2020-06-18 Minutes

Attendees: 

Voting participants: Ken Dagg, Tom Jones, Mark Hapner, Martin Smith, Richard Wilsher

Non-voting participants: Pete Palmer

Kantara staff: Colin Wallis and Ruth Puente

Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum.

Agenda

Administration:

  1. Roll Call
  2. Agenda Confirmation
  3. Action Item Review: action item list
  4. Minutes approval 2020-06-11 Draft Minutes
  5. Staff reports and updates - Keeping up with the Kantarians
  6. LC reports and updates
  7. Call for Tweet-worthy items to feed (@KantaraNews)

Discussion

  1. Presentation of KIAF 1430 "Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria (at IAL3)" - Please see attached.
  2. Comments on PCTF Credentials - Please see the latest version of the IAWG comments attached (changes to the last version are highlighted in yellow).
  3. NIST Call for Comments on SP 800-63-3 to ultimately lead to Revision 4 https://csrc.nist.gov/publications/detail/sp/800-63/4/draft.
  4. Revised Glossary terms.
  5. Update on xAL3 Sub-group, which is preparing criteria for 63B at AAL3. 

Any Other Business
Minutes Approval 2020-06-11 Minutes:

  • Motion: To approve 2020-06-11 Draft Minutes.

Moved: Martin Smith; Seconded: Mark Hapner. Unanimous Approval.


LC Update 

  • Tom commented that a motion was approved in the Health Identity Assurance Work Group to look at how IAL2 and AAL2 might be implemented, with guidance, in the health industry in the US. The second item is that a proposal was made to the Foundation Board to apply for a grant in order to set up a registry service that would involve assurance for device apps. Tom will let IAWG know how that goes; if the Board gives unanimous approval, it would move forward.


Presentation of KIAF 1430 "Identity Assurance Framework: NIST SP 800-63A Service Assessment Criteria (at IAL3)":

Document reviewed during the meeting: KIAF-1430 SP 800-63A Service Assessment Criteria v3.1.7.xlsx

  • Richard explained that new criteria were added, including criteria specifically related to RPs and Federal Agencies. When the FAL criteria were done, the Federation part of 63 rev. 3, 63C, very specifically talks about the IdPs (or the CSPs, as they are called), RPs, Federation Authorities and Federal Agencies. This has now been replicated in the Identity Assurance criteria: columns I to L are the four entities to which each criterion might apply. Column M holds the old tags and column N the new tags. Columns S and T indicate Assurance Levels 2 and 3, marking the level at which each criterion applies. Column U is for comments and guidance, V is for initials and W for comments. Anything that is new is in red text.
  • A question was raised about line 85: is what was highlighted in red supposed to be this way? Richard answered that at IAL3 the equivalent is the high baseline and high impact. It was asked what the difference is between rows 85 and 86. Richard explained that NIST made a discrete differentiation between the controls selected from these baseline sets and the controls which relate to the impact rating of the system to which they are being applied. Therefore, two discrete criteria are needed.
  • It was asked what the time for comments is; Ken said that two weeks would be good. Ken asked that anyone who is going to take longer than two weeks for comments please send an email to him and Ruth.
  • Ken mentioned that July 2nd is not a good time for having the meeting due to Canada Day and July 4th in the States.
  • The deadline for comments will be two weeks from now.
  • There was a question about line 66: is the faded-out text not valid anymore? Richard explained that criteria were created for normative statements, i.e. those that have a SHALL. The ones that say SHOULD or MAY are left aside; no criteria are created for them. There are some cases where the text says "the CSP SHOULD do something, and if it does, it SHALL"; in those cases the criterion created is "If you do this, you SHALL". The idea is to cover the SHALLs, so essentially criteria were created for explicitly normative statements.
  • Richard stressed that no review is being asked for anything in black text: it is there, it is published, and it is not up for review at the moment. Feedback is only being asked for on the changes in red. Comments were received on published criteria, which brings him to a second point not directly related to this review: the published criteria will be reviewed every twelve months.
  • Ken clarified that the Sub-Group then has three tasks: one is the creation of level 3, the second is to review level 2, and the last is to note anything of interest that might become a suggestion for improvement in rev. 4.


Comments on PCTF Credentials

Document reviewed during the meeting: Comment Sheet V0.2.xlsx

  • Ken re-sent a reminder note with the latest comment sheet. He incorporated the changes agreed last week.
  • There was an incomplete comment, on row 41 (definition of Subject), which he fixed. A Subject is not necessarily the holder of or applicant for a credential; it could be, and in many cases it is. Ken suggested to them that a Subject should be defined as an Entity, and this Entity may or may not be the Holder of the Credential or the Applicant for the Credential.
  • It was asked about line 53, whether the subsequent ethicist Canadian is available in French. Ken answered that it will be. Ken said that, in essence, you are assuming a request; why would anyone provide their digital identity unless it was asked for?
  • It was mentioned that the problem is that one of the requirements of all of the privacy laws is that you are required to give notice, and you cannot really give notice if you do not have a place to give it.
  • Ken added, "why would I ever wish to assert something when I am not asked to assert it?" Ken will reword line 53.
  • Ken said that if anyone has comments on this document, they have to be sent before June 25th, because he will submit it on July 2nd.


NIST Call for Comments on SP 800-63-3 to ultimately lead to Revision 4 https://csrc.nist.gov/publications/detail/sp/800-63/4/draft:

  • Ken said that there is a real Call for Comments, to be worked through the xAL3 Sub-Group. The Service Assessment Criteria at level 3 are being revised on Wednesdays at noon for two hours.


Revised Glossary terms:

  • Work is still being done on the Revised Glossary terms, and Richard gave an update on the level 3 Sub-Group.


Update on xAL3 Sub-group, which is preparing criteria for 63B at AAL3:

  • Richard commented that IAL2 and IAL3 are under review by the IAWG at the moment. He added that FAL2 is still in public comment and IPR review until July 24th. Everything is proceeding well.


Any Other Business:

  • Ruth will send the information to Mark about joining the Sub-Group.
  • Ken mentioned that comments are open for IAL3 (Comment Submission form).
  • Ken said there will not be a meeting next week, so the group will reconvene on July 9th.
  • Ruth reminded the group about the STA Webinar "Privacy & Trust in the mDL Ecosystem", which will be held on Thursday, June 25 at 1pm ET.