...

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2022-06-16 Minutes

    • General Updates

    • Assurance Updates

    • Requests to IAWG for Comment

  2. Discussion:

    • Assurance Program - finalize discussions

    • Process for addressing assessor/field reports on new methods not covered in 63-3

  3. Any Other Business

Meeting Notes

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. The meeting was quorate.

...

Mark King attended a Zoom session where Kay was part of the British All-Parliamentary Group on identity. He also mentioned a new paper, Paving a Digital Road to Hell, which he found an interesting read with insightful observations.

Discussion:

Assurance Program - Classes of Approval/Service Descriptors Continued

...

The next email topic of federation authority will take additional reading/research. Federation authority refers to what a federation would need to do - it is not the same as NIST 800-63-3C. C is about security of transitions - not authorities. Will revisit this.

There was a brief discussion on relying parties and the need to have them get officially ‘approved’ as a relying party through Kantara. Richard feels it’s unnecessary and Andrew can see his point. Mark King pointed out that it is a U.S. specific need as Europe has already established requirements.

...

Beyond Richard’s questions, IAWG needs to address how long we keep schemes available. Martin believes it will take us a large portion of that one year to publish our updated 63-4 criteria, so we might as well retire 63-3 approvals once our 63-4 is effective. Eric provided a use case where Classic approval is desired beyond ECPS as an argument for continuing to offer Classic. There is still an active market out there that wants Classic. Jimmy concurred. Andrew asked for a market use survey of the current CSP companies, and others broadly, to see if there is still a market for Classic. Michael suggested cutting ties with Classic at the implementation of 63-4 (2024 Q1) and publicizing that date in advance so people know it is coming. This is an open issue.

Process for addressing assessor/field reports on new methods not covered in 63-3

...

Martin suggested that the person proposing the alternate be the party responsible for asserting the comparison data. Maria agrees the problem is the lack of data and that there isn’t a good mechanism to get the data. There is an appetite for being able to have compensating controls evaluated independently by an organization. Andrew asked whether we have a sense of what that data is and where it might come from, and whether we could do a research project to figure out the baseline. Maria believes the idea would be that all agencies implementing NIST 63 standards should be required to collect data on the controls they’re using, the fraud they’re seeing and the reasons for the fraud, and report up so the data can be compiled there. Academic programs can only do so much for understanding what types of fraud can get through this type of system. Due to time, this will be held over to a future meeting.

Any Other Business