PCIPR20200807

NOTICE: Public review for comments and IPR review for Kantara Initiative xAL3 SACs


Dear Kantara Initiative Members and Community,


This is a formal notification that the Identity Assurance Work Group (IAWG) has approved the following documents as IAWG-Approved Draft Recommendations and their distribution for public comment and IPR Review: 


Document: KIAF-1430 ‘Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria (at IAL2 and IAL3)’

Version:  3.1.10

Document Date: 2020-08-06

Document URL: Download Document


Document: KIAF-1440 ‘Identity Assurance Framework: NIST SP 800-63B Service Assessment Criteria (at AAL2 and AAL3)’

Version: 3.0.7

Document Date: 2020-08-06

Document URL: Download Document


Document: KIAF-1450 ‘Identity Assurance Framework: NIST SP 800-63C Service Assessment Criteria (at FAL2 and FAL3)’

Version: 0.17.0

Document Date: 2020-08-06

Document URL: Download Document


These documents have entered a 45-day public comment and IPR review period in preparation for an all-member ballot to consider their approval as Kantara Initiative Recommendations. 


Public Review and IPR Review Period Opens: 2020-08-07, 3:00PM ET

Review Period Closes: 2020-09-21, 3:00PM ET



Overview of Documents:

Two years ago, Kantara developed Service Assessment Criteria (SAC) to be used in SP 800-63 rev.3 conformity assessments for identity proofing and authentication services at Assurance Level (AL) 2. These SAC were derived from the strictly normative requirements (i.e. criteria were only developed from guidance expressed using ‘SHALL’) of SP 800-63A and ’63B, at IAL2 and AAL2 respectively, as they applied to Credential Service Providers (CSPs). Since their publication, Kantara has granted a number of Approvals based on these criteria and anticipates growing interest in these Approvals in the short to medium term. The sponsor of that work, ID.me, generously provided to Kantara additional sponsorship to develop SAC focused on SP 800-63C, i.e. addressing federations, at FAL2.

ID.me has now extended their generous support to enable Kantara Initiative to develop level 3 criteria, i.e. IAL3, AAL3 and FAL3.

A contracted editor has developed draft criteria for the three SACs and these have been reviewed by a sub-group of the Identity Assurance Work Group (IAWG).  In addition to this, the IAL2 and AAL2 criteria have been reviewed and some additional criteria, previously excluded because they did not apply directly to CSPs, have been introduced to provide the same scope of coverage as was developed for FAL2. There have also been some consequential changes to align criteria. The IAWG has now reviewed and approved each of these xAL3 extensions and Kantara is now releasing these criteria for a 45-day Public Review.

Accordingly, attached are three XLS documents (KIAF-1430 63A_SAC v3.1.10, KIAF-1440 63B_SAC v3.0.7, KIAF-1450 63C_SAC v0.17.0).  Each document includes a control tab which we are seeking to have reviewed, namely the tabs labelled ‘63A/B/C_SAC’.

In each of the subject tabs you need only review those criteria which are, in part or whole, in red text.  The subject tabs include:

  • the source 800-63C texts on which have been based the derived Kantara
  • the entities towards whom each criterion is directed 
  • a unique tag for each criterion, some with sub-parts - note that for 63A and 63B_SACs the criteria are being amended to achieve greater consistency and sequencing
  • the criterion itself 
  • the applicable AL
  • provision for commenting


Kantara invites your review of these documents and asks that you submit any comments and proposed revisions on or before 2020-09-21. As this deadline will be strictly adhered to, late submissions will not be taken into account.

When commenting, please provide a three/four letter identifier in the column headed ‘Initials’ (e.g. your own initials or something to identify the entity on whose behalf you are commenting, and a #<sequence number>, to ensure easy unique identification of your comments) and your review comment in the adjacent right-hand column.  We will especially appreciate and respond to comments which offer some kind of solution (e.g. revised wording) in addition to a statement describing the problem which is being addressed.

This is an open invitation to comment. Kantara Initiative solicits feedback from potential users, developers, and other interested parties, whether Kantara Initiative members or not, for the sake of improving the interoperability and quality of its technical work.


To Comment on the Recommendation:

To comment please use the form located at: https://kantarainitiative.org/comment/   

______________


Intellectual Property Rights Notice:

Note that any submissions are deemed to be contributed under the IPR Option of the WG: Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non-discriminatory (RAND).

Intellectual Property Rights Notice: In accordance with the Kantara Initiative IPR Policy Appendix B Article 5 and the Kantara Initiative Operating Procedures Section 7.5, you have a period of 45 days to review the criteria for any Necessary Claims that may be implicated by the criteria.

While there is no requirement to review your patent portfolio for Necessary Claims, please be advised that unless you provide a licensing objection in accordance with the Kantara Initiative IPR Policy Article 5 or a notice of withdrawal in accordance with Kantara Initiative IPR Policy Article 6 on or before 2020-09-21 you will have committed to the licensing provisions as set forth by the Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non-Discriminatory (RAND) IPR Policy with respect to any Necessary Claims implicated by the final approved criteria.

Having signed the Group Participation Agreement (GPA) all members of the IAWG should be familiar with these documents, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved Kantara Initiative Recommendation.


Kantara Initiative invites any persons who know of any part of this Group output that would infringe on third party intellectual property rights to disclose such infringement claims so that these claims may be provided to the Group members for resolution.
 
To submit an Intellectual Property Rights infringement claim, email staff@kantarainitiative.org  with the subject "IAWG IPR CLAIM".

____________________


Please contact the Kantara Initiative staff at staff@kantarainitiative.org with any questions regarding this notice.  


We thank you for your time and interest.

Kantara Staff