2018-06-21 IAWG Minutes
Attendees:
Voting participants: Ken Dagg; Scott Shorter; Richard Wilsher; Mark Hapner; Jose Lopez; JJ Harkema;
Non-voting participants: Roger Quint, Unisys.
Staff: Colin Wallis
Quorum: 5 o 8. There was quorum as there were 6 voting participants of 8.
Minutes approval
2018-04-26 IAWG Minutes were approved by motion.
ED Update by Colin Wallis
- May 22 International Privacy Summit for Privacy in Marketing and Media
- May 14 Kantara European Members Plenary and AGM 2018. It´s was well attended. Kantara´s session was the second most attended, Blockchain session was the most well attended and Open ID Foundation was the third most attended session of the event.
- "Keep up with Kantara June" sent to members included: GDPR; Identiverse in Boston June 24-27; announcement of Webinars in the Summer Australian DTA and MDAV; encouragement to contribute into Standards Drafts for ISO SC27 Working Group 5.
- More information: Director´s Corner 2018: May
Discussion:
NIST 800-63-3 Implementation Guidance - 3 memos by Scott Shorter
Please see the memos here: 800-63-3 Implementation Guidance Reports for NIST
- Zygma is a co-signer of the memos, recommendations.
- The 3 memos are findings found in the course of recent work that all the signers were involved with.
- First memo is around Guidance on Permitting “Commodity” Hardware for Unsupervised Remote Identity Proofing (“Commodity” word from 800-63-3 FAQ that came our recently).
- Second memo how to select and evaluate Authoritative Sources. Geolocation is presented as an additional barrier against international fraud. No identity proofing method is perfect and compensating controls are not perfect either, Geolocation is easy to assert and hard to prove, but it´s an additional barrier for catching the fraud.
- Third one derived from the other 2, recommendation on additional info for the CSPs in the Trust Status List, using the Public Service Description of the S3A for RPs and other potential consumer of the services to understand what´s involved. SS stressed that the Trust Status should have: the name of the service, contact info, Assurance Levels, authoritative sources and Identity proofing methods that are supported.
- RW pointed out that the last statement of memo 3 is different from memo 2. He added that there are 2 solutions for the recommendation on memo 3, S3A is not the absolute path for the additional information as the CSP does not update that info. He suggested that we should change the CO-SAC criteria to require the service definition or CrP documents be maintained and if there are changes the CSP should notify the RPs. His recommendation include 2 actions: Kantara to include within the Trust Status List a link to the CrP and the public service description that is stated in the S3A.
- JL requested more time to read the memos and make comments before moving to approval.
- Next steps: Approve the memos in the next IAWG meeting and request ARB feedback on the 3 memos before sending them to NIST.