IAWG Meeting Minutes 2013-10-10

Kantara Initiative Identity Assurance WG Teleconference


Meeting Minutes - IAWG approval required


Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: IAWG Meeting Minutes 2013-10-03
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Endorsement of Draft IAWG Charter
    2. Continued review of the latest draft material on 800-63-2 v SAC mapping
    3. Continued discussion about ALx_CO_ISM#090 i) frequency of compliance audits and ii) Internal v External v Independent audit and rationale
    4. Volunteers for Resilient Trust Network sub-group
    5. Feedback requested for initial draft of Modular IAF document
    6. If time permits - discussion of flight path of IAF v4.0 timelines/expectations
  3. AOB
  4. Adjourn

Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9


Meeting achieved quorum

Voting

  • Myisha Frazier-McElveen (C)
  • Rich Furr (V-C) 
  • Andrew Hughes (S)
  • Scott Shorter
  • Richard Wilsher
  • Cathy Tilton

Non-Voting

  • Peter Alterman
  • Tricia Hammar
  • Ken Dagg

Staff

  • Joni Brennan

Apologies

  • Matt Thompson

Notes & Minutes

Administration

Minutes Approval

IAWG Meeting Minutes 2013-10-03

Motion to approve minutes of 2013-October-3: Rich Furr
Seconded: Scott Shorter 
Discussion: None
Motion Passed

Action Item Review

See the Action Items Log wiki page

Staff Updates

LC Updates
  • No meeting this period
Participant updates
  • The RTN Sub-Group call for volunteers and sub-group formation

Discussion

Endorsement of Draft IAWG Charter

Motion to Endorse Draft IAWG Charter for forwarding to LC for review and approval:  Rich Furr 
Seconded: Scott Shorter
Discussion: None
Motion passed

Discussion of 800-63-2 mapping to KI IAF v3
  • Since 800-63-2 has been formally published, there have been significant changes which have resulted in new criteria
  • Overview of the new criteria - request for IAWG to review to confirm correct mappings
    • Look at the in-person proofing at AL3 & AL4 and the permissibility of remote proofing (current relationship) for AL4
    • Antecedent Identity data for ID Proofing - not in 800-63 -> it's in supplemental guidance for Federal Bridge CP; this is accepted by FICAM and FBCA.
      • This might now be covered in 800-63-2 5.3.2.3 Customer Identification Programs
      • This might be a good candidate for National Profiles - to specify Nation-specific processes
      • Enterprise antecedent data (this is actually Affiliation - this is how Verizon and SAFE BioPharma do it today): relationship between employee and employer using KI Approved identity provider for I-9 form data - the 'breeder documents' for this are essentially the same docs as used for in-person verification
      • The other kind of antecedent data (this is online antecedent data): is built and maintained by Identity Provider (Equifax, Lexis-Nexis, etc)
      • These two types of antecedent data are not accepted by US DoD for AL4 - they insist that AL4 requires in-person
      • Suggestion was made that 800-63-1 opened the opportunity to review the qualifications of the "Enterprise Proofing Component Entities" - this might allay the concerns raised
  • Question: does IAWG need more review time before sending out to Public Review? Or send it out for Review now then do further IAWG review during the 45 day period?
    • ACTION: Consensus: Send to 45 day Public Review as soon as they are ready.
  • Question: has the new version of SAC been aligned with the new terms in the Glossary?
    • Not yet. ACTION: Ken Dagg will review for alignment.
Continued discussion about ALx_CO_ISM#090
i) frequency of compliance audits
  • First and fourth year audits should be external/independent audits
  • Second and third year audits are "Core plus Half SAC" in a way to cover the whole SAC between the two
ii) Internal v External v Independent audit and rationale
  • Section 5 of the AAS
    • indicates that a certified entity could submit a report of Internal Audit to the ARB for the second and third year partial audits
    • the ARB is the deliberative body and could make a determination
    • if so, this would significantly reduce the cost to Approved entities (each external audit costs ~$100,000)
  • Another viewpoint: perhaps a robust process that recognizes other Approval schemes would help solve this
  • Suggestion that the scope of audit for the multiple Certification schemes is similar enough that the question should be to use findings to satisfy multiple Certification schemes
  • FedPKI Policy Authority has discussed this before
    • CA Operators made the case that full annual PKI audits were too expensive (2006-2007 timeframe)
    • FedPKI has adopted a policy of incremental assessments with triennial full assessment - similar to the current thinking of Kantara
    • The annual assessment - still done by external/independent auditor (needs to be fact checked)
  • Would be a good idea to get Deb Gallagher's opinion on the FICAM requirement/opinion
  • FICAM AL3 requires third party assessments
    • But this might work because FICAM only requires 'comparability' not the degree of specificity in the current Kantara SAC
  • ACTION: Joni to locate and share the document that describes the annual SAC audit coverage requirement - was created in ARB
  • Resolution: the original motion to remove the CO_ISM#90 was made in a prior meeting. That decision still stands.
  • ACTION: the AAS needs an updating to reflect current thinking on annual criteria audit coverage

All other agenda items to be carried forward to next meeting due to expiry of meeting time.

AOB


Attachments


Next Meeting