2018-04-12 IAWG Meeting Notes

Attendees

Voting participants: Jose Lopez, Zentry; Scott Shorter, Vice Chair; Ken Dagg, Chair; Mark Hapner, Resielient

Non-Voting participants: Angela Ray

Staff: Colin Wallis and Ruth Puente

Quorum: There was not quorum (5 voting participants out of 8)

Updates 

• Mark H. shared the recent announcement that W3C and FIDO made on a solution that allows the phone to be the authenticator directly: https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en

ED Update:

• KI has participated in 3 bids for H2020 EU grant funding via Kantara Europe.
• Kantara's panel at the KNOW Identity conference with panelists Mary Hodder from IDESG, Scott Shorter from Kantara Accredited Assessor KUMA, Tracy Hulver for Kantara Approved CSP ID.me and Leadership Council Chair Andrew Hughes. The topic was 'Service Provider Certification: Who Cares Anyway?', it was addressed what certification is, the different stakeholder perspectives, and there were interesting comments from the audience. 
  For full report, please see: 2018: March

Update on recent IAF changes and publications

• The Kantara´s Service Assessment Criteria (SAC) for assessments against the requirements of NIST's SP 800-63A and SP 800-63B, KIAF-1430 and KIAF-1440, have been released. Available for Members Only download here:https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework
• KIAF 1400 (OP-SAC and CO-SAC) have been repackaged and replaced by KIAF 1410 (CO-SAC) and KIAF 1420 (OP-SAC). No changes have been made. It reflects the multiple classes of approval. 
• As Kantara added NIST SP 800-63-3 compliance to its Trust Framework, there are new classes of approval. The current Kantara classes of approval are: NIST 800-63 rev.3; NIST 800-63 rev.3 (Technical) and Classic. Full description here: https://kantarainitiative.org/trustoperations/classes-of-approval/

Rework IAF 1000 - Overview and IAF 1100 - Glossary

• Ken D. is preparing a straw man to proceed with the revision of the Overview and Glossary documents, which are out of date. 

NIST 800-63-3 Implementation Guidance and 63A SAC and 63B SAC assessment issues

• Scott S.said that the implementation guidance is what we can use to try to add some light and understanding to 63-3, we hope to make it open and transparent enough, assessor across and between TFPs. 
• Ken D. stressed that the main aim of this tool is to use the same evidence and understand the evidence in the same way.
• Colin W. commented that NIST has shared a spreadsheet with 63A identity evidence list, evaluation for different types of identity documents and they seek the TFS Stakeholders feedback, it is not ready for public consumption.  
  
  
• Scott S. added that KUMA has completed an assessment on 800-63-3 and identified 2 gaps in the requirements, things that are complex to achieve and potentially impossible: 
  a) Authoritative Source. There is a Table 'Validation of the evidence' that states strong evidence must be validated strongly, and the evidence should be checked against an authoritative source. Authoritative sources must be either the issuer or have access to the issuer’s data.  Driver´s license case: It´s not commercially viable to validate driver licenses from 50 states. In the Passport case, it´s no communicating with the Department of State to verify it. AAMVA validation of DMV data is only partial, including the textual data but not the photograph.
  b) Authentication of photograph. 63A Table 5-3 makes a clear distinction that biometrics is one thing and photograph verification is another thing. But the same requirements apply to authenticate the “sensor” (i.e. camera) or an endpoint containing the sensor (i.e. smartphone/laptop). When the applicant is the owner of the device, the IdP doesn’t have a way to authenticate the device.
• Jose L added that when you take a selfie you can print the OTP to proof liveness.  
• Ken said that the implementation guidance should include these 2 issues as well.
• Scott S. asked if there could be a class of approval IAL2 minus something. 
• Scott S. explained that if a RP accepts a service less than a full assurance level, they should fill out a digital identity acceptance statement and submit to GSA, therefore the RP accepts the risk. 
• Ken D. added that in Gov. of Canada, when RPs said L2 token was not good enough, they implemented additional measures to mitigate that risk. That is an approach RPs could use. The RPs could say they are accepting credentials but will add "x" mitigation strategy. He suggested to add this approach as part of the implementation guidance. Also, he recommended to use the eGovernment WG code of conduct in this context. 
  
  
• It was agreed to add this topic as a standing agenda item. 
• There could be a sub-group but open to the other TFPs, and will use IAWG meeting time. 
• Audience for this document: CSPs and Assessors and may also include RPs.
  
  

OMB Policy Draft - Call for Comments

• Document available at: https://policy.cio.gov/identity-draft/
• It was agreed to schedule IAWG weekly meetings to discuss the preparation of comments and consider possible impacts to KI.
• Deadline to submit the comments: May 6th.
  
  

Next Meeting: April 19th