Attendees:

...

  1. Administration:

  2. Discussion:

  3. Any Other Business

Meeting Notes

Administration:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

...

The group continued to work through issues raised by the ARB, assessors, etc. that must be resolved. Notes are in the document as well.

63A#0490 - #0580

Attached file: supervised remote identity proofing criteria.docx

Jimmy summarized the email exchanges about these criteria over the past week. Lorrayne & Maria cited some examples where supervised remote might show up in IAL2. This might impact how we think about these requirements. Richard suggested that Lorrayne, Jimmy, Maria, & Richard should huddle and make a determination on the criteria and propose that to the group at the next meeting. Lorrayne suggested looking at §3.2 for additional information.

63B#0600

Accepted the changes as proposed on issue tracker.

63B#1680

After a lengthy discussion over the NIST meaning, it was determined that only federal agencies are required to have digital identity acceptance statements (DIAS), though the rest of the source text in §5.2.10 is speaking to the broader service provider. It appears to be a split criterion where both the CSP and the agency have a part. Mike stated that according to 63B, the DIAS falls to the CSP to write. Lorrayne & Mike noted that §5.1 and §5.5 of the base volume have more about DIAS (agencies SHALL develop a "Digital Identity Acceptance Statement", in accordance with SP 800-53 IA-1 a.1) and contradict what 63B appears to say (the CSP SHALL... include this migration plan in its DIAS). Andrew summarized that item 4 in the NIST language is mis-categorized and we should alert them to this if it's not already a proposed change in the rev. 4 text. Lynzie will send an email to NIST regarding this. For our criteria, "the CSP" is changed to "Federal Agencies".

This issue made the group recognize that more attention needs to be paid to the base volume when creating rev. 4 criteria.

§6.1.2.2

It's not in scope because the SHALL in "Before binding the new authenticator, the CSP SHALL require the subscriber to authenticate at AAL1" is reliant on the MAY in the previous sentence. Richard proposed that the wording could be changed to "If the subscriber requested that the account be upgraded to AAL2... then the CSP SHALL" but doesn't know that it's worth it.

...

No change right now, but watch for use of control statements in rev. 4.

63B#1900

Richard thinks that "is obligated to do so" in part d) covers us not having to give notice to the subject. Jimmy noted that it appears d) isn't even part of the NIST text, just a Kantara-specific criterion. Richard mentioned it's because we have other clauses that say CSPs have to meet all legal obligations.

...