2020-07-09 Minutes
Attendees:
Voting participants: Ken Dagg, Tom Jones, Mark Hapner, Martin Smith, Richard Wilsher
Non-voting participants: James Jung, Mark King
Kantara staff: Colin Wallis and Ruth Puente
Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum
Agenda
Administration:
- Roll Call
- Agenda Confirmation
- Action Item Review: action item list
- Minutes approval 2020-06-18 Draft Minutes
- Staff reports and updates - Director's Corner and Keeping up with the Kantarians
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews
Discussion
a. Review and Approve KIAF 1430 - Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria at IAL2 & IAL3
b. Update on xAL3 Sub-group, which is preparing criteria for 63B at AAL3 and 63C at FAL3.
c. NIST SP 800-63-3 Implementation Resources and Conformance Criteria
d. Update on KIAF 1050 - Glossary and Overview revisions.
3. Any Other Business
Minutes Approval 2020-06-18 Minutes:
- Motion: To approve 2020-06-18 Draft Minutes.
Moved: Martin Smith; Seconded: Tom Jones. Unanimous Approval.
Review and Approve KIAF 1430 - Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria at IAL2 & IAL3
Disposition of Comments and Criteria presented by Richard Wilsher: KIAF-1430 SP 800-63A Service Assessment Criteria v3.1.7 DoC v0.3.xlsx
- Given the amount of comments on IAL2, Richard suggested to address them under the annual review of the criteria.
- Regarding 4.2 (row 3), it was agreed to add as a point of guidance that there is nothing wrong with collecting additional information if the RP is requesting it or the service requires it, but it cannot be used to deny existence of an identity against the basic proofing policy. Martin asked to add this point to the comments for NIST.
- It was clarified that CSP in Kantara means Credential Service Provider, for the performance and provision of services that include, identity proofing, binding identity to credentials, authentication, manage the lifecycle of credential, so we have a boundary on these set of concepts with the interface to RPs. Therefore, a credential would be granted to the person that passes the proofing test against the published proofing policy, and then the RP would decide what it wants to do with that identity and how it wants to treat the claimant.
- Martin asked to defer the comments on IAL2 for another meeting in order to avoid delaying the approval of IAL3. The group agreed.
- All the comments from Mark King were accepted by the editor and it was agreed on the changes made.
Motion to approve the IAL3 as introduced by the editor. Moved: Martin Smith. Seconded: Richard Wilsher. Unanimous Approval.
Update on sub-group:
- AAL3 is under review by the sub-group and FAL3 will be reviewed right after the completion of AAL3 criteria. Moreover, the sub-group is undertaking a 12-month review of all the 800-63-3 Kantara SACs.
- NIST request for comments on 63-3 deadline is August 10th. Ken will compile the notes made by the subgroup and IAWG. He suggested to start gathering comments on the next IAWG meeting. There will be 2 consensus meetings at the end of July before the formal submission to NIST. Furthermore, he will collect the comments from HIAWG as well.
Blacklist vs Whitelist at 63C SAC:
- Richard suggested to change those terms by "allow list" and "deny list".
- Motion to approve the new terms. Moved: Tom Jones; Seconded: Richard Wilsher. Unanimous Approval.
- Ken will add it as suggestion to NIST for Rev.4
NIST 800-63-3 Implementation Resources and Conformance Criteria for 63A and 63B
- Link: https://www.nist.gov/topics/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines
- Ken said that the new NIST resources are informative and complementary material (check list) for RPs and implementers. He remarked that IAWG should review them and compare the NIST Conformance Criteria with the KI SACs. Colin said that we should include HIAWG on the review work as Christine Shulten is writing a paper to map the Mitre manual to NIST guideline.
- Ruth commented that GSA is working with OMB and Federal Agencies to build its strategy in relation to NIST Conformance Criteria, following the OMB 19-17 mandate. Furthermore, GSA is working on an announcement to formally recognize organizations that have a legitimate approval and accreditation process, such as Kantara. In addition, there are positive steps in terms of collaboration with Kantara and soon we may have news in relation to revamping the TFS Sync.