
Attendees

Voting participants

Scott Shorter

Richard Wilsher

Mark Hapner


Non-voting participants

Tara Romeo, Experian

Jose Lopez, Zentry 


Staff

Colin Wallis

Ruth Puente 


Agenda

Discussion

a. Approval of 45-day Public Review 63A/B_SAC Disposition of Comments.

b. Approval of 63A_SAC (IAF-1430) and 63B_SAC (IAF-1440)

c. NIST Internal Report (NISTIR) 8112, Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes.

d. Discussion: Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.

e. Next steps evaluating strengths of evidence  

Discussion items

Item | Notes
63A(1430) and 63B (1440) SACs


  • Editor's comments and observations on drafting will be removed.
  • It was decided to keep columns A to H, which show the source text (the original NIST text), as this gives a cross-reference between the KI criteria and 800-63-3. The participants also agreed to hide columns B to H and leave it to the user whether to make them fully visible or not.
  • Scott said we should change "Reviewers guide" to "Users guide".
  • The plan is to initiate an e-ballot and, after approval, send it to the LC for the following All Member Ballot. Scott requested that Ruth issue the e-ballot and send it to the voting participants.
  • Disposition of Comments only applies to 63A as there were no comments on 63B.

NISTIR 8112
  • Scott said that he had not found out what has changed since the last version. It is an interesting idea, but it falls short of a usable framework without more use cases and trust-model-type content.
  • No action is expected; the group just needs to be aware of it.
Refinement of CO-SAC IAF-1400 (non-material change)

Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.

  • The idea is to move some criteria from the CO-SAC to the OP-SAC.
  • Those criteria are addressed by 63A or 63B, so they do not need to be in the CO-SAC; but if 63A and 63B are not being used, the criteria are still needed, so they are moved into the OP-SAC. Richard suggested that we look at each criterion and ask whether it is addressed in 63A and 63B: if it is not, we should leave it where it is; if it is, that is the reason for moving it to the OP-SAC.


  • CO-SAC 1410 can be used in the old classic assessment or in a 63A/B assessment.
  • The classic assessment can use the OP-SAC, which includes the criteria removed from the CO-SAC.
  • In the case of an 800-63 rev. 3 assessment, we use SAC 1410 + IAF 1430 (63A SAC) and IAF 1440 (63B SAC).
  • Richard suggested aligning the tags, but Scott maintained that if it is not a material change we should not change the tags, just ensure the language matches 63-2 and 63-3.
Next steps evaluating strengths of evidence  
  • Scott commented that it would be good to have a common understanding of which possible evidence options meet the strength requirements, and to make that understanding accessible to everyone.
  • Mark said that he is concerned that, from a disclosure-requirements perspective, GDPR will quickly become the bar; services provided to Europeans should meet that bar. CSP operations would therefore be constrained by this and would have to be more open about what they are doing: the level of disclosure about what investigation was done on you in order to issue a credential would be higher. He believes that the disclosure requirements about what goes on in the proofing process are significant and set a higher bar than 800-63-3. What risk assessment elements did you apply to this?
  • Richard commented that in KI the CSP's credential policy is required to be public, so you can see what evidence they would be asking for.

Action items

  • @Ruth to create an e-ballot of 63A and 63B and send to voting participants for approval.