
Attendees:

Voting Participants: Ken Dagg, Martin Smith, Richard Wilsher, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Roger Quint, Eric Thompson

Invited Guests: Chris Lee

Staff: Kay Chopard

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-06-24)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion
    1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
    2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
    3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
    4. Component Service Consumer criteria.

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of June 24; Richard W seconded. The Minutes were approved unanimously, as written.

Staff reports and updates: ED Kay Chopard. Focus is replacement for Ruth as PM for Assurance. First pair of finalist candidates both dropped. Back to LinkedIn, starting interviews. Looking for more junior PM rather than trying to replicate Ruth's deep experience out-of-the-box. Best case for new IAF PM to be on-board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates: Ken: LC had one meeting. Of interest, long-time Chair of UMA has stepped down due to business demands. mDL Privacy report is out for review; have a look.

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Or send to Ken or Kay.

Discussion:

Continued consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken notes listserv discussion accessible via a link in the Agenda emailed before the meeting. He then invites Richard W to lead resumed discussion.

Richard W: believe we should do something in this space; may not be just for Fed agencies. Suggests we need a capability to assess alternative controls, based on a thorough process based on evidence regarding risk, etc. 

Eric: agree that there's a need and opportunity here, to provide some rigor around alternative controls. Key thing is needing to quantify risk being controlled. Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out. Agencies / orgs don't have ability themselves to do the rigorous analysis to develop and document use of "comparable alternative controls."

Mark H: Agree. There is a broader need than just for CSPs serving Govt agency customers. 

Kay C: Other Fed agencies I talk to feel they need unbiased technical help to make their decisions on IAM risk.  Believe NIST (David T) is very wary about Kantara involvement but believe his concern can be reconciled. 

RQ: If we do work in this area, will NIST welcome or oppose? Richard W: we should respond to our customers and work on getting acceptance if not support from NIST.

Ken: Maybe an approach to GSA would work; they owned FICAM. We need a Federal central-agency supporter of our work in this area. Kay says Kantara still meeting with GSA (Phil). Just her (Kay) until the new IAF PM is on-board. In any event, things might be slow for a bit as everyone in Government seems to be planning deferred vacations.

RQ: Kantara needs some awareness and at least tolerance at NIST and/or GSA for anything we do in this area.   

ET:  Is there an opportunity for IAWG to help move this forward by putting out guidance related to quantifying risk and effectiveness of alternatives controls for ID proofing systems?

RW: Notes that Kantara having a set of criteria for evaluating risk and control effectiveness would be useful to assessors who have customers (e.g., private sector, or non-US) that are not strictly locked in to (very conservative, tech-focused) NIST standards.

Mark K: Is this just a US issue? (He will check a bit to see if he can locate any EU-developed materials for risk analysis/quantification and controls effectiveness.)

JJ: Believe many US Fed agencies are thinking "I need IAL2", and would not want to get involved with something "comparable."

RW: We have been asked by a Member CSP working with a real Fed agency that has a business need to identify public clients who cannot provide proofing documents required by NIST standards. We should respond to these needs.

JJ: Not sure every KI assessor is going to be able to make and document these judgments about risk and effectiveness. Inconsistent assessments would create a risk to Kantara's reputation.

MH:  If Kantara is transparent about this and shows we are doing this analysis of alternative controls' effectiveness on reasonable criteria, then I believe risk to Kantara can be reduced. 

JJ:  Believe RW's suggested added IAF criteria seem a reasonable basis to begin developing a process for evaluating alternative controls. 

Ken: Notes that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency. 

ET: What we must do is make sure an agency customer is aware of the requirements of accepting "comparables."

RW:  We assess CSPs. Not RPs. (But we have criteria for federations, and federations would presumably impose various requirements on their member RPs.) 

JJ: How would we express the results of an assessment based on use of a comparable alternative control?

ET:  We would provide a memo clarifying that the service is/uses an alternative control. 

Ken:  good discussion. Summary:  seems worth pursuing, building on RW's draft criteria. 

RW, ET, KD, MH agree. Ken: asks RW when he can be ready to discuss initial draft criteria. RW: I may not be available for a couple of meetings in August.

Ken: Next week's meeting is the 15th, can you have something for the IAWG to look at then? RW: Yes.

JJ: Does ARB need to get involved?  What's the process where an alternative control is involved?  RW: agrees there needs to be a process to communicate the decision to SP and to the (RP) customer. 

RQ: We need to coordinate and communicate with NIST to avoid appearance of going around them. RW: Yes, but we are not asking permission. 


Other Business:

MK: Australia: individual submissions only?  Ken: yes. Deadline 7/14. 

Ken:  Pan-Canadian Framework has a new document out for comment by 28 July. Seems to be revisiting the "vectors of thrust" concept. Doesn't seem too relevant to IAWG but will send around, and WG can decide at next meeting if we want to submit comments.

Next meeting July 15th, 1PM US Eastern as usual. 

Ken closed the meeting at 2:05. 

