Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Chris Lee, Roger Quint

Staff: Kay Chopard

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-07-15)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion 
    1. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. 
    2. Discussion of GSA question about Kantara criteria referencing "presentation attack detection" (PAD) , and possible clarification of the relevant Kantara criteria. 
    3. Decide if IAWG should respond to a public consultation on a new (July 19) UK Government Cabinet Office draft paper on "Digital identity and attributes", response due 13 Sept
  3. Any Other Business and Next Meeting Date

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at about 1:06PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval:  Mark King moved approval of the draft Minutes of the IAWG meeting of July 15. Mark Hapner seconded. The minutes as distributed were approved unanimously.

Staff reports and updates: ED Kay Chopard – Lynzie Adams hired to replace Ruth P, currently in training, and reporting Aug 23 on a full-time basis. Should be able to provide some support for IAWG. None of the candidates interviewed were expert on topics specific to the Kantara assurance program such as NIST 800-63, but Lynzie is well qualified and a fast learner. 

LC reports and updates:  Ken again recommended that WG participants have a look at the P&I DG's very thorough mDL Report. He noted that that DG is being archived and a new WG is being chartered to carry on the work.  Ken also mentioned that the FIRE WG is preparing a grant proposal. If that is successful, IAWG may be asked to help create an new set of assessment criteria. These would be the basis for certification of commercial consumer applications as capable of meeting HHS/ONC requirements for processing patients' PHI downloaded from electronic medical records (EMR) systems. 

Ken  reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities and via the @KantaraNews Twitter handle. Or send to Ken D or Kay C.

Discussion:

Ken suggested reversing the order of the Agenda's discussion items to address the decision items first. 

c.  UK Government Cabinet Office draft paper on "Digital identity and attributes", response due 13 Sept.--Ken asked for WG views on whether and how IAWG should respond. Mark King noted that the paper did not address the issue of most direct concern to Kantara, namely whether the UK framework would include a process for certification of scheme participants (mainly CSPs.) Given that, he suggested the WG wait and see if an opportunity to address this issue might present itself. Ken D. wondered if Kay C., using the occasion of her appointment as Exec Director, might contact the UK program leads and indicate Kantara's interest in providing input regarding a certification process.  He observed that Kantara had been trying for some time, with limited success,  to establish a productive relationship with the UK Government, and this might provide a fresh start with a new face representing Kantara. Kay C. noted she is acquainted with one of the UK program managers via their participation in Women in Identity.  It was agreed she would make a contact in her new Kantara role, mention Kantara's interest in providing input to the UK program (in particular from the perspective of our experience in operating a certification process), and assess opportunities to develop the relationship. Ken suggested we should would return to the issue of a possible response to the UK consultation call in late August, perhaps with some additional input from Kay's contact. 

b.  GSA question about Kantara criteria referencing "presentation attack detection" (PAD), and possible clarification of the relevant Kantara criteria.  Ken provided brief background on the question from GSA (Phil Lam, speaking with Kay C.) that came up since the last WG meeting, and said this might be an opportunity to enhance our relationship with GSA. He asked for any thoughts from the WG. Roger Q. said several vendors had come up with ideas for detecting/mitigating presentation attacks, and so focus on this by Kantara is timely. Jimmy J. said he has applied PAD, but that it's a bit different from regular assessment activity and may be more like a laboratory standards issue. Roger Q. agreed, and said he'd been very interested in seeing the language Richard has come with so far. Ken suggested we should defer this issue also to the next meeting when Richard should be available. Ken confirmed that if IAWG were to develop new or clarifying criteria language related to GSA's question he would expect to make it part of the package of revisions we are working to submit for approval this summer. Kay C. mentioned that she is meeting again with Phil Lam, but has other issue to discuss and would not raise this; Ken suggested that if Phil raised it, she might tell him the IAWG is actively considering it and expects to be able to get back to him soon.

a. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. Ken provided an overview of the process, indicating that the total Kantara approval timeline is about 2 1/2 months.  Given that, he believes the WG should aim for publication of the updated criteria in mid-November, which implies having a package ready to submit by the end of August.  The package would consist of at least one "substantive" update – the "comparable alternative control" criteria we have been discussing – plus several non-substantive revisions that Richard has been accumulating.  If the PAD issue results in revised criteria language, that would also be included. He pointed out that one important consideration is to avoid frequent changes to the criteria as that has an impact on CSP's (as well as on all Kantara reviewers.) NIST's update of SP 800-63 to version 4 will definitely require another revision of the Kantara criteria, but he believes that NIST's schedule for 800-63-4 will likely slip a bit so there should be at least 18 months between the Kantara update we are now preparing and the major one that will result from the NIST revision.

Mark K. asked if reviewers will be provided with any notes on the rationale for each of the proposed changes. Ken said notes like that have not been provided in the past, but that it might be a good idea this time, as a way to expedite review of the package of proposed changes. He noted that the only substantive updates planned are the "comparable alternative" language changes and possibly new PAD-related language.  (He noted that Richard W.'s latest draft of the former was currently being shared on-screen, and that a link to the spreadsheet was included in the email with the invitation and Agenda for this meeting, Revisions since the previous IAWG call are in blue text in the spreadsheet.)   

Mark K. asked how we can expect CSPs to provide a quantitative comparison of the effectiveness of a control specified in 800-63-3 vs. a proposed "comparable alternative", since as far as we know NIST has not provided such data on controls. Roger Q. asked if we could or should be more specific about what should be measured for a "quantitative assessment.  

Roger: can we spec the quants? Ken: too general to specify. Assessor has to determine that the quant analysis makes sense.

JJ: seems OK, transparency is about all we can do. and involves numbers. 


Ken: get thru 18 months and hope it's covered in 63-4.

JJ: think NIST tries to be academic and flexible. Don't want to enforce. 

Kay: D had strong reaction to K getting involves, and pushed to making the decision political vs. requiring NIST to approve. 

JJ: only way for CIO to make the decision is based on the CSP's K certification. 

Ken thinks our language permits the agency to take apolitical decision based on the CSPs representations about the risk analysis, as certified by K. 

Mark K:  from outside view: by providing one standard that all agencies could use, creates a market for CSPs. 

Ken: I think we're close but how to market and avoid bad stuff for Kantara's rep. Need another meeting with Richard. 

Meetign in 2 weeks. Aug 12. resolve comparable AND PAD, and richard provide non-subs. 


ROGER for FIRE. 












Other Business:

      Next Meeting: 




  • No labels