Attendees
Mark
Andrew
Richard W.
Nathan
Scott
Key discussion items
...
- It was discussed what we are trying to produce
...
AH straw man is this we are trying to produce?
...
- in the sub-group.
- Andrew shared a straw man on 63B (Section 5.1.7) and asked the group if this was the right direction of the work.
Kantara Initiative Mail - [SG-800-63-3
...
Next week further what we are
...
...
assessment guide is that we are trying to create?
So the attached doc is a first attempt to produce assessment criteria against the specified requirements in one section of 63B: s5.1.7 Single-Factor Cryptographic Devices.
On the left I've copied the text from 63B.
On the right I've written a bunch of questions that must be answered to determine if the stated requirement from the left has been fulfilled.
There might be additional instructions to the assessor on what evidence is needed to support the answers on the right.
Criteria versus the question approach
...
- analysis ACH.docx
- There was a general consensus that the straw man was not what the group is trying to achieve and produce.
- It was commented that the outcome of the group, should enable an assessor to assess that a CSP meets 800-63-3.
- Andrew said that if our objective is to strict evaluate conformity to the requirements stated
...
- in -63, we should produce an assessment guide and instructions to some extent
...
- in order to have assessors assess in a similar ways and come to similar conclusions.
...
- Richard W. stressed that it is not only
...
- a set of criteria which defines what is required
...
- , but discrete statements and evaluate if they need clarification.
Assessors need into this process?
RW Determine making a claim that meet the requirements conformity or not.
- Richard W. pointed out that assessors´s concern is that when reading the statement with SHALLs
...
- determine that the provide to the service meets the requirements, there might be a policy or practice statement
...
- .
- Mark
...
- commented that it would be good to structure the claims in a useful way.
- Richard W. suggested to break the source doc. down, identify the requirements text and make a number of discrete
...
- statements.
...
- For example in 5.1.7.1 there are 4 discrete requirements
...
- , so the CSP
...
- is aware on what
...
...
- they need to show to be compliant.
- Scott highlighted that we should focus on criteria clearly identified list of what are the sets of requirements, get them all clearly articulated so that can be evaluated or assessed.
...
- We need to use a structure to formally express the content that can be evaluated in a rigorous way.
63-3 specific we are going 62-3 OP SAC as the ongoing international -3 approval process
- Richard W. commented that the current IAF SAC is beyond 800-63-2 in order to provide a more international approach.
- In this sense, it was said that we should focus on 63-3
...
- beyond just
...
- FICAM circle.
...
Should not
...
-
- Scott reminded the group that in this phase we need to identify and document the requirements.
Action items
- Mark to document and create a directed graph with optional and required edges on it that describes the spec
...
- (with JSON-LD)
...
- Andrew Hughes
...
- to break down
...
- 63B
...
- Scott
...
- to break down 63C
identigy and document the requirements.
AUDIO/VIDEO FILE
...
| Widget Connector | ||||||
|---|---|---|---|---|---|---|
|