discussion of this item noting that he would bring the revisions discussed today to Richard W's attention so that any issues he might identify with the language could be resolved at the next IAWG meeting. 

Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).

RQ: were going to consult with RW and Kay present.  

KD:  postpone.

Short answer "no" but discussed clarification. 

Varun:  easy dynamics.  familiar with PAD. wondered what KI was thinking. 

RQ:  63-3b  "should" And 90 percent. 

KD:  again let's wait. 

...

Roger Q. noted we wanted to discuss this matter with both Richard W. and Kay C. present.   

Ken D agreed and said we will have to postpone wrap-up of this issue since neither is present today.

Martin S. asked if Ken thought it was definite that we would want to include some change to the existing Kantara criteria in the package we are currently preparing. Ken said the short answer is "no." 

Ken went on to provide a brief summary of the origin of the issue and discussion to date. The initial impetus for consideration of the issue was a question from Phil Lam at GSA to Kay C. He asked if Kantara required the use of PAD for certification of conformity with 63A. Kay owes Phil a response, and the basic answer is "no," but we wanted to review the issue first to see if we might want to clarify or elaborate the language of the relevant criterion.  Since Kay's meeting with Phil, there have been some email exchanges between Richard W and Ken, but Ken feels further discussion within the WG is needed. 

Varun L said he is familiar with PAD and was wondering what Kantara was thinking. Roger Q. noted that although NIST 800-63-3 does not explicitly require use of PAD ("SHALL"), it does specifically recommend its use in remote proofing ("SHOULD") and even specifies the level of assurance that PAD should attain. 

Ken D. agreed that it seems that NIST strongly recommends use of PAD and might make it a normative requirement in 800-63-4.  However, he noted that Kantara does not add requirements beyond those that NIST specifies, so we would not want to make use of PAD a SHALL in our criteria unless NIST does. 

He added that we really have to wait to discuss this with Richard W. and Kay C. present at our next meeting. He noted that we want to submit the consolidated criteria change package (with or without added PAD-related language) no later than the end of August to have it published by the end of November or very early December. We should therefore meet in one week and plan for another meeting the following week to be sure to finish the work.  

Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.

kick to 19th

...

Ken said that Richard W. has a spreadsheet of these proposed non-substantive changes, so in his absence we would postpone this discussion to the next IAWG meeting as well. 

Other Business:

Next Meeting: August 19, and then 26. In addition to the items noted above related to finalizing August 26 if necessary to finalize the criteria change package, we hope to get a report from ED Kay C. on her outreach to her contact at the UK Digital Identity program. for submission to Kantara review.

Ken adjourned the meeting at about 1:51PM US Eastern. 

...