2021-05-20 Minutes
Attendees:
Voting Participants: Mark King, Mark Hapner, Ken Dagg, Martin Smith, Richard Wilsher.
Non-voting participants: Jimmy Jung, Roger Quint, Tim Reiniger
Staff: Colin Wallis and Ruth Puente
Quorum: There was quorum.
Agenda:
1. Administration:
a. Roll Call
b. Agenda Confirmation
c. Staff reports and updates
d. Minutes Approval 2021-05-06 DRAFT Minutes
2. Discussion:
a. UK DCMS May Update Certification Questions & UK Trust Framework Certification Scheme
b. RFI re mDL
Staff reports and updates
- Upcoming events: 1. Think Digital Identity for Government panel, Kantara, DTA, GSA and Swedish government. 2. IdentityNORTH - Aligning DIACC Standards with International Standards panel, Kantara, DIACC, Better Identity Coalition and DTA. 3. Kantara-DIACC-NIST panel about collaboration, similarities and differences of international and national industry associations. 4. Identiverse - Driving digital trust panel, Kantara panel. See more details here: https://kantarainitiative.org/events/
- 1Kosmos BlockID service has been approved by Kantara as a Full Service at IAL2 and AAL2, see PR here: https://kantarainitiative.org/1kosmos-blockid-digital-identity-solution-approved-as-nist-800-63-3-conformant-fido2-certified-powered-by-advanced-biometrics-private-blockchain/
- Colin and Mark attended the Stakeholders meeting for Digital Identity Scotland. They shared lessons learned, still early days. It's similar to RealMe, login.gov, gov.uk accounts, single sign on, centralisation with attributes.
Minutes approval
2021-05-13 Minutes were approved by motion. Moved: Mark King Seconded: Mark Hapner. Unanimous approval.
UK DCMS May Update Certification Questions
- Ken walked the group through the UK DCMS questions and edited the responses during the discussion:
"Q6) We are working on the principle that organisations will be able to be certified:
Directly against the trust framework, with possible ‘add-on’ certifications or signing of t&cs to join particular schemes
Certified against a set of requirements set by the scheme operator (which includes the trust framework requirements), and the scheme operator will be certified against the trust framework
In both of these scenarios we are looking at certification being the responsibility of certification bodies that sit under UKAS. Does this seem appropriate to you?"
Kantara Response: Kantara would strongly recommend that services, rather than organizations, be certified. This would accommodate the situation where one service offered by the organization can be certified while another, that does not meet the requirements, will not be certified. Additionally, it would avoid the situation of relying parties believing that all of an organization’s services have been certified when only one of them has been certified. Kantara would also recommend that a registry of certified services, including details of what the service provides, be maintained.
Kantara would suggest that, in order to allow for the scenario where a service has been certified by another recognized certification body that is not under the DCMS, such a certification be accepted. In this situation, service providers will not have to undergo, and incur the cost of, multiple certifications. Kantara would suggest that DCMS clarify that certification bodies are not organizationally “under” the DCMS.
"Q7) Are there schemes being developed that you would consider joining in the future?"
Kantara Response: Kantara suggests that internationally recognized schemes be accommodated.
"Q9) If schemes do have certification available, would you have confidence that it creates an ‘even playing field’?"
Kantara Response: Yes, assuming that certifications are granted by certification bodies that have been accredited by IAF. There is also an assumption that the requirements are equivalent.
- The group agreed with the responses.
- Ruth will submit them to UK DCMS on May 21st.
Assessment of RPs
- In light of the discussion of UK DCMS certification questions and documents, a question on the RP assessment was raised.
- Richard said that "RP" in the context of proofing and credential management is an entity that relies upon an affirmative authentication of a claim of identity. "User" is what Kantara calls the subject of that credential. The RP will receive an authentication and some collection of PII.
- Mark K. stressed that there is no requirement in Europe for RPs to be certified under the scheme.
- Richard remarked that 63A stipulates that the collection of PII is allowed only for the identity proofing purposes.
- It was agreed that it's complex to assess and certify RPs.
RFI re mDL
- Ken said that IAWG plans to comment on question 15 "Obstacles to acceptance".
- Colin commented that Kantara has released a request for a technical editor to work on the Kantara combined response to the RFI. He added that the WGs that are interested in providing inputs are FIRE, IAWG and the mDL DG.
AoB
- Martin shared a NIST/NCCOE release and call for comments until June 21st. Link to document: https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/data-classification-project-description-draft.pdf