IAWG Meeting Minutes 2013-08-1
Kantara Initiative Identity Assurance WG Teleconference
Minutes approved by IAWG 8 August 2013
Date and Time
Date: Thursday, 1 August 2013
Time: 07:00 PT | 10:00 ET | 14:00 UTC (time chart)
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481 | Conference ID: 613-2898
Agenda
Administration:
Roll Call
Agenda Confirmation
Minutes approval: IAWG Meeting Minutes 2013-07-18
Action Item Review
Staff reports and updates
LC reports and updates
Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
Roadmap review
IAF Tickets and Issues Review
IAF Ticket #527461 (13 June 2013)
IAF Ticket #328495 (13 July 2013)
IAF Ticket #314131 (13 July 2013)
IAF Ticket #770408 (13 July 2013)
Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
Glossary status update
Modular IAF Sub-group update
AOB
Adjourn
Attendees
Link to IAWG Roster
As of 1 July 2013, quorum is 5 of 9
Meeting was quorate, with 5 voting participants present.
Voting
Andrew Hughes
Scott Shorter
Matt Thompson
Bill Braithwaite
Cathy Tilton
Non-Voting
Ken Dagg
Jeff Stollman
Staff
Apologies
Myisha Frazier-McElveen
Richard Wilsher
Notes & Minutes
Administration
Minutes Approval
IAWG Meeting Minutes 2013-07-18
Motion to approve minutes of 2013/7/18: Cathy Tilton
Seconded: Matt Thompson
Discussion: None
Motion Passed
Action Item Review
See running table below
Staff Updates
Director's Corner Link
August 8-9 meeting planned in Portland/Vancouver, WA - Kantara strategy and internal operations. Please contact Joni for details.
LC Updates
No meeting this cycle
Participant updates
none new
Discussion
Roadmap review
IAF Ticket Review
IAF Ticket #527461 (13 June 2013)
IAF Ticket #328495 (13 July 2013)
IAF Ticket #314131 (13 July 2013)
IAF Ticket #770408 (13 July 2013)
Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
IAF Ticket #527461 (13 June 2013)
New ticket #527461 created.
-------------------
The process below does not clearly state if the ARB must vote to accept an application and list it as registered applicant or if the application can be accepted by the secretariat upon performance of review that the application is not a waste of time (so far out of scope or not aligned with mission).
I apologize for the line numbers but the below, I believe, references the section where the clarification is needed.
Could you please ensure this is entered as a change request for the AAS officially?
Thank you!
Quoting from AAS v3-0:
6.7 Specific Evaluation Steps 651
The Secretariat will validate the initial Application submission up to
and including Part I clause 652 4.1, step 9. 653 Where the Application
is for a Full Service Approval, the Secretariat will ensure that the
overlay 654 of the collective criteria covered by the combination of
the Applicant’s SoC and those of its 655 component parts encompasses
100% of all SAC for the chosen Assurance Level. 656 When all of these
validation steps are completed affirmatively, the Secretariat shall
advise the 657 Applicant’s Point of Contact (APoC) that the Application
has been found fit for assessment. The 658 Secretariat shall then take
these additional steps: 659
a) Counter-sign and return the SPA to the CSP’s APoC; 660
b) File the Application for later reference, and; 661
c) Notify the Chairman of the ARB of the Application’s receipt (simply
for advisory purposes 662 – no action is required of the ARB at this
stage). 663
Evidence of its acceptance of the SPA is a necessary pre-requisite to enable the Applicant’s chosen 664 Assessor to formalize the contract for Assessment (see clause 6.8, below).
Discussion of ticket
Request is clear
Request is not Errata
Experience with TrustX was that there was a lengthy delay between submission and approval of receipt.
Where applicants see a business benefit in being listed as 'in progress' on the Trust Status List, a quicker turn-around time is preferred
Opinion is that early list as in-progress is preferred - no downside anticipated.
Disposition: Add to IAF enhancements list
IAF Ticket #328495 (13 July 2013)
IAF-1400-SAC
Line: 1417, 1598
Reason:
It is listing particular techniques. IAF wants to be protocol and techniques independent.
Proposal:
Change the line to as follows.
These criteria apply to any credentials.
Discussion of ticket
Suggestion from group is to use "These criteria apply to any credentials, for example, PIN, Password or SAML Assertions"
Editor to search for similar specification of particular methods, and include generalizing text as above.
Disposition: Add to IAF enhancements list
IAF Ticket #314131 (13 July 2013)
IAF-1400-SAC
Line: (not listed)
Reason:
Again, it is listing limited number of technologies. Generalization is sought.
Proposal:
Replace including after "These criteria apply to ... " with "These criteria apply to any credentials."
Discussion of ticket
Same disposition as Ticket # 328495
Disposition: Add to IAF enhancements list
IAF Ticket #770408 (13 July 2013)
IAF-1400-SAC
Line: 1636 - 1640, 2149 - 2198
Reason:
This is permitting only three protocols making IAF protocol dependent.
Currently, it is listing tunneled password, zero-knowledge-based password, and SAML assertions.
Proposal:
Delete
Discussion of ticket
More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..."
This looks like a candidate for a US-Specific Profile
The point appears to be to avoid password eavesdropping or message replay
Defer further discussion to next meeting
Disposition: Return for clarification | Add to IAF enhancements list
Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
1. AL2_CM_CTR#028 seems to stipulate OTPs that are both event- _and_ time-based, which is a bit strange. It seems this confusion is in 800-63-1 as well. If (for instance) b and c were combined, and there was an OR in the lead-in (line 1642), then the criterion would allow both (sensible) time- and event-based OTP devices, which I suspect was the intent.
2. AL2_CM_CTR#025 doesn't permit the use of public key-based authn for AL2. This must be an oversight, right?
If you all agree we should open tickets for these and probably talk to somebody at NIST about (1).
Discussion of Questions
Comment appears valid
#1 is Errata - Need to raise with NIST for direction, but the requester makes a reasonable case
#2 is the same as Ticket #770408
Disposition: Errata | Add to IAF enhancements list
AOB
Defer to future meeting
Action Items
| Item # | Description | Assigned to | Est. Completion | Status |
|---|---|---|---|---|
| 2013-06-06-002 | Review RGW 800-63-2 vs KI IAF mapping documents and provide feedback | All | 27 June 2013 | In progress |
| 2013-06-06-005 | IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach (2013-Aug-1): Comment that perhaps ICAM should be invited as well. | Staff / IAWG Leads | TBD | Not started |
| 2013-06-13-001 | Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options | Myisha | 20 June 2013 | In progress |
| 2013-06-13-002 | Glossary updates underway. Next draft should be available in 4 weeks (11 July 2013): Defer item to future meeting (1 Aug 2013): No comments on new additions received yet - reminder sent to sub-group. | Ken Dagg | Updated: 12 Sept 2013 | In Progress |
| 2013-08-1-001 | The text of the Tickets is not easily accessible. This is due to the policy that the source of comment must be kept confidential, and the Confluence Ticket system does not permit sequestration of the commenter identity. Secretary to create a place on the wiki for disposition of Tickets, including the ticket text itself. | Andrew Hughes | 8 August 2013 | Not Started |
| 2013-08-1-002 | Forward Ticket items that have been resolved to correct lists for next action. | Andrew Hughes | 8 August 2013 | Not Started |
Recently Closed Action Items
| Item # | Description | Assigned to | Est. Completion | Status |
|---|---|---|---|---|
Attachments
Next Meeting
Date: Thursday, 8 August 2013
Time: 07:00 PT | 10:00 ET | 15:00 UTC (time chart)
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481 | Conference ID: 613-2898