2022-06-16 Minutes
Attendees:
Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, Maria Vachino, Richard Wilsher, James Jung, Michael Magrath
Guests: Matt King
Staff: Lynzie Adams, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval - 2022-06-09 Minutes
General Updates
Assurance Updates
Requests to IAWG for Comment
Discussion:
INCITS CS1 Liaison (Richard Wilsher)
Assurance Program - Classes of Approval, Service Descriptors discussion
Any Other Business
Meeting Notes
Administrative Items:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes approval: Mark Hapner motioned to approve the draft minutes from the June 9 IAWG meeting. Jimmy Jung seconded the motion. The minutes were approved unanimously.
General Updates:
Identiverse is in Denver next week. Kay and Alison Beavers from the BoD will be there to present a Kantara 101 intro session with Andrew’s help. Andrew will also be speaking on mobile driver’s licenses at the conference.
Lynzie reported that Schellman Compliance, LLC is a newly accredited assessor for Kantara. Scott Perry, the lead assessor, was previously accredited with Kantara with his own company. Announcements will be out on social media and in the newsletter.
Kay reported on the logistical updates in the UK - finalizing agreements and such. There has been some misconception that we are waiting on some certifications before we are ready to go. That is false. We are not waiting on anything and we’re full steam ahead with the program. We are, in parallel, going through the UKAS process but the two are not reliant on one another.
Assurance Updates:
800-63 rev. 4 has been delayed until Q4.
What can Kantara do in the meantime? Maria brought up a previous discussion about pulling together a group of relying parties to understand how they handle risk management around identity - some of the more modern methodologies they are using. Andrew, representing Ping, believes he can help gather some RPs. Lynzie will schedule a planning meeting between IAWG leadership, Kay, and BoD representation (Maria, Eric, Matt). No action will be taken at that meeting - it’ll come back to IAWG first, but we’ll have input from the organization.
Jimmy reminded the group that Kantara’s interpretation of supervised remote differs from what NIST views as supervised remote and we need to consider addressing that. Andrew asked people to think of how we convey these different thought processes to NIST on specific topics.
Discussion:
INCITS CS1 Liaison
Colin Wallis is the listed nominee for Kantara liaison. It needs updated. Prior years has been Colin with Richard Wilsher’s input on reports and documents needed. Richard suggested either nominating Kay or himself, as a current member of INCITS. Andrew suggested Kay as the official liaison, but with the possibility to delegate to Richard, as a current member, to provide Kantara two voices in the group. Maria agreed that Kay is the correct representative as she can coordinate with other working groups when needed. Kay also acknowledged that leaving it as a role of the executive director preserves that standard for future EDs at Kantara. Richard will nominate Kay as the Kantara liaison to CS1.
We may want to consider INCITS reports in IAWG meetings when appropriate.
Assurance Program - Classes of Approval/Service Descriptors
Lynzie summarized last week’s discussion. Lynzie explained the term partial from the previous assurance program manager’s explanation – If you achieve both IAL and AAL, it is a full service. If you achieve only IAL or AAL, that is a component service. You receive either a ‘complete’ trust mark if all applicable criteria are fulfilled, or a partial trust mark if it is not. Richard said that was never the intent.
There were differing opinions on term definitions (component, full, partial, etc.). Andrew suggested we make the definitions of each clear. Kantara’s intent is that a component is 63a, 63b or 63c – each an individual component. And a full service is offering all of these components. The definition of full may need adjusted, but that was the original intent.
Michael pointed out that the word component is not found on any trust mark, while we use it as a descriptor on our Trust Status List. This is a cause of confusion.
Andrew suggested removing full since nobody has went through FAL. Rather, create a trust mark for IAL, AAL and FAL. For instance, ID.me would display the IAL and AAL trust mark rather than a full service trust mark. Would ID.me, and other similar CSPs, go for that? Richard suggested combining them into one trust mark. Approved with 1, 2, or 3 lines depending on what was approved. Lynzie will get mock-ups from Karyn. This will replace full service and list what exactly you are approved for.
Kantara Approved
· Identity Proofing Service
· Credential Management Service
· Federated Authority Service
Kantara Approved
· Identity Proofing Service Component
· Credential Management Service Component
Mark Hapner pointed out that we need to consider who the viewer is – is it a consumer? the public? Keep that in mind.
Any Other Business
We will be honoring Ken Dagg in an upcoming meeting with the honorary title Emeritus Chair of the IAWG. A few in this group made the request and pushed for his service to be formally acknowledged with the title. An award and certificate have been prepared. The date, if known in advance, will be announced to the group and the presentation will happen at the start of that meeting.