Kantara Initiative Identity Assurance WG Teleconference

Date and Time

• Date: Thursday, 22 August 2013
• Time: 07:00 PT | 10:00 ET | 14:00 UTC (time chart)
• United States Toll +1 (805) 309-2350
  Alternate Toll +1 (714) 551-9842
  Skype: +99051000000481
  
  • Conference ID: 613-2898
• International Dial-In Numbers

Agenda

1. Administration:
   
   1. Roll Call
   2. Agenda Confirmation
   3. Minutes approval: IAWG Meeting Minutes 2013-08-8
   4. Action Item Review
   5. Staff reports and updates
   6. LC reports and updates
   7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
2. Discussion
   
   1. Call for IAWG Charter Review (ref. Email to IAWG Chairs and WG)
   2. IAF Tickets and Issues Review
      
      1. IAF Ticket #770408 (13 July 2013)
      2. NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts
3. Updates
   
   1. IAF Glossary Update status (Dagg)
   2. Modular IAF status (Hughes)
4. AOB
5. Adjourn

 Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Voting

• Andrew Hughes (S)
• Scott Shorter
• Rich Furr (V-C)
• Matt Thompson
• Bill Braithwaite
• 
  

Non-Voting

• Jeff Stollman
• Ken Dagg
• Linda Goettler
• 
  

Staff

• Joni Brennan

Apologies

• Myisha Frazier-McElveen (C)

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2013-08-8

Motion to approve minutes of 2013/8/8: Bill Braithwaite
Seconded: Scott Shorter
Discussion: None
Motion Passed 

Action Item Review

See running table below

Staff Updates

• Director's Corner Link

LC Updates

Participant updates

Discussion

Call for IAWG Charter Review

(ref. Email to IAWG Chairs and WG)

Link to current IAWG Charter (July 2009)

Kantara Portland retreat in August 2013 created plans to sharpen focus for Kantara WGs. Review and update of existing WG charters was requested, due September 25 for review by LC.

The text of the request:

During the recent Kantara Leadership Retreat, we focused on the question of why Kantara exists (seehttp://kantarainitiative.org/pipermail/lc/2013-August/002348.html for a high level summary out of that retreat).  The idea is that with a clear "why", we can make sure the actions we take truly support the goals of the Kantara Initiative.  The current working DRAFT of Kantara's "why" statement is:  

DRAFT: Kantara exists to define rules of engagement for operators of online services, enabling high-value, privacy-preserving identity and access.

In order to incorporate this concept in to the Innovation side of Kantara, the work groups, we are initiating a Work Group recharter effort.  This will help make sure that the Work Groups are on track with solid deliverables and timelines that support the goal of the organization.  Work Groups can expect to receive more organizational support in terms of marketing to increase group participation and the creation of industry-driving Kantara Recommendations.  For Work Groups that do not recharter, their status will change to that of a Discussion Group, which is considered a much more informal effort. (Please see the Kantara Operating Procedures for a more detailed definition of Work Group and Discussion Group: http://kantarainitiative.org/confluence/x/owVAAg .)

The link to your current charter can be found on your space in the Kantara wiki.  The LC would like to have the updated charters in by September 25.  The LC will discuss and review the charters over the month of October.

Discussion

• Need to assemble a subgroup to look at the charter
  
  • Volunteers: Rich Furr; Linda Goettler; Andrew Hughes; Scott Shorter
• Deeper discussion deferred to subgroup

IAF Ticket Review

IAFTicketReview

NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts

#770408 discussed on 1 August and 8 August 2013 calls.

IAF-1400-SAC
Line:  1636 - 1640, 2149 - 2198

Reason: 
This is permitting only three protocols making IAF protocol dependent. 
Currently, it is listing tunneled password, zero knowledge-base password; SAML assertions. 

Proposal: 
Delete 

Discussion of ticket

• More research required - Need to know the source of the 3 Protocols listed (are they specified in 800-63?)
• The list is specific to the 3 protocols - is this the intent? "Permit ONLY the following ..." 
• This looks like a candidate for a US-Specific Profile
• The point appears to be to avoid password eavesdropping or message replay
• Defer further discussion to next meeting

(8 August 2013) Discussion:

• This is 800-63 specific, and is lagging the current technologies available.
• Suggestion to specify requirements for the strength of the credential rather than the specific protocols
• Issues include how to demonstrate 'strength'
• An analysis is needed to update the technologies list to current.
• "Apply only authentication protocols <text that refers to strength needed at this AL> for example: tunneled password; zero knowledge-base password; SAML assertions."
• Defer text writing to next meeting.

(IAWG Listserv email contribution - Wilsher)

Re. today's discussion on the criterion below, I propose the following text
(there is no stipulation at AL1;  AL3 would be the same, except for the
existing qualifier "For non-PKI credentials, apply ...", and of course 'AL2'
would be replaced with 'AL3'; AL4 is also no stipulation).  

Regards,
RGW

AL2_CM_CTR#025   Authentication protocols

Apply only authentication protocols which, through a comparative risk
assessment appropriate for AL2, are shown to have resistance to attack at
least as strong as that provided by commonly-recognized protocols such as:

a)                  tunneled password;

b)                 zero knowledge-base password;

c)                  SAML assertions.

Guidance:  Whilst many authentication protocols are well-established and may
be mandated or strongly-recommended by specific jurisdictions or sectors
(e.g. standards published by national SDOs or applicable to
government-specific usage) this criterion gives flexibility to advanced and
innovative authentication protocols for which adequate strength can be shown
to be provided by the protocol applied with the specific service.

Disposition:  Add to IAF enhancements list

Updates

IAF Glossary Update status (Dagg)

• One set of comments received
• Deadline for comments is August 26 2013
• Ken to proceed with final draft after this point

Modular IAF status (Hughes)

• Subgroup is working on a draft report
  • Table of Contents is firm
  • Material from previous documents has been merged into the ToC
  • Currently developing function/service -> Role -> organization mappings that describe existing Deployment Patterns such as FICAM & Government of Canada
  • Expect to distribute to IAWG within 5 weeks for discussion

AOB

• Expect a new ticket on the requirement to retain identity proofing data for PKI credentials for 7.5 years. This is not specified for non-PKI credentials. Could imply an infinite retention requirement.
  
  • General support
  • Suggestion that the period of time should be non-specific but guided by sectors or regulations.

Action Items

Recently Closed Action Items

Attachments

Next Meeting

• Date: Thursday, 29 August 2013 
• Time: 07:00 PT | 10:00 ET | 15:00 UTC (time chart)
• United States Toll +1 (805) 309-2350
  Alternate Toll +1 (714) 551-9842
  Skype: +99051000000481
  
  • Conference ID: 613-2898
• International Dial-In Numbers