2020-06-17 Meeting Notes IAL2 & IAL3; AAL3

Attendees: Andrew Hughes; Richard Wilsher; Martin Smith; Nathan Faut; Colin Wallis; Ruth Puente

Drafts that were reviewed during the meeting:

KIAF-1430 SP 800-63A Service Assessment Criteria v3.1.6.xlsx

KIAF-1440 SP 800-63B Service Assessment Criteria v3.0.2.xlsx

Key discussion items:

63A_SAC IAL2 & IAL3

Richard noticed that somebody started commenting on criteria (IAL2) that are already approved and published. Given that there is a provision in the document to review it every twelve months, Richard proposed to revise these comments under that review option.
Richard commented that this document is almost ready. Moreover, there were additional criteria that needed to be checked.
Richard explained he has arranged logically rather than strictly by source section.
Richard said that the comment in row 98 was accepted with modification.
Richard added that he will have to work out the appropriate text for section 5.3.2.
He is planning to replace all of the old text with a new text, by starting the number sequence again. To account to the fact it is the new IAL3 criteria. Until he applies new text in pending new 63A tag, he cannot resolve references in the criterion (rows 121-125).
Martin expressed he likes the requirements’ language on line 125.
Martin asked Ruth what the plan with this document at tomorrow’s meeting is. Ruth said that if it is finished, it can be presented during the IAWG meeting and then, it will be needed one week (at least) for comments.
Andrew commented about line 125 that it is clarification of the SHALL be expected to be known only. He suggested to take that out and make it guidance in 123. Richard added that comment in row 123.
Andrew proposed to leave it and have the CSP prove that this is entropy and they can figure it out (Row 130). Richard said it is a good idea.
About rows 134-135, Richard explained that you cannot include the SHALL unless you accommodate the SHOULD / MAY. Row 135 criterion was modified as “require responses which are not based on selection from a pre-determined list”.
Andrew commented that line 137 reduces the fact of the entropy anyways.
Row 138 was corrected according to the comment.
Row 142 criterion was modified as “no question SHALL provide the Applicant the opportunity to infer answers to any other KBQs in any subsequent session.” Andrew commented it is an impossible requirement anyways, he said that the challenge with these criteria is that the only scenario where it would work is when the attacker has linkage between sessions because they are doing multiple sessions.
About 145, Andrew said that we need to think on how this will apply under Kantara’s approval.
Andrew stressed that the IAWG should be informed by the Sub-Group that this set of criteria are very problematic. Richard said these criteria are meant to provide a normalized interpretation of 63 rev.3 but do not invent any alternatives. Andrew asked Martin if he would raise this point to the IAWG, Martin said he would do so. Andrew pointed out it is necessary to say watch out, they are really hard and problematic to achieve. Richard said that whether liked it or not, it was agreed that they are some correct and acceptable interpretations of what NIST is asking.
Ruth mentioned she posted on the chat the link to the NIST answer and that includes the use of KBV. She said that David’s answer is quite clear. It was pointed out that something else was needed. Link to NIST response on use of KBV at IAL2: Download doc
Richard explained that the Group is trying to do its own representation of what NIST is asking for.
About line 169, Richard clarified that TR is a Trusted Referee, it is somebody who is on the applicant’s side of the process, not a supervisor who is on the CSP’s side of the process overseeing application. Richard added he does not understand the comment in there. The Trusted Referee has gone through the proofing process at the same level at which the person for whom they are acting as a referee does.
Ruth provided the link to the FAQ where NIST provide clarification on "What is the difference between the conventional proofing process and using a trusted referee at IAL2?" - https://pages.nist.gov/800-63-FAQ/

Next steps on 63A_SAC IAL2 &IAL3

Richard said it was now reviewed all of the proposed changes to bring this up to IAL3, including some retrospective changes that were determined necessary. It was disposed of the comments submitted with regard to the draft criteria. In the other comments submitted there was gotten a case for suggestion to the IAWG, which may add a week or two to the process.
Ruth will add to the agenda that Richard is presenting it tomorrow at the IAWG meeting.

63B_SAC AAL3

Richard said that it could be launched into looking AAL3, or it could be deferred until next week.
Martin proposed to see if there are any observations about the nature of AAL3.
Richard explained that essentially is the same deal, he added the columns S-T to indicate the assurance levels. He extended column B to explicitly state AAL2 when the section is exclusively addressing AAL2, some of the criteria actually apply equally to AAL3.
Richard said that with AAL3, he stated in bold the deltas between 2 and 3.
Martin asked if column B is obsolete and replaced by column S and T. Richard said no, it is still perfectly relevant, it is showing the numbering of the source reference.
The criteria that are not in bold is because they have not changed, they work either way.
Richard introduced requirements that are specific for Federal Agencies, which he previously ignored.
About lines 133-140 it was added a note in Guidance column “Create the basic requirement”.
Andrew commented that one of the challenges with the NIST approach, is that instead of saying counting these threads, it says two password delay.
Martin asked if there is anybody in particular among the Kantarians that is wanted to get involved in this review and that is not here. It was agreed to share it with KI CSPs and Assessors.

Next meeting: 2020-06-24 - review the AAL3 criteria