2021-10-28 Minutes
Attendees:
Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King
Non-voting participants: Jimmy Jung, Eric Thompson
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
- Administration:
  - Roll call, determination of quorum
  - Agenda confirmation
  - Minutes approval - 2021-09-23 DRAFT Minutes and 2021-10-07 DRAFT Minutes
  - Staff reports and updates
  - International liaisons updates
  - LC reports and updates
  - Call for Tweet-worthy items to feed (@KantaraNews)
- Discussion:
  - Update on open issues regarding the pending package of proposed criteria changes
  - Initial discussion on component services
- Any Other Business and Next Meeting Date
Meeting notes
Administrative Items:
IAWG Chair Ken Dagg called the meeting to order at 1:04PM (US Eastern). Roll was called. Meeting was quorate. Distributed agenda was confirmed.
Minutes approval: Martin Smith moved approval of the draft Minutes of the IAWG meetings of September 23 and October 7. Mark Hapner seconded. The minutes as distributed were approved unanimously.
Staff Reports and Updates:
Lynzie reported the first organization seeking FAL certification recently reached out. They are still a few months out from getting started but wanted to begin learning more. Numerous other organizations have been reaching out with interest in Kantara certification - including companies from Korea, Japan, and India who are looking to get into the US market and believe a Kantara certification can assist them with that.
International Liaisons Updates:
Kay provided an update on:
- OSIA (France): They are not looking for a new assurance program; it's a much smaller scale project. Conversations are continuing on how we can fit into their future.
- UK: Had a meeting regarding certification and seemed positive. They are interested in Kantara pursuing certification - allows Kantara to be a certifying body in the UK. Similar to Kantara/GSA, but more formalized. Mark King asked if Kantara is part of the International Accreditation Forum. It's relevant for international collaboration. Nobody was sure at the moment but we will revisit. Mark King shared the link: https://iaf.nu/en/home/
- New Zealand: They requested a meeting but this has not occurred yet.
- Australia: Continued discussions are occurring with Jonathan Thorpe. Mark King reviewed Australia's Draft Law document and it seems much of what we said was not taken into consideration, nor was there a response as to why much of this was overlooked. Ken asked to send IAWG's apologies that we were not able to address the latest request.
Ken requested adding this new 'international liaisons updates' standing agenda item given the amount of work we've done in the past for other governments. We tend to get involved in a lot of these things and it is part of the mandate of IAWG to know what is going on around the world and aid them.
LC Reports and Updates:
A new working group, "Privacy Enhancing Mobile Credentials" is being set up. John Wunderlich is the chair. If you'd like to join, reach out to Ken and/or John.
Discussion:
Update on Open Issues Regarding the Pending Package of Proposed Criteria Changes:
Ken noted that the pending package is set on all the criteria except for the ones around alternative controls. Kantara is currently trying to schedule a meeting with GSA/NIST to have an initial discussion around the package. Kay has sent the request.
Eric Thompson proposed focusing on publishing guidance around alternative controls measurement. He sees this as an area holding agencies back and with some leadership and guidance from Kantara it could move the discussion forward immensely. Ken suggested this be proposed as a new discussion group. He believes there would be interest from folks in other groups as well. Ken requested a half page overview with the scope of the problem to take to LC for approval to get this going. Eric and Ken will work together to propose this discussion group.
Initial Discussion on Component Services:
The ARB shared concerns with the IAWG regarding how the assessment views component services, particularly what requirements are the responsibility of the full service and what is the responsibility of the component service. This raised the general question - What kind of requirements do we place on a full service and what do we place on a component service? ARB feels a general review of criteria to consider how it works with a component service could be beneficial. Ken was unsure if such a review has occurred. Jimmy worries it could be a complicated lift to address.
Martin suggested we consider a need for a contract between the parties that clarifies the relative responsibilities. Have we addressed what the contract has to cover when a component service is in use? Ken will review the CO_SAC for any contractual obligations already listed and see if this is a place we could clarify.
Ken asked everyone to think on it more and we will address further on the next call.
Other Business:
Eric asked if anyone heard any updates or any movement on NIST 800-63-4? We submitted feedback on the last call for feedback. Nobody has heard anything further at this point. Kay will ask David Temoshok if there are any updates besides what NIST has already published.
The next IAWG meeting will be Thursday, November 11 at 1pm EST. Continued discussion on component services will occur.
Ken adjourned the meeting at 1:50 pm EST.