Attendees:

...

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2023-01-05 Minutes

    • General Updates

    • Assurance Updates

  2. Discussion:

  3. Any Other Business

Meeting Notes

Administrative Items:

IAWG Vice-Chair Denny Prvu called the meeting to order. Roll was called. Meeting was quorate.

...

March 24 is the due date for all NIST comments on 800-63-4. Same date applies to PIV drafts 800-157-1 and 800-217. Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org. Specific questions from NIST can be found here.

Discussion:

Revision 4

The revision 4 wiki space has been updated with some important dates and links. Please keep an eye on it.

...

  • Very little discussion about equity and how that was achieved, and whether the standard is sufficient for it. The impression was that there wasn’t much interest or focus on it in the discussion at all. Issue with proofing: allow someone who was already proofed at the target assurance level to act as a local credential for the applicant. That person does not need to be employed by the agency or CSP. (noted by Mark Hapner, Michael agreed; Richard also addressed equity). Andrew noted that some questions can/should be formulated from this to shape up their thinking on this topic and allow us to query the basis for some comments. What do you see as the regulatory/legislative imperatives, and how do they intersect with 800-63?

  • The focus on biometrics is primarily as a means of unlocking the authenticator locally; when they start talking about biometrics captured by the service, the spec is weak from an equity perspective. (noted by Mark Hapner, Michael agreed).

  • The bar is too high for Level 1 when it comes to E&I, shutting out a significant part of the population. (noted by Michael).

  • The difficulty of parsing out the normative text, i.e. what a CSP is actually required to do, from the rest of the standard. Should we suggest how to edit? (noted by Richard). Andrew feels there is an internal struggle between writing a narrative for guidance versus explicit standards to follow. They’re stuck between prescriptive and objective; it needs to go further into the objective tone.

  • What is the perspective of the comments we are offering? Are we looking for clarity, since IAWG has to ultimately turn this into criteria? Then we need to ask for that: I see this requirement, how would I test this? I don’t know what you mean. We need to go beyond the text and ensure IAWG is prepared to write the criteria once published. (Jimmy noted).

  • As the levels have shifted as they have, did they leave enough room for non-government Kantara clients (who may or may not play in the government space) to work within these standards? (Jimmy noted). To extend this beyond the current NIST conversation, Andrew pitched that IAWG could write vertical profiles to 800-63 for those non-government CSPs (healthcare, etc.). That makes it clearer for Kantara customers to know what they need to meet. Richard believes that to pursue that, we need healthcare people involved in the writing of these profiles. Andrew agreed.

  • There needs to be sufficient clarity when they talk about different proofing types (Richard noted). A simple taxonomy of proofing types is missing, along with consistent use of those taxonomical names throughout the guidance. Be specific in the terminology and use it consistently throughout. Andrew agrees there is a lot of jargon in the text as a whole that needs to be noted for them.

Decision on how to respond to NIST calls for comment (PIV: 800-157 rev. 1 and 800-217)

Andrew believes we should seriously look at them and come up with some type of response to these drafts. Andrew Regenscheid is a common author on these two drafts and the revision 4 draft. If anything, it’s an area where IAWG can point out areas that might be conflicting with one another and not harmonizing with revision 4. Richard feels differently: if 63B is leaned on by PIV then there might be a case to pay attention to these documents, but currently there is only so much time in the day. Andrew reiterated that we should just read them, and if we have things to comment on, a way to do so can be determined.

Any Other Business:

The next scheduled meeting will be February 2, 2023.

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed; it is not our intent to overlook something!