Kantara Initiative Identity Assurance WG Teleconference

DRAFT Meeting Minutes - IAWG approval required

Date and Time

Date: Thursday, 2017-04-20
Time: 12:00 PST | 15:00 EST (time zone calculator)
Please join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/380672837
- You can also dial in using your phone. United States: +1 (312) 757-3119 (more phone numbers)
- Access Code: 380-672-837

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Minutes Approval:
4. Action Item Review: action item list
5. Organization Updates - Director's Corner
6. Staff reports and updates
7. LC reports and updates
8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
1. Gather comments on the Revised Draft of the parent document for Special Publication 800-63-3 (attached).
AOB

Attendees

Link to IAWG Roster

As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)

Meeting (did / did not) achieve quorum

Voting

Scott Shorter (VC)
Denny Prvu (S)
Andrew Hughes
Richard Wilsher
Ken Daag (C)

Non-Voting

Boris Kronrod
Mark Hapner
Angela Rey

Staff

Ruth Puente
Colin Wallis

Apologies

None

Notes & Minutes

Administration

Minutes Approval

Motion to approve minutes: Denny Prvu
Seconded: Andrew Hughes
Discussion:
Motion Carried

Action Item Review

Staff Updates

Director's Corner (Link)

2017: March director's corner
Harmonization of identity and privacy a big topic at the Hamilton SC27 meeting - NIST, gov.uk, Canada Gov TBS and the Province of Alberta. Looking for a forum for such a thing, where such a thing might be standardized. They are canvassing other standards group as well as potential working partners. Colin made an offer to NIST to open up a working group and host the conversation.
ISO 29003 - identity proofing, has failed in the bid for DIS ballot - has been turned into a technical specification. It will probably come around again as an IS (international standard) proposed at a future stage after restructuring.
ISO 29115 - some national bodies have attempted to weaken the controls to match their national body requirements, that vote has failed. 29115 remains as it was, although there's expected to be a revision and study period.

LC Updates

Participant updates

Discussion

NIST 800-63-3 Comments

Denny - observation about glossary section - how much should we pick nits about missing words - "token" for example is missing. Scott notes that other docs are trying switch from token to authenticator.

Angela observes that CSP can mean Cloud Service Provider elsewhere, should the doc take account of that? Andrew points out that since CSP has a meaning in this document they don't need to harmonize with other documents.

Andrew notes about section 5 - can they confirm that the referenced risk assessment is about the relying party's assessment of risk.

Mark Hapner observes that section 5 might be the starting point for a new document about the RP's risk assessment.

RGW notes that section 6 is listed as informative, but contains SHALL statements as if it were normative.

Andrew observes that for CSPs, the Assurance Level is a shorthand for a bundle of controls. For RP, Assurance Level is a business impact assessment that results in a risk impact tolerance for the service in question. (not really a comment on 6303)

General observation that due to Kantara's focus on CSP's, there do not seem to be a lot of direct comments to be made on this particular draft.

RGW offers recommendation that the overall publication be restructured into 5 parts - the first part being informative and descriptive, the four successive parts would be expressly normative, and would address IAL, AAL, FAL and agency obligations respectively.

Ken reiterates that the assurance levels should be able to include more levels, see also comments on the 800-63A.

AOB

Attachments

Next Meeting

Date: Thursday, 2017-04-27
Time: 12:00 PT | 15:00 ET

Browser not supported