2020-05-27 Meeting Minutes - Final Meeting
Attendees: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher, Sato Hiroyuki, Colin Wallis, Ruth Puente
Draft reviewed during the meeting: KIAF-1450 SP 800-63C Service Assessment Criteria v0.12.0.xlsx
- Richard started the meeting by saying that the revision will go through all the comments in yellow first.
- Richard mentioned that last week there was a discussion about optimization on Privacy Risk Assessment. He mentioned that he created a requirement that there SHALL be a Privacy Risk Assessment (63C#0340). Ken asked what happens if the Federation is multinational (if it has a Federation Agreement): what if, in the Federation Agreement, they identify how the Privacy Risk Assessment should be undertaken? Richard responded that it would presumably be an industry standard. Ken asked if it should say ‘as identified in the Federation Agreement’, another requirement on the Federation Agreement. Richard argued that since it is a clear requirement, and considering it is written in the context of the US Federation, he would have thought it is sufficient. Richard stressed that it is important to bear in mind that because these are Kantara’s criteria, as an interpretation of 800-63, which is itself a suite of applicable NIST-created standards, the whole of this would have to be undertaken in a Federal-scope NIST context. 63C#0340 and 63C#0350 were agreed.
- 63C#0570 and 63C#0580 were agreed.
- Richard said that, regarding 63C#0610, he thinks it was Martin who raised a question. Martin confirmed this and said he is now clear on it. 63C#0610 was agreed.
- In relation to 63C#0730, Richard explained that this was about Assurance levels being met, because different Assurance levels mean different levels of control. Ken suggested that instead of ‘met’ it should be ‘required’. It was finally changed to ‘asserted’. 63C#0730 and 63C#0740 were agreed.
- 63C#0760: Richard commented that here only ‘mutually’ was included. Ken said he would agree with duplicating them, since Front-Channel is specifically dealt with in some cases and Back-Channel in others. In row 176, ‘Separate Clause’ was added to the Criterion. ED said that he will have to review or re-write these criteria (rows 167-184). He asked if he should present this tomorrow; the group agreed.
- Richard explained that in columns T (ABC) and U (Comment) he will retain what is there, but he will clean this out and invite people to comment and suggest changes. Ken suggested changing the ‘ABC’ heading because it is confusing; Richard wrote ‘Initials’ instead.
- Richard will send a revised version of this document to Ruth.
Next steps on 63C_SAC at FAL2:
- Ken said that tomorrow the Group is presenting this to the IAWG general membership. He does not think they could call for a vote, even if there is quorum. He stressed that it would be better to give IAWG a few days (5 days to 1 week) to digest it and maybe make comments.
- Ken asked Richard, ED and Ruth whether the client contracting Kantara to develop this expects the four sets of Assessment Criteria to be released at once, or in some other way. Ruth responded that the idea is that these documents will go through the whole review process (45-day public comment, LC confirmation and the all-member ballot), but will not be published until all the other sets of criteria have been reviewed and approved. This will reduce the review workload.
- Ken summarized that FAL2 SAC will go to IAWG, they will have one week to raise issues, and then the following week there will be a vote to approve it if there are no major issues.
New subgroup for xAL3 criteria:
- Ken commented that he wanted to introduce the idea of calling for new members for the Sub-Group to participate in the development of the level 3 criteria (level 3 SAC). Then there will be a call for volunteers to join the level 3 special Sub-Group, and the work will proceed from there.
- Richard commented that he realized, regarding what needs to be done in creating IAL3, that some criteria apply only to a particular assurance level, and unlike in a Word document there was no means to show that. Therefore, he introduced a column to the right of the criteria which tells you whether it is level 2 or level 3. Ken said his expectation would be that if it has all been agreed for IAL2, there are no changes for IAL3. Richard said yes, unless there are explicit requirements to change. Ken clarified that if a requirement applies word for word to both IAL2 and IAL3 and a criterion has been identified for it, that criterion would not change for level 3. Richard said that there will be a single criterion applying to level 2 and level 3; the way the documents are written, a requirement is either for both or explicitly for one. Ken clarified that he just does not want to get into long discussions on things that were already agreed. Ken said his original question was how long it will take to do IAL3, AAL3 and FAL3. Richard said that IAL3 is a small set of criteria; he would say it is not going to take as long as FAL. Ken said that it would then be a period of 4-5 weeks.
- Mark asked what is going to be specifically reviewed. Richard explained it is the spreadsheet.