2022-01-27 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Jimmy Jung, Richard Wilsher, Mark King

Non-voting participants: Andrew Hughes, Eric Thompson

Staff: Lynzie Adams

Proposed Agenda

  • Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 2022-01-13 DRAFT Minutes
    • Staff reports and updates
    • International liaisons updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)
  • Discussion:
    • Component services language update/review
    • Brainstorm/compile list of 800-63 rev. 4 revision suggestions
  • Any Other Business and Next Meeting Date
    • Next meeting - February 3

Meeting Notes 

Administrative Items:

IAWG Chair Ken Dagg called the meeting to order. Roll was called. The meeting was quorate. The distributed agenda was confirmed.

Minutes approval: Mark Hapner moved to approve the draft minutes from the January 6 IAWG meeting. Martin Smith seconded the motion. The minutes, as distributed, were approved unanimously.

Staff Reports and Updates:

Kay is unable to join today. As mentioned previously, the Assurance Program is extremely busy. ZenKey was fully ratified by the Board last week. One CSP was just recommended by the ARB for Board approval. Another will go to an eBallot today for the ARB to vote on.

International Liaisons Updates: N/A

LC Reports and Updates:

LC is putting together a pre-conference workshop for EIC in Berlin this May. Look for more details if you're heading to the conference in May. 

Discussion:

Component Services Language 

Lynzie identified specific criteria that the ARB continually flags as needing to be modified to cover component services. The ARB has now moved to approve two CSPs on the condition that their first ACR will need to meet the new criteria, if they are available by that time.

The 63A criteria concerned are #0040 (Privacy Policy), #0060, #0062, #0070 (Redress), and #0100 (Credentialing Practices Statement).

The ARB does not feel that component services should be exempted from these requirements on the grounds that they do not engage with the end user (applicant). One assessor provided feedback regarding use of the word "applicant": "use of the word ‘applicant’ in some of the requirements makes it nearly impossible for some component providers to agree to those requirements and get them passed through their legal review – in cases where they are more focused on the B2B experience for example."

IAWG members discussed the issue at length and weighed different options for correcting it, including revising the criteria, leaving them as-is, or adding a (b) criterion for component services. Richard is worried we may have lost some good criteria in transitioning away from the OP_SAC. Jimmy raised the fact that, for a component service, none of these criteria are required for Kantara certification.

Richard raised that revising 63a#0030 could correct the issue with #0040. Under #0040, a component service can state that it does not interact with the applicant, but #0030 would still oblige it to make the policy available. The guidance on #0030 should include a note about component services: "This criterion implies that...." Richard suggested moving the guidance from #0040 to #0030 and then editing it to state that the criterion implies the privacy policy is available.

NIST Rev. 4 Suggestions

The group had limited time to expand on the list proposed at the last meeting. The general thought was to approach NIST before the public comment period with a few questions and/or suggestions. Eric Thompson, Matt Thompson and Kay are working on a similar list for the Board. The two lists should be compiled before one representative group speaks with NIST on Kantara's behalf.

Possible areas to comment on Rev. 4:

  • 5.3.3.2 - Requirements for Supervised Remote In-Person Proofing - "The CSP SHALL employ physical tamper detection and resistance features appropriate for the environment in which it is located. For example, a kiosk located in a restricted area or one where it is monitored by a trusted individual requires less tamper detection than one that is located in a semi-public area such as a shopping mall concourse." - Send guidance on what we consider appropriate for a given environment.
  • Comparable Alternative Controls – how will they be addressed?
    • Inclusiveness suggestions
    • Bring up the impact of current controls, their inefficiency and lack of inclusion
  • Federation Agreements
  • Inclusion of the NIST white paper - new ways to look at authentication?

Less content/ more clerical:

  • Document structure - separating the criteria from the normative statements
  • Consistency in use of terms

Other Business:

The next IAWG meeting will be Thursday, February 3 at 1pm EST. We will continue with today's agenda items.