2021-10-07 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner 

Non-voting participants: Jimmy Jung

Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1. Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 2021-09-23 DRAFT Minutes
    • Staff reports and updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)

  2.  Discussion: 
    • Summary of ARB/IAWG meeting
    • Status of open issues regarding the pending package of proposed criteria changes

  3. Any Other Business and Next Meeting Date

Meeting notes 

***This was the first meeting held on the Zoom platform and there were issues with different links being distributed. Additional time and effort were needed to get participants onto the same call. This impacted the length, attendance, and flow of the meeting.

Administrative Items:

The meeting was called to order at about 1:25PM (US Eastern).

Roll was called. Mark Hapner had not joined at this point and therefore the meeting was not quorate. 

Minutes approval:  Minutes were not approved due to lack of quorum. Minutes will be approved at the next meeting. 

Staff reports and Updates:

None.  

LC reports and Updates:

None.

Discussion:

Summary of ARB/IAWG meeting:

Ken briefly summarized the issues raised in the joint ARB/IAWG meeting held on September 27. All comments were within form 1430.

  • 1430 #510 - remote ID proofing - IAWG has LOA2 & LOA3 checked but NIST only requires this for LOA3. Why do we have it checked for LOA2? Jimmy believes it may just be a typo/mistake. Martin briefly recalls Richard sharing something in form 1440 that then made it applicable to LOA2 as well. He believes we should let Richard review this before making an assumption it was an oversight.
  • The same holds for 1430 #520-#580. IAWG has LOA2 & LOA3 checked when NIST only requires it at LOA3. Martin added that David Temoshok made it clear that it definitely only applies to LOA3. Richard will look into this one as well to see if there is something in 1440 that makes this also applicable at LOA2. 
  • Many other issues deal with component services, which have already been addressed in the rewording of the new package. The group needs to review one final time to ensure all have been addressed. 
  • The ARB's final area of concern is with the tables (form 1430 T5-1, T5-2, T5-3). Criteria in 63A #190, #210, and #250 make it clear that the tables need to be referenced and used as justification for the strength of proofing that the CSP is doing. It does not say the table must be completed - but it does say tables must be referenced and CSPs must indicate which proofing requirements are being used. ARB wants the tables to be used and checked off as part of the evidence. That is not clear currently. The ARB suggests editing the tables to add columns for the CSP and assessors to check off what they are doing. Applications without completed tables would be sent back with a request that the CSP/assessor complete the tables and resubmit.
    • Jimmy provided some context on how he handled the tables as an assessor. He believes the spreadsheet should make it more explicit that assessors need to fill out these tables. Kay reminded the group that the ARB wants to meet with the assessors and this can be addressed at that meeting.
  • Kay addressed another area the ARB is concerned with regarding when one CSP is using the services of another approved service and how that is documented on the spreadsheet. Jimmy suggested more guidance from the ARB on what they'd like to see and it was agreed to add it to the agenda of the ARB/assessor's meeting. 
    • There was some disagreement on what the ARB was wanting to see. Jimmy believes the ARB should be looking at the full service - reliant on the component service - to get the fuller answer from the full service and minimize the component service. Martin did not feel the ARB has a preference on who was responsible for what criteria, but more so that it is clear who is responsible for each criterion. Ken took it differently. He thought the front-facing service that uses the component service was responsible for the redress but needed confirmation from the component service. The IAWG needs to ensure there is a place to record how the services integrate with one another. It was agreed that the component services should be able to say what they do and do not provide and it is the job of the full service that wants to use that component service to fill in the missing pieces.
    • Jimmy suggested allowing components to respond with 'supported' rather than the approved verbiage (conformant, non-conformant, etc.) with an explanation that shows how far they step into that criterion without actually owning it. Ken would like to discuss this with a larger group as a possible way to get around this issue and put the onus on the full service.

Martin questioned whether the whole revision for component services was a prerequisite for submitting the current batch of changes. If it is not a prerequisite, then we should continue to move forward with our current proposal. Ken does not believe a published package will come out until mid-January or February due to the holidays, so we are not in a rush to complete, but he would like the component service changes integrated into the current revisions if at all possible.

The group was not prepared to further discuss the 63A#0177 issues on comparable alternatives. This will be addressed at the next meeting. 

Other Business:

The next IAWG meeting will be Thursday, Oct 21 at 1pm EST to discuss status of open issues regarding the pending package of proposed criteria changes and to revisit component services. 

Ken adjourned the meeting around 2:00 pm EST.