2020-06-04 Minutes


Attendees

Voting participants: Ken Dagg, Tom Jones, Mark Hapner, Martin Smith, Richard Wilsher

Non-voting participants: Pete Palmer

Kantara staff: Colin Wallis and Ruth Puente 

Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum.


Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Action Item Review: action item list
    4. Minutes approval 2020-05-28 Draft Minutes
    5. Staff reports and updates - Director's Corner
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews)

  2. Discussion:
    a. Review and Approve KIAF NIST SP 800-63C Service Assessment Criteria at FAL2; KIAF 1450
    b. DIACC Request for Comment and IPR Review.
    c. Update on xAL3 Sub-group, which is preparing new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively.

  3. Any Other Business.



Minutes approval 2020-05-28 Draft Minutes:

  • Motion: To Approve 2020-05-28 Draft Minutes.
  • Moved: Mark; Seconded: Martin. Unanimous Approval.


Staff reports and updates - Director's Corner:

 

Review and Approve KIAF NIST SP 800-63C Service Assessment Criteria at FAL2; KIAF 1450:

Draft reviewed during the meeting: KIAF-1450 SP 800-63C Service Assessment Criteria v0.13.0.xlsx

  • Ken mentioned that last week input was requested on this; nothing was received.
  • Tom argued that a comment was posted to the mailing list. Ruth clarified that she checked her inbox and the list archives and did not find Tom's email. There must be technical issues or something; she did not even receive a request for moderation of that email.
  • Richard commented that he talked to David Temoshok last week, and he said they want to try developing a certain type of Assessment or Conformity Framework in rev.4. Certainly, he put aside doing that for Federation until they have a lot more experience.
  • Richard explained that he made a comment on 63C#010, 63C#020 and 63C#030 to eliminate “Federation Protocol” and “Federation’s Agreement Protocol”. It was accepted.
  • Richard also mentioned that Andrew suggested reordering the four columns I-L. These four columns were reordered by priority. The CSP is the one with the most applicable criteria, and the RP is next to Federal Agencies.
  • Richard said he will delete the comment in row 63.
  • Ruth reminded Richard to add the Sub-Group participants to the doc record sheet. Ruth will send him the list of names.
  • Richard said that 63C says that the Federation Authority will vet participants, which is a very open statement. He does not think that it has to go so far as to mandate Kantara Approval for participants within a Federation; if that is done, it limits the potential for Kantara to offer a Federation Assessment approval scheme. He stressed that no level of rigor can be mandated in this process. Tom asked if he is saying that the FA could just take the whole concept of 63C and go on with it; he said it seems problematic. Richard agreed, but he explained that there is a limit to the extent to which further requirements can be enforced; 63C says that RPs and CSPs have to meet the applicable requirements in IAL and in AAL. However, it does not say how they have to demonstrate that they have done that; it simply fails to address it. Even if the Federation Authority needed to check that they had met those criteria in 63A and B, they could do so by asking the question, and they get a yes or a no. There is nothing in here that imposes real rigor. The idea is to encourage but not mandate the levels of rigor that it would like to see.
  • Tom mentioned that row 40 is about encryption; you cannot say you have a certain level of encryption. Richard responded that the only requirement is that it is approved by the government or an industry body. Tom said it is not very good; he said that at least it could have said FIPS 140, but it cannot. Richard said it is possible, because 63C says that. Tom argued he does not think 63C calls for FIPS 140. Richard showed that it does appear in row 13. Tom said he had not read that.
  • Tom asked if there is a glossary for this. Richard said there is, but it is a separate document. 
  • Tom mentioned there is a typo: it says II instead of SSI.
  • Richard said that a definition should be included when it is ready for the 45-day revision.
  • Richard showed that 63C#0330 says that it should be approved by the Federation Authority itself, or an Independent Framework, or an Independent Assessor designated by the Federation Authority. Richard said it could be Kantara, but he does not believe it would be good to go so far as to state it and require it to be Kantara. ED agreed on this; it would go too far. Richard added that the other option is to make NIST come up with their own Conformity Assessment requirement. ED said they are.
  • Ruth said that SSI definition is on the version 0.12, under the sheet NIST phrasing. She copied it on the chat too. Ken commented he also wrote Federation Agreement in there.
  • Richard will add to the final draft:
    1. A definition tab/sheet including: Sensitive Subject Information (SSI), information of a personal or sensitive nature relating to a Subject; Federation Agreement.
    2. On the "Doc record" tab/sheet: in status, add "IAWG-Approved Draft Recommendation"; add IAWG sub-group participants.
  • For the Public Comment notice, Richard should send Ruth the "Overview of the document" section.


Approval of 63C_SAC FAL2 – KIAF 1450 

  • Motion: To approve KIAF 1450 “Identity Assurance Framework:  NIST SP 800-63C Service Assessment Criteria (at FAL2)”. 
  • Moved: Tom; Seconded: Richard. Unanimous approval.

 

DIACC Request for Comment and IPR Review:

  • Ken commented that he sent the DIACC Pan-Canadian Trust Framework yesterday, the new Canadian component to deal with relationships and attributes. It is an interesting document, and it looks at what they term a credential, which is slightly different. They talk about authentication credentials, but that is out of the scope of this component. They are attributes on issued documents. What they are trying to do is to establish a level of Trust in these Credentials, in the issuer and in the holder.
  • It is a good document, but they need a good editor.
  • It was agreed to provide comments on this new set of documents.
  • Deadline for comments: July 2nd


Update on xAL3 Sub-group, which is preparing new criteria for each of 63A/63B/63C_SAC, for IAL3, AAL3 and FAL3 respectively. 

  • Richard mentioned that the first meeting was held yesterday. Basically, the usual prospects plus Andrew Hughes.
  • While working on FAL2, the FAL3 criteria were seen, which are very small; now they are going through FAL3 again, because he noticed some were omitted. The other thing he determined to do: since the Federation criteria address Federal Agencies and RPs, CSPs and Federation Authorities, while in IAL and AAL there are criteria which specifically address Federal Agencies or RPs, he had neglected to extend the scope of those sets of criteria so that they are fully inclusive. That is calling him to stand a little more on IAL3.

 

AOB