IAWG Meeting Minutes 2013-08-1

Owned by Former user (Deleted)
Last updated: Jan 13, 2014 by Former user (Deleted)
5 min read

Kantara Initiative Identity Assurance WG Teleconference

Minutes approved by IAWG 8 August 2013

 

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: IAWG Meeting Minutes 2013-07-18
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Roadmap review
    2. IAF Tickets and Issues Review
      1. IAF Ticket #527461 (13 June 2013)
      2. IAF Ticket #328495 (July 13, 2013)
      3. IAF Ticket #314131 (July 13 2013)
      4. IAF Ticket #770408 (13 July 2013)
      5. Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
    3. Glossary status update
    4. Modular IAF Sub-group update
  3. AOB
  4. Adjourn

 Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Meeting was quorate, with 5 voting participants present.

 

Voting

  • Andrew Hughes
  • Scott Shorter
  • Matt Thompson
  • Bill Braithwaite
  • Cathy Tilton

Non-Voting

  • Ken Dagg
  • Jeff Stollman

Staff

Apologies

  • Myisha Frazier-McElveen
  • Richard Wilsher

 

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2013-07-18

Motion to approve minutes of 2013/7/18: Cathy Tilton
Seconded: Matt Thompson
Discussion: None
Motion Passed

Action Item Review

See running table below

Staff Updates

  • Director's Corner Link
    • August 8-9 meeting planned in Portland/Vancouver, WA - Kantara strategy and internal operations. Please contact Joni for details.
LC Updates
  • No meeting this cycle 
Participant updates
  • none new

Discussion

Roadmap review

IAWG Roadmap - 2013

 

IAF Ticket Review

IAF Ticket #527461 (13 June 2013)

IAF Ticket #328495 (July 13, 2013)

IAF Ticket #314131 (July 13 2013)

IAF Ticket #770408 (13 July 2013)

Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions

 

IAF Ticket #527461 (13 June 2013)
New ticket #527461 created.
-------------------

The process below does not clearly state if the ARB must vote to accept 
an application and list it as registered applicant or if the application 
can be accepted by the secretariat upon performance of review that the 
application is not a wast of time (so far out of scope or not aligned 
with mission).

I apologize for the line numbers but the below, I believe, references 
the section where the clarification is needed.

Could you please ensure this is entered as a change request for the AAS 
officially?

Thank you!

Quoting from AAS v3-0:
6.7 Specific Evaluation Steps 651
The Secretariat will validate the initial Application submission up to 
and including Part I clause 652 4.1, step 9. 653 Where the Application 
is for a Full Service Approval, the Secretariat will ensure that the 
overlay 654 of the collective criteria covered by the combination of 
the Applicant’s SoC and those of its 655 component parts encompasses 
100% of all SAC for the chosen Assurance Level. 656 When all of these 
validation steps are completed affirmatively, the Secretariat shall 
advise the 657 Applicant’s Point of Contact (APoC) that the Application 
has been found fit for assessment. The 658 Secretariat shall then take 
these additional steps: 659

a) Counter-sign and return the SPA to the CSP’s APoC; 660
b) File the Application for later reference, and; 661
c) Notify the Chairman of the ARB of the Application’s receipt (simply 
for advisory purposes 662 – no action is required of the ARB at this 
stage). 663
Evidence of its acceptance of the SPA is a necessary pre-requisite to 
enable the Applicant’s chosen 664 Assessor to formalize the contract 
for Assessment (see clause 6.8, below).

Discussion of ticket

  • Request is clear
  • Request is not Errata
  • Experience with TrustX was that there was a lengthy delay between submission and approval of receipt.
  • Where applicants see a business benefit in being listed as 'in progress' on the Trust Status List, a quicker turn-around time is preferred
  • Opinion is that early list as in-progress is preferred - no downside anticipated.

 

Disposition: Add to IAF enhancements list

 

IAF Ticket #328495 (July 13, 2013)
IAF-1400-SAC
Line: 1417, 1598

Reason:
It is listing particular techniques. IAF wants to be protocol and techniques independent.

