IAWG Meeting Minutes 2013-08-8

Owned by Former user (Deleted)
Last updated: Aug 27, 2017 by Former user (Deleted)Version comment

Kantara Initiative Identity Assurance WG Teleconference

Meeting Minutes approved by IAWG 22 August 2013

 

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: IAWG Meeting Minutes 2013-08-1
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Disposition of Comments for SP800-63-2 v IAF v3.0 mapping (continuted)
    2. IAF Tickets and Issues Review
      NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts
      1. Myisha to present ARB feedback
  3. AOB
  4. Adjourn

 Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Meeting was quorate, with 7 voting participants present.

 

Voting

  • Myisha Frazier-McElveen
  • Rich Furr
  • Andrew Hughes
  • Bill Braithwaite
  • Scott Shorter
  • Matt Thompson
  • Cathy Tilton
  • Richard Wilsher

Non-Voting

  • Jeff Stollman

Staff

Apologies

  •  Ken Dagg

 

 

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2013-08-1

Motion to approve minutes of 2013/8/1: Rich Furr
Seconded: Bill Braithwaite
Discussion: None
Motion Passed 

Action Item Review

See running table below

Staff Updates

  • Director's Corner Link
    • August 8-9 meeting planned in Portland/Vancouver, WA - Kantara strategy and internal operations. Please contact Joni for details.
LC Updates
  • No meeting this cycle 
  • New format for quarterly report - easier to distribute
Participant updates
  •  

Discussion

Disposition of Comments Continued
  • Furr reviewed Wilsher's response to comments, and accepts the responses as written.
IAF Ticket Review

UPDATE: ARB comments on #527461

  • ARB has a preference to review applications and vote to accept as valid or reject as incomplete application
  • Discussion about ARB turnaround time concerns
  • Good for ARB to see the applications
  • Update procedure to include ARB vote

 

  • Noted that Tickets originators should both highlight the issue area, and also propose text
  • Further discussion on Ticket #328495
    • This text looks like it originated from 800-63
    • This may be a profile candidate
  • Request to be made to Staff to discuss this ticket with the originator.
  • Decision made to Delete the noted lines
  • Same for #314131
  • Minor edits:
    • Section 5.3.1 Line 2149: add newline
    • Section 5.4.1 Line 2725: add newline

#770408 discussed on 1 August and 8 August 2013 calls.

IAF Ticket #770408 (13 July 2013)
IAF-1400-SAC
Line:  1636 - 1640, 2149 - 2198

Reason: 
This is permitting only three protocols making IAF protocol dependent. 
Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 

Proposal: 
Delete

Discussion of ticket

  • More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
  • The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..." 
  • This looks like a candidate for a US-Specific Profile
  • The point appears to be to avoid password eavesdropping or message replay
  • Defer further discussion to next meeting

(8 August 2013) Discussion:

  • This is 800-63 specific, and is lagging the current technologies available.
  • Suggestion to specify requirements for the strength of the credential rather than the specific protocols
  • Issues include how to demonstrate 'strength'
  • An analysis is needed to update the technologies list to current.
  • "Apply only authentication protocols <text that refers to strength needed at this AL> for example: tunneled password; zero knowledge-base password; SAML assertions."
  • Defer text writing to next meeting.

Disposition:  Return for clarification | Add to IAF enhancements list

 

The text from last week's meeting is copied here for reference. Myisha to discuss ARB feedback on Ticket disposition decisions.

NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts

Identity Assurance Framework - Working Drafts

IAF Ticket #527461 (13 June 2013)

IAF Ticket #328495 (July 13, 2013)

IAF Ticket #314131 (July 13 2013)

IAF Ticket #770408 (13 July 2013)

Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions

 

IAF Ticket #527461 (13 June 2013)
New ticket 527461 created.
-------------------

The process below does not clearly state if the ARB must vote to accept 
an application and list it as registered applicant or if the application 
can be accepted by the secretariat upon performance of review that the 
application is not a wast of time (so far out of scope or not aligned 
with mission).

I apologize for the line numbers but the below, I believe, references 
the section where the clarification is needed.

Could you please ensure this is entered as a change request for the AAS 
officially?

Thank you!

Quoting from AAS v3-0:
6.7 Specific Evaluation Steps 651
The Secretariat will validate the initial Application submission up to 
and including Part I clause 652 4.1, step 9. 653 Where the Application 
is for a Full Service Approval, the Secretariat will ensure that the 
overlay 654 of the collective criteria covered by the combination of 
the Applicant