
Attendees:

Voting Participants: Mark King, Mark Hapner, Richard Wilsher, Ken Dagg, Martin Smith

Non-voting participants: Tim Reiniger, Roger Quint, Pete Palmer

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was quorum.


Agenda


1. Administration:
a. Roll Call
b. Agenda Confirmation
c. Minutes Approval 2021-03-18 DRAFT Minutes

2. Discussion

a. Review NISTIR 8344 (Ontology for Authentication) 
b. NIST open discussion issues in light of SP 800-63 rev.4.

3. Any Other Business



Minutes Approval

2021-03-18 Minutes were approved by motion. Moved: Mark Hapner. Seconded: Martin Smith. Unanimous Approval. 


Comments on NISTIR 8344 (continuation from last meeting) 

  • Link to the document: https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8344-draft.pdf 
  • Deadline to comment: April 9, 2021
  • Martin suggested that for identity context it would be better to use the term "reliance" instead of "trust". 
  • Martin commented that we should request the clarification of some of the base terms, such as accountability and trust and maybe provide examples regarding the definitions to avoid overlaps and confusion. In addition, Ken pointed out that we should ask why they didn't use existing standards definitions.
  • Ken said that the limit of the acceptable risk and the consequences for violating that risk are considered in a trust framework, so the parties can conduct business over the internet.
  • Richard pointed out that a trust framework is different from a federation. For instance, a credit card system is a federation where there are known players and known rules for playing; a closed group which you have to fulfil requirements to join. However, a trust framework is established without knowing who all the players are, but applicants go through a test and come out with some kind of positive flag called approval that shows that they've met certain requirements. 
  • The group agreed to ask NIST to define the terms of the relationships between those terms that would enable the establishment of a trust framework that can support the establishment of a federation or operation of the federation. It should also be pointed out that the terms are not sufficiently rigorously defined.
  • Ken will provide a draft of the final comments next week.


 NIST Open Discussion Issues regarding rev.4 

  • Ken commented that NIST has provided a list of open discussion issues in light of revision 4, available at https://github.com/usnistgov/800-63-4/issues 
  • The deadline to comment is May 15, 2021.
  • Ken encouraged the group to review the list of issues and prepare comments for next week. 


AoB - Federation Agreement (63C)

  • Richard commented that, in light of a FAL assessment, a CSP asked what happens if they're providing services under more than one federation agreement, because they can't go through a full assessment every time they need to demonstrate that they fulfil the requirements of a particular federation.
  • Mark King recommended reviewing CCEB Publication 1010, PKI Cross-Certification Between CCEB Nations, available at https://info.publicintelligence.net/CCEB-PKI.pdf. The agreement addressed how the US Department of Defense, UK Ministry of Defence and various other players talk to each other when they have different laws. The document describes the deltas, so the participant could say "I'm joining this federation, here is the standard and here are my differences from that".



