Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Attendees

Voting participants: Ken Dagg; Scott Shorter; José López;  Richard Wilsher 

Non-voting participants: Roger Quint, Martin Smith, Pete Palmer, Stuart Young.

Staff: Ruth Puente 

Quorum: 4 of 7. There was quorum.


Agenda

  1. Administration:
  2. Roll Call
  3. Agenda Confirmation
  4. Action Item Review: action item list
  5. Minutes Approval 2018-12-20 Meeting Notes
  6. Staff reports and updates - Director´s Corner
  7. LC reports and updates
  8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)

2.Discussion

a. Unisys comments on 63A_SAC and impasse on KBV approval for IAL2. Please see attachment.
b. Update on Identity Proofing and Verification Use Cases Discussion Group 

3. Any Other Business


Minutes Approval

2018-12-20 Meeting Notes were approved by motion. 


LC Report

Some announcements about inactive DGs and WGs in the next coming weeks. 


Unisys comments on 63A_SAC and impasse on KBV approval for IAL2

Please see Unisys Report here: RQuint-Unisys Kantara Service Assessment Criteria - KBV impasse for IAL2.docx

NIST Special Publication 800-63A (NIST spec text):  NIST.SP.800-63a.pdf

  • Roger presented the issue he has found in the 63A criteria related to the use of KBV. He commented that the NIST 800-63A specifications points to Section 5.3.2 to address KBV for IAL2. The heading specifically says: “The following requirements apply to the identity verification steps for IAL2…” 2. Kantara SAC version 3 does not carry the requirements of Section 5.3.2 allocated for KBV compliance (those items are marked n/a).

  • Scott said that one of the NIST objectives was that to define a level of assurance at which KBV was not sufficient, so that´s why KBV is not defined as strong, and you need at least one strong. So he believes it´s intentional. 

  • Jose added that KBV is used when you try to resolve a unique identity. 

  • RW commented that KBV applies to validation. He referenced section 5.3.1 Identity Verification Methods, which points to Table 5.3;  the second sentence says: “The CSP SHALL adhere to the requirements in Section 5.3.2 if KBV is used to verify an identity”. Appears to have an omission. We need to look at section 5.3.1. There is no mandate to use KBV so there is no KI specific criteria for it. He said that need to determine where and in what conditions KBV should be invoked. In Table 5.3 there is no reference to KVB in strong (only in fair).

  • IAWG agreed to reach out NIST and raise the issue to get their feedback. 


Update on Identity Proofing and Verification Use Cases Discussion Group 

Link about IDVP use cases: https://kantarainitiative.org/groups/idpvusecases/


Action items: Reach out to NIST and share the KBV issue to obtain guidance. 

  • No labels