Proposal:
Change the line to as follows.

These criteria apply to any credentials.

Discussion of ticket

  • Suggestion from group is to use "These criteria apply to any credentials, for example, PIN, Password or SAML Assertions"
  • Editor to search for similar specification of particular methods, and include generalizing text as above.

Disposition: Add to IAF enhancements list

 

IAF Ticket #314131 (July 13 2013)
IAF-1400-SAC
Line: (not listed)

Reason:
Again, it is listing limited number of technologies. Generalization is sought.

Proposal:
Replace including after "These criteria apply to ... " with "These criteria apply to any credentials."

 

Discussion of ticket

  • Same disposition as Ticket # 328495

Disposition: Add to IAF enhancements list

 

IAF Ticket #770408 (13 July 2013)
IAF-1400-SAC
Line:  1636 - 1640, 2149 - 2198

Reason: 
This is permitting only three protocols making IAF protocol dependent. 
Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 

Proposal: 
Delete

 

Discussion of ticket

  • More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
  • The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..." 
  • This looks like a candidate for a US-Specific Profile
  • The point appears to be to avoid password eavesdropping or message replay
  • Defer further discussion to next meeting

Disposition:  Return for clarification | Add to IAF enhancements list

 

Discussion of AL2_CM_CTR#028 and AL2_CM_CTR#025 questions
1. AL2_CM_CTR#028 seems to stipulate OTPs that are both event- _and_ time-base
which is a bit strange. It seems this confusion is in 800-63-1 aswell. If (for instance) 
b and c were combined, and there was an OR in the lead-in (line 1642) then the 
criterion would allow both (sensible) time and event-based OTP-devices which I 
suspect was the intent.

2. AL2_CM_CTR#025 doesn't permit the use of public key-based authn for AL2. This
must be an oversight right?

If you all agree we should open tickets for these and probably talk to somebody 
at NIST about (1).

 

Discussion of Questions

  • Comment appears valid
  • #1 is Errata - Need to raise with NIST for direction, but the requester makes a reasonable case
  • #2 is the same as Ticket #770408

Disposition: Errata | Add to IAF enhancements list

AOB

 Defer to future meeting

Action Items

Item #DescriptionAssigned toEst. CompletionStatus
2013-06-06-002

Review RGW 800-63-2 vs KI IAF mapping documents and provide feedback

  • (2013-Jun-20): Minimal comments and feedback received from IAWG by email; last chance for IAWG comments on the 2 documents Tuesday 25 June 2013
  • (2013-Jun-27): Discussed specific clauses on-call.
All27 June 2013In progress
2013-06-06-005

IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach

(2013-Aug-1): Comment that perhaps ICAM should be invited as well.

Staff / IAWG LeadsTBDNot started
2013-06-13-001

Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options

  • (2013-Jun-20): Discussion occurred; vision has been always to have a CMS - possibly a database with online self-serve document generation capability (in whichever output format is needed); team will be needed to draw up a wireframe and requirements for a custom developed tool
  • (2013-Jun-27): Call for lead is required. Myisha to send a call to list for volunteer lead.
Myisha20 June 2013In progress
2013-06-13-002

Glossary updates underway. Next draft should be available in 4 weeks

(11July2013): Defer item to future meeting

(1Aug2013): No comments on new additions received yet - reminder sent to sub-group.

Ken Dagg

Updated:12 Sept 2013

In Progress
2013-08-1-001

The text of the Tickets is not easily accessible.

This is due to the policy that the source of comment must be kept confidential, and the Confluence Ticket system does not permit sequestration of the commenter identity.

Secretary to create a place on the wiki for disposition of Tickets, including the ticket text itself.

Andrew Hughes8 August 2013Not Started
2013-08-1-002Forward Ticket items that have been resolved to correct lists for next action.Andrew Hughes8 August 2013Not Started

 

Recently Closed Action Items

Item #DescriptionAssigned toEst. CompletionStatus
     

 

 

Attachments

 

 

Next Meeting