2020-02-06 Minutes
Attendees
Voting participants: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher
Staff: Colin and Ruth
Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum.
Agenda
- Administration:
- Roll Call.
- Agenda Confirmation.
- Action Item Review: action item list.
- Staff reports and updates - Keeping up with Kantara January 2020 and January Director's Corner.
- LC reports and updates.
- Call for Tweet-worthy items to feed (@KantaraNews).
- Criteria Guidance - Issues related to OP-SAC criteria, which have been identified by the ARB with regard to phishing attacks, AL3_CM_CRN#040 (Token strength) and AL3_CM_CRN#050 (One-time password strength).
- Any Other Business.
Action Item Review: action item list
- Ken mentioned that comments were made on the Pan Canadian Trust Framework Verified Login component.
Staff reports and updates - Keeping up with Kantara January 2020 and January Director's Corner
- ED said he does not have much to comment on regarding the Director's Corner. This time he talked about looking forward to the rest of the year, a very interesting year. He added that there is interest all around the Assurance program. There has been advance and change at GSA, and the ICAM Program is very conscious of what Kantara has done, as are other industries. He senses a maturing of the industry in the US and certainly the proliferation of Trust Frameworks around the world, which is quite interesting.
- The Identity Assurance Work Group is facilitating discussions with NIST representatives regarding the aspects of the SP 800-63-3 Digital Identity Guidelines that have proven challenging for private sector conformance, while also preparing comments on the draft of the Pan Canadian Trust Framework; this month it is responding to the Verified Login component on its second iteration.
- ED also mentioned that another Trust Framework is going to be launched next week in the UK. In Australia the Digital Identity Framework has been created largely out of Kantara; it would be nice to get back into that one day. Moreover, New Zealand is at a very early stage of conceptualizing. In Papua New Guinea there is a Trust Framework being formed for financial services; Neocapita, which joined Kantara very recently, is the consultant involved in this.
- ED stressed he is very confident this is going to be an interesting year; he hopes to make announcements of new Board Members. He mentioned that Andi Hindle has joined Kantara in the UK, taking up the new role of Kantara's UK Ambassador to progress Kantara's footprint in the UK.
LC reports and updates
- Ken commented that the SAML version 2 Deployment Profile for Federation Interoperability has just passed the LC ballot.
- ED clarified that Ken did not mention the Information Sharing Interoperability. He said it is very interesting that this is the first time Kantara has tried to move a specification in Consent Receipt. In terms of the current Work Groups, the idea is to have around three new Work Groups formed in the next two months.
Discussion
Criteria Guidance - Issues related to OP-SAC criteria, which have been identified by the ARB with regard to phishing attacks, AL3_CM_CRN#040 (Token strength) and AL3_CM_CRN#050 (One-time password strength).
- Ken said that Kantara has been asked by the ARB to consider creating guidance around two of the criteria present in the Service Assessment Criteria: Token strength and One-Time Password strength.
- Mark asked if anybody saw that Google announced that they have open-sourced the software for security tokens. Soon people will be able to buy the hardware and software separately. Mark will send the link to the group.
- Richard mentioned that this started to be discussed at the previous meeting. He is concerned about the extent to which the ARB should be fishing for changes in criteria, and it is necessary to understand the extent to which that is permissible. It seems to him that there are three points of consideration. One is that, if it is about the classical class of approval, it tries to follow the principles of 800-63 v.2 but has not been tightened to it, which gives it more flexibility than the 800-63 v.3 class of approval. There is a separate discussion with David Temoshok, as there are queries of interpretation with 800-63 v.3. There will be discussion within this group, which will lead to changing some of the criteria in a way that meets the new requirements.
- Ken commented that, with respect to the ARB making suggestions, they are making a suggestion like any other body who is able to make one, and those comments and suggestions are welcome, but they have to be evaluated. He does not see anything wrong with it; he sees the ARB's comments as suggestions for improvements that may be made. Ken added that the third point Richard made is quite valid: if it puts the group into a liability position by adopting some suggestions and not others, then the group has to be careful not to keep just one particular proposer happy. Ken said he agrees with Richard on this.
- Richard asked whether guidance has to be provided if the criteria are not changed.
- Martin added that he wonders if the objective is to provide something that is able to say: if you do this, you are conformant with 63-3 and you also meet our standards for actual security. Richard said that, coming back to the quorum on this call, it seems to him that not changing these criteria would be reasonable if it is wanted to have CSPs on board with this. Martin argued that if it is believed that 63-3 does not cover something adequately, should there be some further requirement that is not there? Ken responded that it comes down to the definition of the classes of approval. The two new classes of approval that were added with respect to 63-3 are, first, a technical one, which is strict: you meet the requirements of 63-3 based on these criteria; and second, a broader one, which is in essence technical plus the CO_SAC. If there is a change it will affect both of them, but it also means that the description of the class of approval has to be changed, because it will no longer be purely technical 63-3 compliance or conformance. It was said that it is basically conformance versus actual security.
- Ruth clarified that the ARB's aim with this was not to request a change; it was just to raise a question for IAWG to consider whether there are things that need to be done, whether the ARB needs to add guidance to the Service Assessment Criteria, or whether the ARB provides guidance in the certification or approval notes after the review of the application. The ARB has found some issues with two reviews of AL3 CSPs; the short-term action they decided on was to provide the CSP with a recommendation that, beyond being compliant with the AL3 Service Assessment Criteria, they should bear in mind that they are not protected against phishing attacks. Basically, their question is whether they should keep doing that as an additional note to the approval notification, either informally or as part of the formal material, or whether something more substantial in terms of the Service Assessment Criteria should be changed. They are just asking the IAWG whether something needs to be done; it is not a recommendation to change.
- Ken agreed with Martin that either something is done, or something is not done. He mentioned that this meeting is agreeing to postpone the discussion until the next meeting; this could be delayed for a couple of weeks.
- Ken also agreed with Richard that CSPs need to be involved in this discussion; ED also agreed. Ruth said that she could invite the CSPs to a special session to discuss these topics. ED said it is a good idea, but he is also thinking of 'one on one' meetings. It was suggested that the CSPs should be asked whether they want to be present in the discussion or not, since it is a business matter.
- Richard commented that the text of the ARB discussion, "that it is legitimate for Kantara to create guidance for assessors on implementation of specific criteria", is an interesting thought. Ken clarified that providing guidance to assessors on how to assess products or services and offering guidance on the criteria are different in focus.
- It was agreed to read the text of the ARB issues further over the next weeks, in order to continue the discussion at the next meeting.