2021-08-12 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King

Non-voting participants: Roger Quint, Varun Lal

Staff: 

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-07-15)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion 
    1. Finalize proposed criterion language regarding "comparable alternative controls."  
    2. Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).
    3. Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.
  3. Any Other Business and Next Meeting Date

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at about 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. Ken welcomed Varun Lal, noted that he had not participated recently in IAWG calls and invited him to introduce himself. Varun said he is a Senior Consultant at East Dynamics and is particularly interested in the proposal regarding PAD.  

Minutes approval: Mark King moved approval of the draft Minutes of the IAWG meeting of July 29. Mark Hapner seconded. The minutes as distributed were approved unanimously.

Staff reports and updates: ED Kay Chopard (via email today) said: I did reach out to the UK government contact on the request for comment (not the official title) that the UK has sent out. I saw that they've updated it and I'm not sure if the update addresses your questions about certifications.

The UK government person is on holiday but she did respond to me and promised to get back to me later this month to talk more about what they are doing and planning.

Also just finished a conversation with a government official in Australia. I know that he was working with Colin already about leveraging our assurance program for what they need in Australia rather than requiring companies to do duplicate assurance processes for each company. I have to get up to speed on that as well but he was very supportive so I will also contact Phil Lam to figure out some next steps and what needs to get resolved.

LC reports and updates:  

Ken said the LC had not met since our last call, and there was nothing significant to report. 

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Requests can be sent to Ken D or Kay C.

Discussion:

Finalize proposed criterion language regarding "comparable alternative controls."  

Ken noted that in the absence of Richard Wilsher we would not likely be able to finalize the text for comparable alternatives, but asked the WG for any reaction to Jimmy Jung's email sent to the list today. Referencing the draft language for KI criterion 63A#0177, part (f), Jimmy proposed that "we might rather 'inform service's clients/consumers' than just 'make available to the service's clients/consumers' " the results of the CSP's determination of comparability of an alternative control.  After some discussion, Ken suggested the following language: 

(f) "Inform, directly or through a direct link, the service's clients . . ." 

A question was raised as to how the (CSP) service's (RP) clients would be made aware of the use of an alternative control if the CSP's service incorporated a component service that used an alternative control. Ken proposed that the main text of criterion 63A#0177 be revised as follows:

63A#0177: "If the CSP implements, or incorporates a component service that implements, comparable alternatives . . ."

The WG briefly discussed whether, if a CSP were to replace one component service in its offering with another (Kantara-certified) service, that would require recertification of the CSP's service. Ken stated the view that any change to a certified service would have to be notified to Kantara, and the ARB would determine if the change would require recertification or perhaps some lesser level of review. He thinks that replacement of a component service with one that incorporated a comparable alternative control would be considered a significant change in the CSP's service.

Ken closed the discussion of this item noting that he would bring the revisions discussed today to Richard W's attention so that any issues he might identify with the language could be resolved at the next IAWG meeting. 

Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).

Roger Q. noted we wanted to discuss this matter with both Richard W. and Kay C. present.   

Ken D agreed and said we will have to postpone wrap-up of this issue since neither is present today.

Martin S. asked if Ken thought it was definite that we would want to include some change to the existing Kantara criteria in the package we are currently preparing. Ken said the short answer is "no." 

Ken went on to provide a brief summary of the origin of the issue and discussion to date. The initial impetus for consideration of the issue was a question from Phil Lam at GSA to Kay C. He asked if Kantara required the use of PAD for certification of conformity with 63A. Kay owes Phil a response, and the basic answer is "no," but we wanted to review the issue first to see if we might want to clarify or elaborate the language of the relevant criterion.  Since Kay's meeting with Phil, there have been some email exchanges between Richard W and Ken, but Ken feels further discussion within the WG is needed. 

Varun L said he is familiar with PAD and was wondering what Kantara was thinking. Roger Q. noted that although NIST 800-63-3 does not explicitly require use of PAD ("SHALL"), it does specifically recommend its use in remote proofing ("SHOULD") and even specifies the level of assurance that PAD should attain. 

Ken D. agreed that it seems that NIST strongly recommends use of PAD and might make it a normative requirement in 800-63-4.  However, he noted that Kantara does not add requirements beyond those that NIST specifies, so we would not want to make use of PAD a SHALL in our criteria unless NIST does. 

He added that we really have to wait to discuss this with Richard W. and Kay C. present at our next meeting. He noted that we want to submit the consolidated criteria change package (with or without added PAD-related language) no later than the end of August to have it published by the end of November or very early December. We should therefore meet in one week and plan for another meeting the following week to be sure to finish the work.  

Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.

Ken said that Richard W. has a spreadsheet of these proposed non-substantive changes, so in his absence we would postpone this discussion to the next IAWG meeting as well. 

Other Business:

Next Meeting: August 19, and then August 26 if necessary to finalize the criteria change package for submission to Kantara review. 

Ken adjourned the meeting at about 1:51PM US Eastern.