Minutes approved by IAWG 8 August 2013 |
Link to IAWG Roster
As of 1 July 2013, quorum is 5 of 9
Meeting was quorate, with 5 voting participants present. |
IAWG Meeting Minutes 2013-07-18
Motion to approve minutes of 2013/7/18: Cathy Tilton
Seconded: Matt Thompson
Discussion: None
Motion Passed
See running table below
IAF Ticket #527461 (13 June 2013)
IAF Ticket #328495 (July 13, 2013)
IAF Ticket #314131 (July 13 2013)
IAF Ticket #770408 (13 July 2013)
Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
New ticket #527461 created. ------------------- The process below does not clearly state if the ARB must vote to accept an application and list it as registered applicant or if the application can be accepted by the secretariat upon performance of review that the application is not a wast of time (so far out of scope or not aligned with mission). I apologize for the line numbers but the below, I believe, references the section where the clarification is needed. Could you please ensure this is entered as a change request for the AAS officially? Thank you! Quoting from AAS v3-0: 6.7 Specific Evaluation Steps 651 The Secretariat will validate the initial Application submission up to and including Part I clause 652 4.1, step 9. 653 Where the Application is for a Full Service Approval, the Secretariat will ensure that the overlay 654 of the collective criteria covered by the combination of the Applicant’s SoC and those of its 655 component parts encompasses 100% of all SAC for the chosen Assurance Level. 656 When all of these validation steps are completed affirmatively, the Secretariat shall advise the 657 Applicant’s Point of Contact (APoC) that the Application has been found fit for assessment. The 658 Secretariat shall then take these additional steps: 659 a) Counter-sign and return the SPA to the CSP’s APoC; 660 b) File the Application for later reference, and; 661 c) Notify the Chairman of the ARB of the Application’s receipt (simply for advisory purposes 662 – no action is required of the ARB at this stage). 663 Evidence of its acceptance of the SPA is a necessary pre-requisite to enable the Applicant’s chosen 664 Assessor to formalize the contract for Assessment (see clause 6.8, below). |
Discussion of ticket
Disposition: Add to IAF enhancements list
IAF-1400-SAC Line: 1417, 1598 Reason: It is listing particular techniques. IAF wants to be protocol and techniques independent. Proposal: Change the line to as follows. These criteria apply to any credentials. |
Discussion of ticket
Disposition: Add to IAF enhancements list
IAF-1400-SAC Line: (not listed) Reason: Again, it is listing limited number of technologies. Generalization is sought. Proposal: Replace including after "These criteria apply to ... " with "These criteria apply to any credentials." |
Discussion of ticket
Disposition: Add to IAF enhancements list
IAF-1400-SAC Line: 1636 - 1640, 2149 - 2198 Reason: This is permitting only three protocols making IAF protocol dependent. Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. Proposal: Delete |
Discussion of ticket
Disposition: Return for clarification | Add to IAF enhancements list
1. AL2_CM_CTR#028 seems to stipulate OTPs that are both event- _and_ time-base which is a bit strange. It seems this confusion is in 800-63-1 aswell. If (for instance) b and c were combined, and there was an OR in the lead-in (line 1642) then the criterion would allow both (sensible) time and event-based OTP-devices which I suspect was the intent. 2. AL2_CM_CTR#025 doesn't permit the use of public key-based authn for AL2. This must be an oversight right? If you all agree we should open tickets for these and probably talk to somebody at NIST about (1). |
Discussion of Questions
Disposition: Errata | Add to IAF enhancements list
Defer to future meeting
Action Items
Item # | Description | Assigned to | Est. Completion | Status |
---|---|---|---|---|
2013-06-06-002 | Review RGW 800-63-2 vs KI IAF mapping documents and provide feedback
| All | 27 June 2013 | In progress |
2013-06-06-005 | IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach (2013-Aug-1): Comment that perhaps ICAM should be invited as well. | Staff / IAWG Leads | TBD | Not started |
2013-06-13-001 | Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options
| Myisha | 20 June 2013 | In progress |
2013-06-13-002 | Glossary updates underway. Next draft should be available in 4 weeks (11July2013): Defer item to future meeting (1Aug2013): No comments on new additions received yet - reminder sent to sub-group. | Ken Dagg | Updated:12 Sept 2013 | In Progress |
2013-08-1-001 | The text of the Tickets is not easily accessible. This is due to the policy that the source of comment must be kept confidential, and the Confluence Ticket system does not permit sequestration of the commenter identity. Secretary to create a place on the wiki for disposition of Tickets, including the ticket text itself. | Andrew Hughes | 8 August 2013 | Not Started |
2013-08-1-002 | Forward Ticket items that have been resolved to correct lists for next action. | Andrew Hughes | 8 August 2013 | Not Started |
Item # | Description | Assigned to | Est. Completion | Status |
---|---|---|---|---|