We are scheduled to begin ISO 17065 certification. Two new lead auditors have started with a gap analysis to make sure the UK documentation will meet the 17065 requirements. The intent is to bring this accreditation to the US, so this will likely lead into a gap analysis against the US Assurance Program. UK business is slowly growing.
Kantara is also preparing for the spring conference season (May).
Assurance Updates
The ARB is lacking time to make handbook edits. Would IAWG be interested in tackling this for the Assessor/Service pieces (pending ARB permission)?
Andrew Hughes: let’s make the offer, noting that at times IAWG is too busy.
Lynzie will bring up to ARB, also noting that this may be work for a subcommittee.
Continued discussion on second criteria question #0180 (superior v. strong evidence) with a “tidied” updated version of Richard’s proposed alternative/comparable criteria (sent 2024.03.14, attached)
Overview, Identification, and Authentication Concept Maps from ISO SC 27/WG 5 (attached and in 2024 Meeting Materials)
Any Other Business
👥 Attendees
Voting: Andrew Hughes, Mark King, Michael Magrath, Yehoshua Silberstein, Jimmy Jung
Nonvoting: Jazzmine Dowtin, Eric Thompson
Staff: Kay Chopard, Lynzie Adams
Guests:
Quorum determination
Meeting is quorate when 50% + 1 of voting participants attend
Overview, Identification, and Authentication Concept Maps from ISO SC 27/WG 5 (attached and in 2024 Meeting Materials)
Andrew Hughes
Kantara has a liaison with ISO SC 27/WG 5 (scope: security of identity management, privacy technologies, and biometrics)
Andrew Hughes serves as a delegate to this group from Canada.
Current challenge: reaching agreement on what identity management processes cover
FIDO style v. info management (attributes) v. digital identity etc.
Definitions, concepts, etc.
Concept maps came out of an ad hoc group, as a potential, informal explanation/description for these topics and how they are interrelated.
Not looking to modify, just seeking confirmation that they are sensible/useful.
Overview - Enrollment Process Map
Relationship diagram for overall enrollment process (goal is to identify and register the entity)
Identification process goal: fully outlined in the identification process map
Association process goal
Entity association binding: outlined in the identification map
Authentication association/binding: outlined in the authentication map
Authentication process goal: determines whether the claiming entity is the same as the registered entity
Identification Process Map
Linking phrases are arbitrary
The debate is about what needs to appear in the map, not precise annotation: the aim is to record enough relationship information that, if a discussion about domain policies takes place, a quick understanding/reference is available for use in that discussion
High level
Registration process: not yet mapped out
Where do stolen identity/duplicate claimant/fraud issues fit in? Perhaps a resolution process? Should this be included in this map?
Authentication Process Map
Similar set-up to other maps (high-level, provides enough information to be a reference during discussion)
Core: involves verification and the challenges/outputs/data/methods associated with it
Process for “something is changing” on behalf of the user/subscriber?
e.g. travel notices
The ISO working group is diverse, with each member holding a fixed view of how identity management works. A goal of these maps is to offer a way to talk about the central underlying theme of exactly what they are trying to standardize
Challenges: outdated standards and lack of consensus
Which audience is this for? Is it for new people to learn/gain information, or for experienced people needing guidance/structure in arcane conversations? Both: a knowledge-sharing and localization tool
Maps can also be used to find gaps/missing links
Maintenance of identities? Is this being intentionally avoided? Would it be a separate concept map?
Conflicting views regarding identification:
Purpose of identification is to create a record of data pertaining to the entity that can then be shared with other authorized parties
Purpose of identification is to assign an authenticator or credential/certificate, which then represents the entity and allows them to be recognized when they return to a place
The data collected at enrollment is not the primary reason for identity.
Identity management:
Identity information management: info/attributes pertaining to an entity/individual (make as complete/accurate a list or registry as possible)
Identification and returning identification: technical process
Possible need for a map for administration/management/maintenance?
Information record for entity
Information standing behind an authenticator or credential
S3A criteria (Assurance Program considerations)
Jimmy Jung
Seeking to lay down structure/standards/workflows to increase ARB’s understanding of the systems that are under review and increase consistency within the program
Possibly introduce requirements for providing more detail by augmenting the S3A template
Screen share information:
The Cyberdyne Skynet service supports the following configurable workflows:
Unsupervised remote proofing at IAL2 (leveraging Experian)
Supervised remote proofing at LOA3 and IAL2 (webcam proofing)
Supervised In Person proofing at LOA3
The Cyberdyne Skynet service requires the following evidence types, as defined in SP 800-63-3:
1 STRONG and 2 FAIR (leveraging Experian)
2 STRONG
The Cyberdyne Skynet service supports multifactor authentication using passwords and one of the following:
Out-of-Band Device using SMS or Voice One-time Passwords
Single-Factor OTP Device using a Time-Based One-Time Password Application (TOTP)
Single-Factor Cryptographic Software using the Authy mobile authentication application.
FIDO based authentication is being considered for future implementation
The Cyberdyne Skynet service performs authentication using the following protocols:
SAML
Jimmy: 63B#0120 is pulled directly from 800-63B and “requires verifiers to meet FIPS 140 Level 1 or higher”. However, FIPS 140 criteria have mostly been avoided by the Assurance Program. What do they want here? That cryptographic authenticators should meet FIPS 140?
✅ Open Action items
Andrew Hughes will prepare a cover letter thanking them for the opportunity to provide feedback and send it off prior to the deadline. He will share the letter with IAWG afterwards.