Kantara Initiative Identity Assurance WG Teleconference

Meeting Minutes - approved by IAWG 29 August 2013

Date and Time

Date: Thursday, 22 August 2013
Time: 07:00 PT | 10:00 ET | 14:00 UTC (time chart)
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Minutes approval: IAWG Meeting Minutes 2013-08-8
4. Action Item Review
5. Staff reports and updates
6. LC reports and updates
7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
1. Call for IAWG Charter Review (ref. Email to IAWG Chairs and WG)
2. IAF Tickets and Issues Review
  1. IAF Ticket #770408 (13 July 2013)
  2. NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts
Updates
1. IAF Glossary Update status (Dagg)
2. Modular IAF status (Hughes)
AOB
Adjourn

Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Meeting was quorate with 5 voting members present

Voting

Andrew Hughes (S)
Scott Shorter
Rich Furr (V-C)
Matt Thompson
Bill Braithwaite

Non-Voting

Jeff Stollman
Ken Dagg
Linda Goettler

Staff

Joni Brennan

Apologies

Myisha Frazier-McElveen (C)

Notes & Minutes

Administration

Minutes Approval

IAWG Meeting Minutes 2013-08-8

Motion to approve minutes of 2013/8/8: Bill Braithwaite
Seconded: Scott Shorter
Discussion: None
Motion Passed

Action Item Review

See running table below

Staff Updates

Director's Corner Link

LC Updates

Participant updates

Discussion

Call for IAWG Charter Review

(ref. Email to IAWG Chairs and WG)

Link to current IAWG Charter (July 2009)

Kantara Portland retreat in August 2013 created plans to sharpen focus for Kantara WGs. Review and update of existing WG charters was requested, due September 25 for review by LC.

The text of the request:

During the recent Kantara Leadership Retreat, we focused on the question of why Kantara exists (seehttp://kantarainitiative.org/pipermail/lc/2013-August/002348.html for a high level summary out of that retreat). The idea is that with a clear "why", we can make sure the actions we take truly support the goals of the Kantara Initiative. The current working DRAFT of Kantara's "why" statement is:

DRAFT: Kantara exists to define rules of engagement for operators of online services, enabling high-value, privacy-preserving identity and access.

In order to incorporate this concept in to the Innovation side of Kantara, the work groups, we are initiating a Work Group recharter effort. This will help make sure that the Work Groups are on track with solid deliverables and timelines that support the goal of the organization. Work Groups can expect to receive more organizational support in terms of marketing to increase group participation and the creation of industry-driving Kantara Recommendations. For Work Groups that do not recharter, their status will change to that of a Discussion Group, which is considered a much more informal effort. (Please see the Kantara Operating Procedures for a more detailed definition of Work Group and Discussion Group: http://kantarainitiative.org/confluence/x/owVAAg .)

The link to your current charter can be found on your space in the Kantara wiki. The LC would like to have the updated charters in by September 25. The LC will discuss and review the charters over the month of October.

Discussion

Need to assemble a subgroup to look at the charter
- Volunteers: Rich Furr; Linda Goettler; Andrew Hughes; Scott Shorter
Deeper discussion deferred to subgroup

IAF Ticket Review

IAFTicketReview

The text from prior meetings is copied here for reference.

NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts

#770408 discussed on 1 August and 8 August 2013 calls.

IAF-1400-SAC
Line:  1636 - 1640, 2149 - 2198

Reason: 
This is permitting only three protocols making IAF protocol dependent. 
Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 

Proposal: 
Delete

Discussion of ticket

More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..."
This looks like a candidate for a US-Specific Profile
The point appears to be to avoid password eavesdropping or message replay
Defer further discussion to next meeting

(8 August 2013) Discussion:

This is 800-63 specific, and is lagging the current technologies available.
Suggestion to specify requirements for the strength of the credential rather than the specific protocols
Issues include how to demonstrate 'strength'
An analysis is needed to update the technologies list to current.
"Apply only authentication protocols <text that refers to strength needed at this AL> for example: tunneled password; zero knowledge-base password; SAML assertions."
Defer text writing to next meeting.

(IAWG Listserv email contribution - Wilsher)

Re. today's discussion on the criterion below, I propose the following text
(there is no stipulation at AL1;  AL3 would be the same, except for the
existing qualifier "For non-PKI credentials, apply ...", and of course 'AL2'
would be replaced with 'AL3'; AL4 is also no stipulation).  

Regards,
RGW

AL2_CM_CTR#025   Authentication protocols

Apply only authentication protocols which, through a comparative risk
assessment appropriate for AL2, are shown to have resistance to attack at
least as strong as that provided by commonly-recognized protocols such as:

a)                  tunneled password;

b)                 zero knowledge-base password;

c)                  SAML assertions.

Guidance:  Whilst many authentication protocols are well-established and may
be mandated or strongly-recommended by specific jurisdictions or sectors
(e.g. standards published by national SDOs or applicable to
government-specific usage) this criterion gives flexibility to advanced and
innovative authentication protocols for which adequate strength can be shown
to be provided by the protocol applied with the specific service.

(22 August 2013 Discussion):

Support was expressed by several participants

Disposition: Add to IAF enhancements list

Updates

IAF Glossary Update status (Dagg)

One set of comments received
Deadline for comments is August 26 2013
Ken to proceed with final draft after this point

Modular IAF status (Hughes)

Subgroup is working on a draft report
- Table of Contents is firm
- Material from previous documents has been merged into the ToC
- Currently developing function/service -> Role -> organization mappings that describe existing Deployment Patterns such as FICAM & Government of Canada
- Expect to distribute to IAWG within 5 weeks for discussion

AOB

Expect a new ticket on the requirement to retain identity proofing data for PKI credentials for 7.5 years. This is not specified for non-PKI credentials. Could imply an infinite retention requirement.
- General support
- Suggestion that the period of time should be non-specific but guided by sectors or regulations.

Action Items

Item #	Description	Assigned to	Est. Completion	Status
2013-06-06-005	IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach (2013-Aug-1): Comment that perhaps ICAM should be invited as well.	Staff / IAWG Leads	TBD	Not started
2013-06-13-001	Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options (2013-Jun-20): Discussion occurred; vision has been always to have a CMS - possibly a database with online self-serve document generation capability (in whichever output format is needed); team will be needed to draw up a wireframe and requirements for a custom developed tool (2013-Jun-27): Call for lead is required. Myisha to send a call to list for volunteer lead.	Myisha	20 June 2013	In progress
2013-06-13-002	Glossary updates underway. Next draft should be available in 4 weeks (11July2013): Defer item to future meeting (1Aug2013): No comments on new additions received yet - reminder sent to sub-group.	Ken Dagg	Updated:12 Sept 2013	In Progress
2013-08-1-002	Forward Ticket items that have been resolved to correct lists for next action.	Andrew Hughes	8 August 2013	Not Started
2013-08-8-001	Bring forward ticket #770408 for further discussion of new text	Chair	15 August 2013	Not Started

Recently Closed Action Items

Item #	Description	Assigned to	Est. Completion	Status

Attachments

Next Meeting

Date: Thursday, 29 August 2013
Time: 07:00 PT | 10:00 ET | 15:00 UTC (time chart)
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers