2017-08-24 Minutes

Attendees

Andrew Hughes

Mark Hapner

Scott Shorter

Aakash Yadav

Denny Prvu

Jenn Behrens

Colin Wallis

David Temoshok

Richard Wilsher

Nathan Faut

Ruth Puente 


Key discussion items

  • Aakash commented on the Excel sheet he sent to the mailing list, a NIST breakdown of the normative sections of A, B and C, which can be used to further break the guidelines down into individual Shall and Should statements.

Document shared by Aakash: NIST 800-63 breakdown.xlsx

  • Andrew commented that he converted the markup files from NIST that are available on GitHub to DocBook format (an XML-based document structure), which has the features we need. He plans to include structural elements in the 63B document. With this tool we can tag up the text and publish it in whatever presentation format we would like (HTML, etc.). It creates a master document, so we can work on it in chapters.
  • Richard said that what Andrew showed gives us the potential to manage our re-expression of the NIST requirements in a more convenient, readable form. He asked Andrew to take the document, turn it back into Word and produce a line-numbered version for reviewers to look at. Andrew clarified that the version was taken directly from GitHub, from the NIST markup files, and not from a Word format.

  • Richard added that this is a development tool in which we can put simple statements that CSPs have to meet and that assessors have to determine have been met. He questioned why we would want to keep the NIST text if we want to drive a set of criteria of our own. We can retain the relationship with the original text, but we should focus on creating criteria.

  • Richard commented that, on behalf of ID.me, he offers to take the editorship role in the subgroup work for producing the KI criteria for IAL2 and AAL2 of 63A and 63B. He explained that CSPs interested in 800-63-3 will be considering those functions and assurance levels in the medium term, and if others want AL1 and AL3 there will be a proofing path to do it. He encouraged the group to move forward, taking the NIST text and producing applicable criteria from it. He also commented that Paul Grassi is producing some errata for 63-3, and asked him to give input before Thursday next week.

  • Mark suggested creating an informal glossary of the tagging strategy.

  • Colin asked Richard to share his work with the group before the next call. Richard commented that he has been working on the 63A criteria for IAL2 and AAL2 and was not sure whether he would have time to provide his contribution before the 31st due to other commitments. Scott said that he would work with Richard to provide something for the group.

  • Mark raised the issue of CSP versus RP requirements. Richard commented that it is more difficult to justify an assessment process for an RP, and clarified that CSPs have a privacy policy with the conditions and options for consenting to how your information will be used.