
Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King, Richard Wilsher

Non-voting participants: Roger Quint, Varun Lal, Chris Lee, Jimmy Jung

Staff: Kay Chopard

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-08-12)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion 
    1. Finalize proposed criterion language regarding "comparable alternative controls."  
    2. Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD.) 
    3. Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.
  3. Any Other Business and Next Meeting Date

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at about 1:04PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval:  Mark King moved approval of the draft Minutes of the IAWG meeting of Aug 12. Richard W. seconded. The minutes as distributed were approved unanimously.

Staff reports and updates: ED Kay Chopard – New APM Lynzie Adams starts next week on Monday. Hope she will be on the next IAWG call. Kay invites anyone to offer suggestions re: any Kantara issues, strategy, etc.

LC reports and updates:  Ken – The LC met yesterday. There was a discussion of the appropriate scope of activity of Kantara WGs, DGs. Results to be communicated to all when guidance is finalized. Ken says IAWG's activities seem to be well within our appropriate scope. 

Ken  reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Requests can be sent to Ken D or Kay C.

Discussion:

Finalize proposed criterion language regarding "comparable alternative controls (CACs)."

Ken invited Richard W. to comment.

Richard thinks "make available" discussion last week (which he reviewed via the recording of the meeting) was off-target. The term "make available" has been used for a long time in Kantara criteria texts, and has not caused a problem. The principle is to tell assessees what must be done, not how to do it. 

Martin S. – In proposing a more pro-active approach, I think we were taking account of NIST's David T's reported view, that use of an alternative control should be an explicit client (i.e., RP) risk decision taken at the executive level, and that Kantara should not appear to be endorsing the service-provider's assertion that an alternative control is "comparable."

Richard W. – But Kantara can't make the RP do something. We might further ensure the RP's attention via things we already do, like requiring a statement of criteria applicability; we might also consider requiring that use of a CAC is at least noted in the publicly publishable part of the SPA, which Kantara will publish.

Martin S.:  Assuming we do want to take account of David T's viewpoint, it seems we need to find some way to make sure the RP is specifically alerted to the use of a CAC. 

Ken: Should we add to the criterion that the RP acknowledge receipt of the CAC information? Jimmy J. – That would not be possible or effective; the RPs won't read it. But if KI provided notice, we would have done all we can.

Ken: Given this discussion, is it OK with everyone to go with "no change"?

Jimmy J: Can we put in the "Notes" column of the criteria spreadsheet that we (KI) are going to publish the fact of CAC? If we do something unusual, we need to make sure they (the RP) know about it.

Richard W: Maybe modify the "make available" language: publish how you determined the CAC and the configuration requirements to make sure it is a CAC. The fact of use in the S3A could be noted.

Ken: With that addition, is the group OK with this resolution?

Mark H: OK with current language; my concern is that the concept of "comparable" is so poorly defined in 800-63-3 that it is hard to reason about how an assessor should proceed.

Richard W:  We did try in sub-clause a-c to add some specificity.

MH:  They (NIST) don't define criteria or what information should be communicated. I am still uncomfortable, but don't see what else we can do. 

RW: Without any documentation of the NIST risk assessment for the specified controls, how can an assessor establish "comparable"? Difficult situation.

KD: This implies that the service provider has to provide its own analysis of the effectiveness of the regular NIST control, in order to have something to which the proposed alternative can be compared. 

KD: Moves to approve language for the package; seconded by Mark Hapner.

KD: Approved without objection or abstention. 

Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).

Ken D. invited Kay C. to provide background on the exchange with Phil Lamm of GSA.

KC: The background is just the one short email question, and Phil has not followed up on it in other discussions since then. The subject of the email from Phil (cc: David T.) was "Kantara's view on facial biometric comparison and PAD as a 63-3A IAL2 requirement." The text says that 63-3A IAL2 does not have a normative requirement for use of PAD for IAL2 remote, but that NIST's Implementation [sic] Guidance does require it. Does Kantara require use of PAD at IAL2 remote?

(cc David T: Subj. K view of 63-3A IAL requirement.)

RQ: NIST does not require PAD currently; thought the letter might be asking if KI was doing anything more.

MK, MH motion – approved:

To change the SAC in 63A and 63B to reflect the optional nature of PAD, and if used, to assess as indicated.

Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.

KD: Asks Richard to confirm misc. changes.

RW: Can be ready for next week. Five sets of errata.

KD: Will vote next week to complete the package for submission.

Other Business:

MK: Any further UK response? KC: Still on holiday. Allison did respond from vacation and will connect next week. MK: Add to agenda for next week, please.

KD: Australia? KC: Did have a 1-on-1 with Jon Thorpe, a very high-level official. Supportive of Kantara's goals for interop, and they are also using NIST standards. Hoping companies don't have to go through the same process multiple times for different countries. Looking for KI to provide some leadership in these areas. KD: Excellent; this may influence other countries.

RW: Just modified criteria (for PAD?) – sanity check of the revised language. Ken OK with it, JJ too, but would like to have KI "lean forward a bit to credit companies who implement it." KD: We can vote next week.

Next Meeting: August 26 to finalize the criteria change package for submission to Kantara review. 

Ken adjourned the meeting at about 2:01 PM US Eastern.