...

Mark K. suggested that we might want to make sure that others developing national ID frameworks were at least aware of the new document, but said he had no other comments on the document. No one spoke up in favor of submitting comments on the document. 

Roger Quint said that it would be very useful to implementers of ID systems (CSPs and RPs) to be able to compare the characteristics of different frameworks and the extent to which they were interoperable or compatible. He wondered if Kantara had any plans to provide guidance like this, and also whether Kantara was doing anything to promote interoperability or compatibility between frameworks, including its own IAF. 

Mark K. said that some frameworks that are being developed simply made no mention of interoperation with other frameworks or how users other than their own nationals would be able to interact with services using their framework. He said Kantara had submitted comments to that effect.  

...

Martin asked Mark K. if he thought it was important for Kantara to weigh in on this proposal. Mark said that he merely wanted to bring this to the WG's attention as it is a formal proposal.  He added that if Kantara wanted to provide input, it might be better received if it came from or at least through Kantara Europe, based in EU Member-State Estonia. 

...

Ken D. suggested that "a defined risk profile" might work, which avoids implying that the types of risks that a control might create are limited to its performance on false positives and negatives. Others agreed that an open-ended look at possible risks is appropriate and that Kantara should not imply that assessors would perform quantitative analysis of a control's effectiveness. Richard W. observed that, as far as he could determine, NIST was supposed to have done such a quantitative analysis in developing the 800-63 standards, but that he believed that it had not been published, so there is not even a basis for that sort of determination that an alternative control is "comparable."

Roger Q. expressed concern that most customers (RPs) will not know how to judge the CSP's metrics on performance of their controls. Martin suggested that the RP would rely on the Kantara assessor's evaluation. One member asked if these alternative controls would be assessable. Another said the RP use-cases would be varied, possibly making assessment more complex. Another said that use-case variations should not keep a CSP from documenting and estimating a control's performance, and that the KI assessor's role would be limited to evaluating the CSP's evidence and justifications. Another expressed the view that this was not too much different from what is done now in IAF assessments.

...