IAWG Meeting Minutes 2013-08-22

Kantara Initiative Identity Assurance WG Teleconference

Meeting Minutes - approved by IAWG 29 August 2013

 

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: IAWG Meeting Minutes 2013-08-8
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Call for IAWG Charter Review (ref. Email to IAWG Chairs and WG)
    2. IAF Tickets and Issues Review
      1. IAF Ticket #770408 (13 July 2013)
      2. NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts
  3. Updates
    1. IAF Glossary Update status (Dagg)
    2. Modular IAF status (Hughes)
  4. AOB
  5. Adjourn

Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

Meeting was quorate with 5 voting members present

 

Voting

  • Andrew Hughes (S)
  • Scott Shorter
  • Rich Furr (V-C)
  • Matt Thompson
  • Bill Braithwaite

Non-Voting

  • Jeff Stollman
  • Ken Dagg
  • Linda Goettler

Staff

  • Joni Brennan

Apologies

  • Myisha Frazier-McElveen (C)

 

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2013-08-8

Motion to approve minutes of 2013/8/8: Bill Braithwaite
Seconded: Scott Shorter
Discussion: None
Motion Passed 

Action Item Review

See running table below

Staff Updates

LC Updates

Participant updates

Discussion

Call for IAWG Charter Review

(ref. Email to IAWG Chairs and WG)

Link to current IAWG Charter (July 2009)

The Kantara Portland retreat in August 2013 produced plans to sharpen the focus of the Kantara WGs. A review and update of existing WG charters was requested, due September 25 for review by the LC.

The text of the request:

During the recent Kantara Leadership Retreat, we focused on the question of why Kantara exists (see http://kantarainitiative.org/pipermail/lc/2013-August/002348.html for a high level summary out of that retreat). The idea is that with a clear "why", we can make sure the actions we take truly support the goals of the Kantara Initiative. The current working DRAFT of Kantara's "why" statement is:

DRAFT: Kantara exists to define rules of engagement for operators of online services, enabling high-value, privacy-preserving identity and access.

In order to incorporate this concept into the Innovation side of Kantara, the work groups, we are initiating a Work Group recharter effort. This will help make sure that the Work Groups are on track with solid deliverables and timelines that support the goal of the organization. Work Groups can expect to receive more organizational support in terms of marketing to increase group participation and the creation of industry-driving Kantara Recommendations. For Work Groups that do not recharter, their status will change to that of a Discussion Group, which is considered a much more informal effort. (Please see the Kantara Operating Procedures for a more detailed definition of Work Group and Discussion Group: http://kantarainitiative.org/confluence/x/owVAAg.)

The link to your current charter can be found on your space in the Kantara wiki. The LC would like to have the updated charters in by September 25. The LC will discuss and review the charters over the month of October.

Discussion

  • Need to assemble a subgroup to look at the charter
    • Volunteers: Rich Furr; Linda Goettler; Andrew Hughes; Scott Shorter
  • Deeper discussion deferred to subgroup

IAF Ticket Review

The text from prior meetings is copied here for reference.

NOTE: All tickets now posted at Identity Assurance Framework - Working Drafts

#770408 discussed on 1 August and 8 August 2013 calls.

IAF Ticket #770408 (13 July 2013)
IAF-1400-SAC
Lines: 1636 - 1640, 2149 - 2198

Reason:
This permits only three protocols, making the IAF protocol-dependent.
Currently it lists: tunneled password; zero knowledge-base password; SAML assertions.

Proposal:
Delete

Discussion of ticket

  • More research required - need to know the source of the 3 protocols listed (are they specified in 800-63?)
  • The list is specific to the 3 protocols - is this the intent? ("Permit ONLY the following ...")
  • This looks like a candidate for a US-Specific Profile
  • The point appears to be to avoid password eavesdropping or message replay
  • Defer further discussion to next meeting

(8 August 2013) Discussion:

  • This is 800-63-specific and lags the technologies currently available.
  • Suggestion to specify requirements for the strength of the credential rather than the specific protocols
  • Issues include how to demonstrate 'strength'
  • An analysis is needed to update the technologies list to current.
  • "Apply only authentication protocols <text that refers to strength needed at this AL> for example: tunneled password; zero knowledge-base password; SAML assertions."
  • Defer text writing to next meeting.

