2018-10-11 Meeting Notes

Attendees:

Andrew Hughes

Matt King

Tom Barton

Colin Wallis

Scott Shorter

David Simonetti

JJ Harkema

Richard Wilsher


InCommon Report provided by Tom Barton


  • InCommon Baseline Expectations Program: Ongoing processes to improve metadata quality and other aspects of Federation Operations. 75% of InCommon Members fully meet the baseline expectations on metadata quality. The deadline to meet the requirements is December 14th.
  • REFEDS: Completed the work on the Assurance framework, including single-factor authentication (SFA) and multifactor authentication (MFA) profiles. Also, they have defined two assurance profiles called Cappuccino and Espresso. Cappuccino, applied together with the SFA authentication profile, matches the AARC project’s requirements for low-risk research, and Espresso, together with the third specification, REFEDS MFA, is aimed at serving research use cases with stronger assurance needs. The specifications make use of existing frameworks, such as NIST 800-63b, the Kantara Identity Assurance Framework and eIDAS.
  • SIRTFI is still active.
  • Trusted CI, National Science Foundation Cybersecurity Centre of Excellence: Another area of collaboration. A recent workshop discussed the increasing amount of secured data that researchers need to do their work. The security requirements in the field meet NIST 800-171, which is a good baseline of security obligations for research and education in the US. Also, it profiles 800-63 at a certain level.


Kantara IAWG Report provided by Scott Shorter and Colin Wallis


  • IAWG has updated the Service Assessment Criteria in response to the memos that were issued in the summer. The memos included a recommendation that when the CSP is approved there be some way, in addition to the LoA, to share information about the specific mode of identity proofing that is used.
  • Colin commented that Jim Sheire said he is trying to coordinate an Industry Day like the one held in WDC in January 2015.


SAFE-BioPharma Report provided by Matt King


  • During the Policy Authority Meeting for Federal PKI it was commented that they adopted some minor changes around 800-63-3 requirements and it was clarified that unsupervised remote identity proofing is not allowed. There were no comments on OMB. 
  • During the discussions about the Federal PKI Program Matt had with LaChelle, it was stressed that they need clear use and business cases to show the value to the government of using commercially available federated credentials to access government applications. 
  • Matt encouraged the group to consider situations and government agencies that are actively using certified credentials from a credential provider, and said it would be beneficial to explore that further and present it as a use case so we can build a value proposition. He added that it would be good to coordinate this effort in order to have a better impact on the message to the government.
  • Andrew suggested creating a User Work Group or social group for the customers of our providers, offering them a forum to meet once a quarter to discuss issues and find common cause that may show industry adoption. Matt supported the concept and suggested defining that further.
  • Matt commented that we should show the federal government that insurance, banking and state governments are looking at our certification as a requirement.
  • Andrew said that if states and/or industries have made TFS Approval a procurement minimum requirement, they will not be pleased if this approval is eliminated.
  • Matt suggested developing the justification based on the feedback we can get from our CSPs. Therefore, he recommended that TFPs reach out to the issuers (approved providers) and ID proofers that have been certified and ask them if the RFPs to which they responded include 800-63-3 as a requirement, and if so, ask them if we can get a copy of that RFP.


Action items

  • Build together a value proposition.
  • Discuss and define the scope of the potential User Work Group.
  • Reach out to the CSPs to confirm 800-63-3 is included as a requirement on the RFPs.