...

Mark K. suggested that we might want to make sure others developing national ID frameworks were at least aware of the new document, but said he had no other comments on the document. No one spoke up in favor of submitting comments on the document. 

Roger Quint said that it would be very useful for implementers of ID systems (CSPs and RPs) to be able to compare the characteristics of different frameworks and the extent to which they were interoperable or compatible. He wondered if Kantara had any plans to provide guidance like this, and also whether Kantara was doing anything to promote interoperability or compatibility between frameworks, including its own IAF.

...

Martin agreed that a "side-by-side" comparison of multiple frameworks would be very useful and likely itself promote some convergence of the frameworks. He added, however, that the effort to create and maintain such an artifact would require a substantial effort, beyond the resources of a volunteer WG. Financial sponsorship would be required. Another member said he believed that Colin Wallis may have in fact sought to find a sponsor. Martin said that in submitting comments on various frameworks Kantara has also consistently

  1. Mark K – may want to make others aware. No other proposal for comments.
  2. RQ: are we going to be compatible. MK: many are simply missing international issue. K has commented along those lines.
  3. JJ: Joni's thing? Is DIACC going to KI type service. RQ: Value of framework to end-users - would enhance service to side-by-side. Would need paying sponsor for KI to do that.

...

consistently recommended that they provide for independent assessment and certification of conformance of participating service providers (principally CSPs) with the framework's standards and service-operations rules, i.e., the kind of assessment that Kantara provides against the Kantara IAF.   


Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity

...

Martin asked Mark K. if he thought it was important for Kantara to weigh in on this proposal. Mark said he merely wanted to bring this to the WG's attention as it is a formal proposal.  He added that if Kantara wanted to provide input, it might be better received if it came from or at least through Kantara Europe, based in EU Member-State Estonia. 


Continued consideration of 'comparable alternatives': discuss revised DRAFT Kantara criteria/process (Wilsher), and next steps 

Richard presents and reviews proposed revisions to draft "Alternative Controls" process.  

Goal is to achieve an

Ken Dagg and Richard Wilsher having joined the meeting, the WG resumed last week's discussion on this topic. Richard shared his draft Kantara "comparable alternative controls" with updates made following last week's WG discussion.

Richard suggested that the goal of an alternative control might be described as an appropriate balance between false positives and false negatives, or some way the CSP could express the risk accepted by using the alternative control.

JJ: seems we should be either less or more specific. 

KD: How about "risk profile is defined"?

MH: not good to talk about false negatives. Has to be a way to resolve "false negative."

KD: But are there other types of risk. Those need to be documented as well as fp/fn.  A "risk profile" 

RW: CSPs might provide a slide control on FP/FN. He added that he was not yet satisfied with this formulation.

Ken D. suggested that "a defined risk profile" might work, which avoids implying that the types of risks that a control might create are limited to its performance on false positives and negatives. Others agreed that an open-ended look at possible risks is appropriate and that Kantara should not imply that assessors would perform quantitative analysis of a control's effectiveness. Richard W. observed that as far as he could determine, NIST had not done such quantitative analysis in developing the 800-63 standards, so there is not even a basis for that sort of determination that an alternative control is "comparable."

RQ: pushback. When RP gets CSP metrics, they will not know whether to believe the CSP. Martin: that's K assessor's job.

...