(IAWG Listserv email contribution - Wilsher)

Re. today's discussion on the criterion below, I propose the following text (there is no stipulation at AL1; AL3 would be the same, except for the existing qualifier "For non-PKI credentials, apply ...", and of course 'AL2' would be replaced with 'AL3'; AL4 is also no stipulation).

Regards,
RGW

AL2_CM_CTR#025 Authentication protocols

Apply only authentication protocols which, through a comparative risk assessment appropriate for AL2, are shown to have resistance to attack at least as strong as that provided by commonly-recognized protocols such as:

a) tunneled password;

b) zero knowledge-base password;

c) SAML assertions.

Guidance: Whilst many authentication protocols are well-established and may be mandated or strongly-recommended by specific jurisdictions or sectors (e.g. standards published by national SDOs or applicable to government-specific usage) this criterion gives flexibility to advanced and innovative authentication protocols for which adequate strength can be shown to be provided by the protocol applied with the specific service.

(22 August 2013 Discussion):

  • Support was expressed by several participants

Disposition: Add to IAF enhancements list

Updates

IAF Glossary Update status (Dagg)

  • One set of comments received
  • Deadline for comments is August 26 2013
  • Ken to proceed with final draft after this point

Modular IAF status (Hughes)

  • Subgroup is working on a draft report
    • Table of Contents is firm
    • Material from previous documents has been merged into the ToC
    • Currently developing function/service -> Role -> organization mappings that describe existing Deployment Patterns such as FICAM & Government of Canada
    • Expect to distribute to IAWG within 5 weeks for discussion

AOB

  • Expect a new ticket on the requirement to retain identity proofing data for PKI credentials for 7.5 years. No period is specified for non-PKI credentials, which could imply an infinite retention requirement.
    • General support
    • Suggestion that the period of time should be non-specific but guided by sectors or regulations.

 

Action Items

Columns: Item # | Description | Assigned to | Est. Completion | Status

Item #: 2013-06-06-005
Description: IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach
  (2013-Aug-1): Comment that perhaps ICAM should be invited as well.
Assigned to: Staff / IAWG Leads
Est. Completion: TBD
Status: Not started

Item #: 2013-06-13-001
Description: Chair to discuss with Exec. Director the need for a Content Management System analysis and potential tool for IAF/SAC & funding options
  • (2013-Jun-20): Discussion occurred; vision has been always to have a CMS - possibly a database with online self-serve document generation capability (in whichever output format is needed); team will be needed to draw up a wireframe and requirements for a custom developed tool
  • (2013-Jun-27): Call for lead is required. Myisha to send a call to list for volunteer lead.
Assigned to: Myisha
Est. Completion: 20 June 2013
Status: In progress

Item #: 2013-06-13-002
Description: Glossary updates underway. Next draft should be available in 4 weeks
  (11 July 2013): Defer item to future meeting
  (1 Aug 2013): No comments on new additions received yet - reminder sent to sub-group.
Assigned to: Ken Dagg
Est. Completion: Updated: 12 Sept 2013
Status: In Progress

Item #: 2013-08-1-002
Description: Forward ticket items that have been resolved to correct lists for next action.
Assigned to: Andrew Hughes
Est. Completion: 8 August 2013
Status: Not Started

Item #: 2013-08-8-001
Description: Bring forward ticket #770408 for further discussion of new text
Assigned to: Chair
Est. Completion: 15 August 2013
Status: Not Started

Recently Closed Action Items

Columns: Item # | Description | Assigned to | Est. Completion | Status

Attachments


Next Meeting