2021-04-08 Minutes

Attendees:

Voting Participants: Mark King, Mark Hapner, Richard Wilsher, Ken Dagg.

Non-voting participants: Eric Thompson, Jimmy Jung, Adam Cooper

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was quorum.


Agenda


1. Administration:
   a. Roll Call
   b. Agenda Confirmation
   c. Minutes Approval: 2021-04-01 DRAFT Minutes

2. Discussion
   a. Review Final Comments NISTIR 8344 (Ontology for Authentication)
   b. Review criteria related to component service consumers.
   c. NIST open discussion issues in light of SP 800-63 rev.4.

3. Any Other Business


Minutes Approval

2021-04-01 Minutes were approved by motion. Moved: Mark King. Seconded: Mark Hapner. Unanimous Approval.


Review Final Comments NISTIR 8344 (Ontology for Authentication) 

  • Ken commented that he updated the draft with the inputs provided on April 4th, including: the purpose of this document; what it contributes to; what it establishes a foundation for; key terms that are missing, for which we propose definitions that relate them to standard sources (ISO standards and the Oxford dictionary); undefined terms; the relationships between those terms; what is trust, what is risk, and how they relate to each other; clarification requests on examples; and a suggestion to present the terms in a relational order rather than alphabetically.
  • IAWG approved the final comments, available at https://docs.google.com/document/d/1jswnFEpl1kvNmUAYBFa3MMjNXBam2BkYhE3FqbANOKQ/edit?usp=sharing
  • Ruth will submit the IAWG Comments to NIST on the 9th. 


Responses to UK questions 

  • Comments are being developed here: https://docs.google.com/document/d/103q3NrG31j3dalW3X3UuS_jj8_hWbmXEPSNRSHWlOHA/edit?usp=sharing
  • Ken said that the key comments are in relation to Question 7, the interaction between trust-marked organisations and non-trust-marked organisations. Points made by the participants: KI highly recommends that services are trust-marked rather than organisations, which would allow an organisation to offer trust-marked and non-trust-marked services, as well as services with different trust marks, which are variations of trust marks according to the criteria that the service is assessed against. The group will take direction from the CO_SAC KIAF 1410 to answer the question, "External Services and Components" section, criteria CO#0320 and CO#0330.
  • The other point made was regarding the question about anti-money-laundering requirements.
  • International interoperability approach should be added. 


Review criteria related to component service consumers

  • Further revisions were made to the OP_SAC regarding subject-focused criteria; Richard Wilsher has been updating the document accordingly.


NIST open discussion issues in light of SP 800-63 rev.4.

  • The NIST list of issues is available at: https://github.com/usnistgov/800-63-4/issues
  • Ken pointed out that the group has until May 15th to provide comments. 
  • Eric commented on the liveness test for remote identity proofing. He pointed out that in the overview of the general guidance they draw a line between identity proofing and fraud mitigation controls. One of the purposes that NIST points out is to prevent a spoofing attack, which is a form of fraud. He stressed that it is important to make a distinction between fraud and identity proofing. Any further requirements of this type move more towards fraud mitigation as opposed to identity proofing. Therefore, if they are mandating fraud mitigation, in essence it requires additional requirements.
  • Richard added that the reason one performs identity proofing is to have a degree of certainty as to the authenticity of somebody holding or presenting a claim to be this particular individual, and that is therefore done with the intent of achieving fraud mitigation. He highlighted that there is a long line between identity proofing and fraud prevention, for the sake of establishing, with a sufficient degree of certitude, the veracity of an identity. A liveness test is not for fraud mitigation per se; it is still a part of a proofing function. Once you have an identity proven with sufficient confidence, there are fraud mitigation measures which one might then apply, which could arise from application of that identity in a transaction. We are only doing this to prevent fraud, because if people did not commit fraud we would not need to do identity proofing.
  • Eric suggested that one piece of feedback on this issue is to avoid moving from a "should" to a "shall" (making it a normative requirement); they should keep it as an optional requirement.
  • Richard said that a liveness test is actually a valuable test to make to gain greater confidence. We could make it only an IAL3 requirement; that is a way of adding strength over and above IAL2 proofing. It is an available tool to stop people wrongfully getting identity credentials.
  • Eric recommended making it a requirement for IAL3 and otherwise keeping it optional.
  • Eric offered to lead the development of comments.


Next meeting: 2021-04-15