Kantara Initiative Identity Assurance WG Teleconference

Meeting Minutes approved by IAWG 22 August 2013

Date and Time

Date: Thursday, 8 August 2013
Time: 07:00 PT | 10:00 ET | 14:00 UTC (time chart)
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Minutes approval: IAWG Meeting Minutes 2013-08-1
4. Action Item Review
5. Staff reports and updates
6. LC reports and updates
7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
1. Disposition of Comments for SP800-63-2 v IAF v3.0 mapping (continuted)
2. IAF Tickets and Issues Review
  NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts
  1. Myisha to present ARB feedback
AOB
Adjourn

Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Meeting was quorate, with 7 voting participants present.

Voting

Myisha Frazier-McElveen
Rich Furr
Andrew Hughes
Bill Braithwaite
Scott Shorter
Matt Thompson
Cathy Tilton
Richard Wilsher

Non-Voting

Jeff Stollman

Staff

Apologies

Ken Dagg

Notes & Minutes

Administration

Minutes Approval

IAWG Meeting Minutes 2013-08-1

Motion to approve minutes of 2013/8/1: Rich Furr
Seconded: Bill Braithwaite
Discussion: None
Motion Passed

Action Item Review

See running table below

Staff Updates

Director's Corner Link
- August 8-9 meeting planned in Portland/Vancouver, WA - Kantara strategy and internal operations. Please contact Joni for details.

LC Updates

No meeting this cycle
New format for quarterly report - easier to distribute

Participant updates

Discussion

Disposition of Comments Continued

Furr reviewed Wilsher's response to comments, and accepts the responses as written.

IAF Ticket Review

UPDATE: ARB comments on #527461

ARB has a preference to review applications and vote to accept as valid or reject as incomplete application
Discussion about ARB turnaround time concerns
Good for ARB to see the applications
Update procedure to include ARB vote

Noted that Tickets originators should both highlight the issue area, and also propose text
Further discussion on Ticket #328495
- This text looks like it originated from 800-63
- This may be a profile candidate
Request to be made to Staff to discuss this ticket with the originator.
Decision made to Delete the noted lines
Same for #314131
Minor edits:
- Section 5.3.1 Line 2149: add newline
- Section 5.4.1 Line 2725: add newline

#770408 discussed on 1 August and 8 August 2013 calls.

IAF-1400-SAC
Line:  1636 - 1640, 2149 - 2198

Reason: 
This is permitting only three protocols making IAF protocol dependent. 
Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 

Proposal: 
Delete

Discussion of ticket

More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..."
This looks like a candidate for a US-Specific Profile
The point appears to be to avoid password eavesdropping or message replay
Defer further discussion to next meeting

(8 August 2013) Discussion:

This is 800-63 specific, and is lagging the current technologies available.
Suggestion to specify requirements for the strength of the credential rather than the specific protocols
Issues include how to demonstrate 'strength'
An analysis is needed to update the technologies list to current.
"Apply only authentication protocols <text that refers to strength needed at this AL> for example: tunneled password; zero knowledge-base password; SAML assertions."
Defer text writing to next meeting.

Disposition: Return for clarification | Add to IAF enhancements list

The text from last week's meeting is copied here for reference. Myisha to discuss ARB feedback on Ticket disposition decisions.

NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts

Identity Assurance Framework - Working Drafts

IAF Ticket #527461 (13 June 2013)

IAF Ticket #328495 (July 13, 2013)

IAF Ticket #314131 (July 13 2013)

IAF Ticket #770408 (13 July 2013)

Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions

New ticket 527461 created.
-------------------

The process below does not clearly state if the ARB must vote to accept 
an application and list it as registered applicant or if the application 
can be accepted by the secretariat upon performance of review that the 
application is not a wast of time (so far out of scope or not aligned 
with mission).

I apologize for the line numbers but the below, I believe, references 
the section where the clarification is needed.

Could you please ensure this is entered as a change request for the AAS 
officially?

Thank you!

Quoting from AAS v3-0:
6.7 Specific Evaluation Steps 651
The Secretariat will validate the initial Application submission up to 
and including Part I clause 652 4.1, step 9. 653 Where the Application 
is for a Full Service Approval, the Secretariat will ensure that the 
overlay 654 of the collective criteria covered by the combination of 
the Applicant