IAWG Meeting Minutes 2017-11-30
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Action Item Review: action item list
- Organization Updates - Director's Corner
- Staff reports and updates
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Discussion
Review and approve 63A/B SACs
Discuss approach on new GSA requirements and approve Project Plan
Initial comments on GSA Concept of Operations and Certification Process drafts. - AOB
Attendees
As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)
Meeting (did) achieve quorum
Voting
- Mark Hapner, Resilient
- Denny Prvu, Secretary
- Scott Shorter, IAWG Vice Chair
- Ken Dagg. IAWG Chair
- Andrew Hughes, LC Chair
- Richard Wilsher, Zygma
Non-Voting
- Aakash Yadav, OKTA
- José Lopez, Zentry
- Christine Abruzzi US Arlington
Staff
- Colin Wallis, KI ED
- Ruth Puente, KI Executive
Apologies
- None
Notes & Minutes
Staff Updates
Director's Corner October Report
Some highlights:
- GDPR Summit beginning of October. http://www.gdprsummit.london/
- Working on Privacy Summit and Standards. Mark Lizar is leading the effort and evaluating the feasibility to held an event in January 2019., which would be the first KI event.
- Pre-conference workshop to curtain-raise Kuppinger Cole's Consumer Identity World Tour 2017 in Paris, 27th November, where Consumer identity and Access management, UMA and Consent Receipt were presented.
Discussion
Review and Approve 63A and 63B SACs
AY asked when 63C SAC would be developed. SSH responded that the work was focused on 63A and 63B (Level 2) as immediate deliverable, in long term we plan to develop criteria for C as well.
AH added that further developments would be demand driven. The current product was developed with the intention that CSPs can be re-certified in alignment with 800-63-3, basically IAL2 and AL2. In the future, KI will be developing criteria for 63-3 AL 1 and 2, IAWL 1 and 3, 63-C.
SS presented 63A/B SACs that SG 800-63-3 has developed:
KD thanked Scott for leading the team that developed the SAC and all the volunteers that helped to develop the SACs. Also, he thanked ID.me sponsorship of this work. CW stressed the relevance of ID.me sponsorship and thanked KUMA for the volunteer effort, as well as to all volunteers.
KD provided SACs next steps and schedule:
- Public Comment Period and IPR Review: Opens: 4 December 2017. Closes: 22 January 2018
- Potential changes implementation according to comments received 22 January - 31 January 2018
- LC to Certify sending the SACs to All Member Ballot: 1-8 February 2018
- All Member Ballot Opens 9 February – Closes (?) 24 March 2018 (maximum). Min 14 days – Max 45 days. Requires a "Supermajority of those voting, with at least 15% of all members voting" (i.e. at least 75% of those casting a vote must vote to approve).
- Implementation Deadline set by NIST: 22 June 2018
AH requested to list the active contributors of this work in the front page or second page.
63A
SS commented about the philosophy that was applied.
- A SHALL was an easy guidance to follow. NIST requirement about SHOULD is not mandatory, but there was a lot of discussion on this. What is intended with SHOULD?, you should but there are not consequences?. Should it be interpreted as a SHALL or weak (no enforceable at all)?.
- Original requirement on the left. In KI criteria we added a Subject as most of the texts were passive.
- The group tunned the requirements to ensure CSP is doing its part.
AH asked if SACs reflect the errata of 800-63-3 documents. He does not see version and date of document, so he suggested to make sure the documents are correctly labeled and identify the date we pulled the source document.
SS commented that as additional value it would be good some exposition about theories of why different types of identity evidence meet different strings, provide specific examples, explanations and analysis. He is not sure if KI would put a stamp on it or GSA would provide a implementation guidance similar to what NIST did with FIPs 114. He said that now that we have new requirements let´s make sure real work examples are following into the same slots when everybody evaluates.
AH added that having guidance documents and real implementation examples would be part of the document kit. He also commented that we can collate the material over the time.
SS said that as part of potential changes to the policy, we can take a proposal to ARB: Take out of each assessment what level of evidence was used, etc. more transparency when possible. CW confirmed that this is a policy decision to ARB.
AH commented that presenting the spreadsheets forms as a traceability matrix, we can demonstrate coverage to 800-63-3 requirements. Others are making mappings to the requirements of 800-63-3. KI criteria has some traceable properties.
63B
SS said that 63A and 63B SACs are ONLY at xAL2.
63B Only one panel, no sub-tables. Types of authenticators are reflected in groups below, there come blocks of applicable criteria that are mandatory.
SS asked to take note to solve Row 91 Number 63B#0280- "Scott to add references".
AH suggested that we should remove the highlights in yellow.
Motions to approve 63A and 63B and move to next step in the process proposed by AH.
Motion: After the cosmetic changes 63A SAC be circulated to public comment and PR Review.
Motion 63B: same motion above.
MH seconded both motions.
Motions carried.
Discuss approach on new GSA requirements and approve Project Plan
KD commented that GSA has circulated process and procedures documents for TFS Program, ConOps and Certification Process drafts. They request to have comments back to them on these 2 documents by December 22, 2017.
He added that second part of KI work will be to identify changes to its internal process (See Project Plan)
KD presented the DRAFT KI approach to GSA process and procedures documents 20171129.docx to tackle comments to GSA and changes to KI Trust Framework Operations Program.
KD proposed to create a sub-group and made a call for participants
Volunteers:
Colin W.
Andrew H.
Scott S.
Mark H.
Richard W.
First meeting of new Sub-group: Tuesday 14:00 ET
AH stressed the importance of this process, as these docs. which are under review at GSA, are the requirements for KI to be able to offer approvals and assessments. He said that there are some significant requirement increases, these are the docs. by which KI operates.
KD informed that he would emphasize this to ARB on Monday and get their input to this process, and will also encourage them to offer their comments.
KD asked RP to re-send the comments of RW as basis for the sub-group.
RW commented that he reviewed the CO SAC and made a cross check with 63A and 63B SACs. 4 or 5 criteria could be withdrawn as they are covereded by 63A or B SAC.
SS suggested to raise the cross check discussion with COSAC next Tuesday in the new SG meeting.
CW encouraged the participants to take this survey as it is related to current IAWG discussion: https://www.surveymonkey.com/r/5YZ3Y9X
Next Meeting
- Date: Thursday, 2017-12-7
- Time: 12:00 PT | 15:00 ET
Write a comment…
Powered by a free Atlassian Confluence Community License granted to Kantara Intiative . Evaluate Confluence today.