2020-06-11 Minutes

Attendees:

Voting participants: Ken Dagg, Tom Jones, Mark Hapner, Martin Smith, Richard Wilsher

Non-voting participants: Pete Palmer

Kantara staff: Colin Wallis and Ruth Puente

Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Action Item Review: action item list
4. Minutes approval 2020-06-04 Draft Minutes
5. Staff reports and updates - Director's Corner
6. LC reports and updates
7. Call for Tweet-worthy items to feed (@KantaraNews)

2. Discussion

1. DIACC request for Comment and IPR Review:PCTF Credentials (Relationships & Attributes) - See initial comments attached.
2. Call for comment: Revised Glossary terms.
3. NIST opens a formal review and submission of comments on SP 800-63-3 to ultimately lead to Revision 4 - See https://csrc.nist.gov/publications/detail/sp/800-63/4/draft.
4. Update on xAL3 Sub-group, which is preparing new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively.

3. Any Other Business

Minutes Approval:

Motion: To approve 2020-06-04 Draft Minutes.

Moved: Martin Smith; Seconded: Mark Hapner. Unanimous Approval.

LC Updates:

Ken mentioned that the LC meeting is next week.
Ken said that mDL is moving forward at some point into a Work Group.
ED pointed out that the Secure Technology Alliance has been taking the lead on advancing the course of mDL in the US specifically. There has been significant help from Kantara with the preparation of the white paper, now they are preparing a series of webinars to highlight aspects of the white paper that they released a couple of months ago. At this point it is webinar 3, Kantara is pretty much taking that whole thing. Matt Thompson is giving an overview of the perspectives around Trust and Privacy in this area. The second speaker probably is Andrew Hughes, he will be talking about what the Identity Assurance Framework does and how potentially it could have a Conformity Assessment for mDL. It was said that the the STA webinar, “Privacy & Trust in the mDL Ecosystem” will be held Thursday, June 25 at 1pm ET/10am PT. Registration is available at https://securetechalliance.webex.com/securetechalliance/onstage/g.php?MTID=e966db1bd86f0be6d86fe10fc09ed171b.

Staff reports and updates - Director's Corner:

ED mentioned he has been discussing with Leadership Council and the Working Group Chairs on furthering a Webinar Summer Series, to do them over the course of July. It would be nice that the IAWG can step up to lead one of these, Ruth is going to be leading one specifically on the Trust Framework Assurance Program.

Call for Tweet-worthy items to feed (@KantaraNews):

Tom commented that there is call issued by OpenID to look at self-issued identifiers over OpenID providers, which stands for decentralized identity foundation. ED said he has tried to join up.

Call for comment: Revised Glossary terms:

Ken explained that as a result of the work that the ARB has done, the Service Assessment Handbook has been revised. Richard Wilsher was the main editor behind it and as a result of that work, some terms came up and had to be added to the Glossary Overview.
Richard added that what they are asking for, is a review of those terms that have been revised or introduced and to identify any problems with the scope of the definition. It is important to understand that it cannot be used another term unless that term has already been defined.
Comments have to be added in the Comment’s sheet that Richard provided. Ruth added that she posted on the chat the instructions and the Comment’s sheet that Richard provided Call for comment: Revised Glossary terms
Tom commented that there is one term in there “Credential Management” he has doubts about, he has not seen it in the 800-63 document. Is it part of the group scope? Or is it linked in some other way? Richard explained that there is a broader scope than just the 800-63, the Glossary addresses everything within the Identity Assurance Framework. Tom asked if it was intentionally included complaints management as part of the scope of the group. Ken and Richard answered yes. Richard said that having gone through proofing and then bound to an Identity, thus to a credential, credentials need to be managed, to be revoked or renewed and they may need to be destroyed at some point. Tom argued he has a problem with the idea of a Credential Service Provider maintaining information about users. Richard stressed that someone has to revoke the credentials, Tom said he disagrees this is a function of the Credential Service Provider.
Tom continued saying that in an online world you do online certificate validation, probably revocation is the wrong term; and online validation probably is the right term. It was argued that it is not that revocation is wrong, to the contrary, both would be necessary.
Ken suggested to move this discussion as a discussion point for next meeting, so a further analysis can be done.

NIST opens a formal review and submission of comments on SP 800-63-3 to ultimately lead to Revision 4 - See https://csrc.nist.gov/publications/detail/sp/800-63/4/draft:

Ken commented that the IAWG will start coordinating this submission of the comments for NIST.
NIST Deadline for Comments: August 10, 2020

2.Update on xAL3 Sub-group, which is preparing new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively:

Richard commented that the IAL3 was sort of completed yesterday. It will be given one last review next week at the Sub-Group, and there probably will be 2 weeks for the IAWG to look at it.
Richard added he is doing some additional criteria in relation to FAL3. FAL3 is virtually there, but he will mention this in the end.
He guesses it will take 6 weeks.

DIACC request for Comment and IPR Review: PCTF Credentials (Relationships & Attributes)

Document reviewed during the meeting: DIACC-Comment-Submission-Spreadsheet-PCTF-Credentials-Relationships-Attributes-Draft-Recommendation-V1.0-ENG.xlsx

Ken explained he worked to develop some initial comments, Martin also helped providing some.
Martin explained that in line 26, they basically talk about Attributes and Relationships as different types of things. It seems to him that they could be combined, thus Relationship is one type of Attribute, rather than having a whole separate parallel discussion. There seems to him that a Relationship type Attribute could be associated with whatever additional metadata might be necessary to fully describe a Relationship.
Tom commented that database technology for long time has distinguished between Attributes and Relationships. Partly because there are two subjects in a Relationship and only one in an Attribute. Ken asked if it is not enough of a reason just to have two separate paths for managing them. Tom argued that adding legal opinions does not seem right to him.
Martin explained that the primary topic of this DIACC document is Authorization, Tom said he has to have a look at that.
About line 28, Martin pointed out that there is a big hole over all system, what it is going to take for emergent digital authoritative attribute sources.
Ken added that he would agree with this even if it is public agencies and public sectors, organization would become the authoritative sources for a lot of Attributes.
Tom said that use/business cases are a good idea.
Ken mentioned they should provide an overview in this document, giving the benefits of doing this to anyone, specifically to public agencies.
About line 29 it was added to “Consider including a discussion of ‘client’ versus ‘server’ approaches during implementation”. Tom pointed out that Martin is not going to win this discussion against them. Ken stressed that the idea is to at least have a discussion about this.
Ken asked the IAWG to go to him if there is any question or comment about the spreadsheet. Following that, if there is not a resolution there will be a 3^rd and final set of discussion on the 25^th, because these comments need to be into DIACC by July 2^nd.
It was added that mDL on the 25^th is the same time of this meeting.