2020-05-28 Minutes
Attendees
Voting Participants: Ken Dagg; Mark Hapner; Martin Smith; Richard Wilsher.
Invited guests: Tom Jones
Staff: Colin Wallis and Ruth Puente
Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Action Item Review: action item list
- Minutes approval: 2020-04-16 Draft Minutes
- Staff reports and updates - Keeping up with the Kantarians and Director's Corner
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews)
2. Discussion
- Presentation of KIAF NIST SP 800-63C Service Assessment Criteria at FAL2 - KIAF 1450 - Attached (It was also sent yesterday in the request for comments).
- Preparation of new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively (xAL3) - Call for volunteers.
3.Any Other Business
Updates:
- Ken mentioned that LC has not met for the last couple of months. LC is discussing how to, and what should be done about Mobile Drivers Licenses, which will form probably a Work Group in the near future. Ken said there is still room on the email list for interested people (contact ED for this).
Minutes approval:
- Motion: To approve 2020-04-16 Minutes.Moved: Richard Wilsher; Seconded: Mark Hapner. Unanimous Approval.
Presentation of KIAF NIST SP 800-63C Service Assessment Criteria at FAL2 - KIAF 1450
- Ken explained that yesterday it was accomplished a set of Service Assessment Criteria for 63C that the subgroup is happy with.
Richard presented the 63C FAL2 draft: KIAF-1450 SP 800-63C Service Assessment Criteria v0.13.0.xlsx
- Richard explained that a decade back, the criteria was written in Word. Now, with 63C rev.3 it is being used Excel.
- In columns A to H, it has been replicated the source, the reference text from 800-63C. From A to F, it is clause structure from that document.
- H is the extracted Normative text. It is not the whole text; this only include those statements which are clearly normative because they have the word “SHALL or required”. All the statements saying “may” or “should”, have been omitted and have not contributed to writing the criteria.
- The other thing that is different about 63C is that it very clearly refers to specific entities (Columns I to L), like RP, IdP, FA and US Fed Agcy.
- Column M contains a tag to each criterion. Index is sub-criteria (column N-P). Then, there is the KI Criterion (Column Q). This was written with consistent terminology.
- Finally, in column R are the editor’s comments and queries.
- Column S: Determines the status of each criteria.
- Ken added that Classes of Approval could be an RP getting an assessment, CSP and IdP could get an assessment, a Federation Authority can get an assessment or any combination of those can get an assessment. That is important because if it is an already stablished Federation and if an RP wants to join it, and there is a specific set of criteria that they have to meet, similarly if a CSP wishes to join an already existing Federation, there is maybe a set of criteria that they have to meet. It will open up the Assessment business.
- Richard pointed out that having described the vertical perspective of what this is all about, he highlighted a couple of features and explained what has been done in the document. One of the things was a few words about Federation Authorities and Federation Agreements, he thought it would be helpful for reviewers.
- Richard explained that in column H, it was explained that it contains NIST text, it is true, but it is important to understand that there will be occasions in which will be Kantara’s specific requirements (special shade).
- Richard commented that in 7.1 NIST talks about Back-Channel Presentation of Assertions and in 7.2 it talks about Front-Channel Presentation of Assertions. Richard said that they basically made a number of reflective statements upon what RPs will do with subscribers and with IdPs, what IdPs will do with RPs and subscribers. Therefore, he wrote all of those comments up into a single or small set of clauses.
- Richard added that NIST identifies a role as a Federation Authority and it does not much define it. However, NIST also says that it does not have to be one. From a perspective of performing an Assessment for Federation, if you do not know what a Federation is trying to achieve, it is going to be a little tough to assess any of the participants because you do not have a concrete specification. Accordingly, Kantara introduced the idea of a Federation Agreement, being a document or set of documents which define how the participants in the Federation will behave and will construct their assertions, etc. There were also defined sub-criteria that define good practices in establishing a Federation.
- Mark clarified it is basically a contract among the parties, whether it is issued by the authority or the participants.
- Tom asked if when he evaluates this, the IdP in fact is under the control of the subscriber. He said that if he gives weird feedback, it is because he is looking at it from the point of view of the IdP being in the user’s telephone for example. He added that a user can have several identifiers, he also explained that subjects are not looked like humans specifically.
- Richard explained that in Kantara speak, there are used two terms: Subscriber and Subject. They are very often the same entity, but in the case of a corporate entity having a number of none of a life form identity operated within it, the Subscriber would be the corporate entity and the Subject would be the individual identities for whatever representation that corporation requires.
Call for comments:
- Since it only came out yesterday, Ruth sent a note yesterday afternoon with a request for comments.
- The idea is to get comments by next Tuesday at CoB. Ken asked the group to let Ruth and him know if there are major concerns or comments to be addressing them in a future meeting. The comment period for IAWG will be about a week, and the plan is to approve the document on Thursday, June 4.
- Richard said that comments will be appreciated, the idea is to write those in the Comments column. He asked to please add the initials (name) and a number, and add comments with reasons supporting them.
Next steps:
- After the draft is approved by the IAWG, it will enter a 45-day Public Comment and IPR Review; after which it should be approved by Kantara All-Member Ballot.
- It was explained that publishing 63C FAL 2 will take place at a later date; this work is under contract to one of Kantara’s members. They requested that the level 3 criteria takes place at the same time, therefore both documents will be released at the same time. Ken pointed out that IAL3, AAL3 and FAL3 will go as separate documents and get them done for public review (IPR Public Review) and then, All-Member Ballot independently. The work who developed the level 3 for FAL, IAL and AAL, it would be good for FAL2 to form a Sub-Group within Kantara to work this through. The drafts of these documents are almost done, IAL3 is the shortest.
Preparation of new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively (xAL3) - Call for volunteers.
- Ken mentioned that there is a Call for Volunteers to review the xAL3 SACs. He asked to let Ruth or him know if someone is going to volunteer or interested people can show up at next Wednesday meeting call. For those who are part of the Sub-Group for FAL2, the same URL will work.
- Ruth added that she plans to create a new mailing list to avoid confusions, if it is not an issue for the participants. Ken agreed and he said that he will send an email to thank everyone and to inform that Ruth is going to send information about the new mailing list.
- Ken clarified that this is a group for a very specific task.