2020-03-26 Minutes

Attendees

Voting Participants: Ken Dagg; Mark Hapner;  Martin Smith

Invited guests: Barry Hieb, HIAWG. 

Staff: Colin Wallis and Ruth Puente

Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum

Agenda

1.Administration:

• Roll Call
• Agenda Confirmation
• Minutes approval 2020-03-19 Draft Minutes
• Action Item Review: action item list
• Staff reports and updates -  Keeping up with Kantara March 2020and February Director's Corner 
• LC reports and updates
• Call for Tweet-worthy items to feed (@KantaraNews)

2.Discussion: Discuss Initial Comments on PCTF Verified Person, Privacy, and Glossary  - Please see Ken's comments for these three PCTF Components attached. 

3.Any Other Business 

Minutes Approval

2020-03-19 Minutes were approved by motion. Martin moved and Ken seconded. Unanimous approval.

Motion to approve minor change on OP-SAC 

• Ken remarked that the proposed revision arises from the ARB’s concerns during review of CSP applications for Approval that phishing was not being adequately addressed. After considering this comment the IAWG has agreed the  revision of the OP-SAC in principle on 2020-02-20.

• Ken said that he has discussed the text with Richard and the revised OP-SAC was sent to the IAWG and ARB. Ruth added that given that the ARB agreed on the change, it might be a good opportunity to make a motion to approve the proposed text. 

• It was said that the modification affects ALx_CM_CTR#020 at ALs 2, 3 and 4. Please see Kantara IAF-1420 Operational -63r2 Service Assessment Criteria v1.0.1.docx It was added that that no change is justified at AL1 since only from AL2 is the extended list of threats introduced (modelled directly from NIST SP 800-63 rev.2). Richard has modelled the revised text on that used for other sub-criteria in the cited criterion, and also allowed for ‘other fraudulent threats’, rather than phishing exclusively. It was pointed out that during the previous IAWG meetings the group was a little uncomfortable with going too far in including this specific threat type, but the fact that the criterion at AL3 and 4 also includes the caveat “The above list shall not be considered to be a complete list of threats to be addressed by the risk assessment”, this should allay those concerns.
• Ken added that ARB asked to add a semicolon after phishing and put other fraudulent attacks as item h. IAWG agreed to that format suggestion.  
• Motion: To approve the proposed revision to OP-SAC ALx_CM_CTR#020. Moved: Martin Seconded: Ken. Unanimous approval. 
• Action item: Ken to notify the LC about this minor change. 

 Updates 

• Colin mentioned that the whitepaper on mDL was released,  a collaborative effort but co-ordinated by STA. Kantara is referenced significantly: https://www.securetechalliance.org/publications-the-mobile-drivers-license-mdl-and-ecosystem/
• He announced that Matt Thompson, Idemia, is the new President of Kantara. 
• It was agreed to add the input provided to the UK government on GPG44 to the Kantara's contributions to industry calls for comments.
• Colin commented that following the mandate of OMB-M-19-17, NIST has created a Program Roadmap for SP 800-63-3 activities, which includes Implementation Resources, Conformance Criteria, and Request for Comments on SP 800-63-3 for potential Rev. 4. The Conformance Criteria will cover all normative requirements and controls for service providers for IALs 2 and 3 and for AALs 1, 2, and 3. See NIST Roadmap HERE

Discuss Initial Comments on PCTF Verified Person, Privacy, and Glossary  

• Ken shared the inconsistencies found in the 3 documents and explained the relevant ones from the comment sheets he has provided beforehand:
  • DIACC_Comment-Submission-Spreadsheet_PCTF-Glossary_ENG KD.xlsx
  • DIACC_Comment-Submission-Spreadsheet_PCTF-Privacy_ENG KD.xlsx
  • DIACC_Comment-Submission-Spreadsheet_PCTF-Verified-Person_ENG KD.xlsx

• Bary pointed out that a relationship diagram was missing to show relationship between subject, user, applicant, subscriber, participant. Ken will work on that and present if for next week.