2021-09-02 Minutes
Attendees:
Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King, Richard Wilsher
Non-voting participants: Roger Quint
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Administration:
- Roll call, determination of quorum
- Agenda confirmation
- Minutes approval - 2021-08-26 DRAFT Minutes
- Staff reports and updates
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews)
Discussion:
- Approve criterion language for CO_SAC.
- UK open consultation response.
Any Other Business and Next Meeting Date
Meeting notes
Administrative Items:
The meeting was called to order at about 1:05PM (US Eastern). Roll was called. The meeting was quorate.
Minutes approval: Mark King moved approval of the draft Minutes of the IAWG meeting of Aug 26. Mark Hapner seconded. The minutes as distributed were approved unanimously.
Staff reports and Updates:
Kay intends to move Kantara away from Virtual, a contractor that currently supports Kantara finances, membership, and other areas. She's looking for new company who can provide more services and at a better cost. Also, she is looking to not renew our contract with GTM and transition to Zoom, as people have requested. The GTM contract ends at the end of September, so the decision will be happening soon. A question regarding federal agencies use of Zoom has been investigated and the understanding is that classified meetings cannot be held via Zoom. Kay asked for concern within this group. After addressing functionality concerns and capabilities, the group was content with switching to Zoom.
Ruth Puentes has agreed to be contracted for a few hours a month to continue to provide support in making the transition to the new Assurance Program Manager (Lynzie Adams) as smooth as possible.
In recent talks with some UK government contacts Kay addressed the perception in Kantara that the UK identity program was not interested in Kantara input. They acknowledged there is some validity to that perception, but explained that with new people things should be different. Kay's goal was to ensure they understood our perception and they did acknowledge it. She has a meeting with another official next week and will continue the conversation.
Kay has been approached by a French organization (OSIA) to submit a proposal regarding third-party assessment of service-providers' implementations of open source standards. She's spoken to some people within Kantara about potentially expanding the assurance program but needs to talk with the assessors regarding their interest level in another line of work. The informal proposal needs to be prepared for the OSIA board meeting at the end of this month.
There is a call scheduled for next week between GSA and New Zealand and Australia about interoperability. They're looking for ways to let CSPs avoid going through multiple similar certification processes in different countries.
Mark King raised two questions - He asked if Kay was referring to the APPG as an additional UK contact - if so, he said it seems like the right place to be for contacts with knowledge of views on identity matters in Parliament. He also asked if the potential OSIA work would have to be translated into French. Kay said she doesn't believe so but we are having some language issues in other areas so it is a good question to have confirmed.
Richard raised a few other questions. Is OSIA trying to get assessments that would conduct testing to validate interfaces, or more of a paper-based review? Kay would need to confirm but she believes it's more paper-based.
Kay then noted that there has been a lot of work around healthcare recently. We are partnered with the CARIN alliance. A very recent development is that Direct Trust has taken over Safe Identity as of this week. We had an MOU with Safe Identity but as a part of Direct Trust, Safe Identity will apparently not be bound by that agreement. Kay has meetings scheduled to see how we move forward. TEFCA, which is responsible for implementing key identity-related HHS/ONC initiatives, has specific objectives on identity proofing and requires healthcare providers and their vendors to be approved at several levels of assurance. Phil Lam is going to make some introductions so we can alert these groups that Kantara is available for this service.
Ken thanked Kay for the information and intelligence provided to the working group, as it helps with planning and priorities.
Discussion:
Kay had a call with Phil Lam this morning. Federal agencies are talking to him about the difficulty they're having with pass rates due to facial recognition (AL2). Kay mentioned IAWG is drafting material to offer guidance/information to federal agencies about alternative controls. Phil agreed with David Temoshok that this is not a good move and does not think Kantara should take this position. He commented that it could negatively impact the relationship Kantara has with both NIST and GSA. Phil suggested if agencies reach out that they should be directed to NIST or even to him. Kay wanted to ensure IAWG was aware before moving forward in the current process.
Richard confirmed that our currently proposed revision is to formalize what is stated in Sec. 5.4 of NIST 800-63. We are not inventing things, just making a stronger case.
Kay suggested it might be worth having further conversations before publishing for public comment.
Richard suggested drafting a very clear document showing which pieces of text in 800-63 our proposed criteria embody, and if anything was invented, to justify it. That would show that there is rigor applied throughout the entire process we have been discussing.
It was noted that the first step of the Kantara review process is to make the proposed criterion changes available for public review. There was concern that putting the draft into the public domain could be perceived negatively by GSA and NIST. After further discussion the WG agreed to have further conversations with Phil, and meanwhile to hold off on initiating the Kantara review. This would delay final approval and publication of the revised criteria until after the holidays.
Regarding the anticipated discussion with GSA, Martin suggested asking whether the current language on comparable alternatives in NIST 800-63-3 would be retained in current or modified form in the nest NIST version of the standard (63-4.) Roger concurred. The group agreed that having GSA on board was critical.
Martin suggested a conversation with the Department of Labor, to validate the our understanding of their intent to explore the use of the alternative controls provision of the current (800-63-3) NIST standard. We have been told they want to enable credentialing of populations who often cannot provide the documentary evidence currently required for identity proofing. He suggested that the current Administration's emphasis on inclusiveness might make it timely to exercise the provisions for comparable alternative controls.
Richard stated he is currently talking to 3 CSPs who are interested in comparative alternatives because they have federal agencies asking about it and they are having difficulties meeting the NIST criteria. He agreed with much of the prior conversation, including the idea of a meeting with DOL's Eric Thompson, to bring him up to speed. Kay undertook to set up a meeting with Eric.
Regarding the schedule for revising the current Kantara criteria, it was noted that the group had previously been concerned with not requiring Kantara reviewers, assessors and services providers to deal with frequent updates. When NIST updates the underlying standard from 63-3 to 63-4, Kantara will definitely have to do its own major update of the criteria. Avoiding updating the current Kantara criteria and then having to do another update soon thereafter was the main schedule consideration that led the WG to set a goal of getting the current revisions approved before the 2021 holidays.
Ken D. believes that at this point we are looking at early 2023 before NIST releases 800-63-4, which would mark the start of the conforming Kantara assessment criteria update. Given that outlook, nobody voiced concern in delaying until January 2022 the final approval and publication of the currently proposed updates. The consensus of the group was thus to delay initiating Kantara review, and thus releasing the package for public comment, until further conversations are had with GSA and potentially NIST. Richard agreed to draft a clear comparison of our proposed language vs. the NIST 800-63 language on comparable alternatives, and provide that to Kay as background for her next meeting with Phil.
Roger stressed that the concern is the inflexibility of the existing NIST standards for identity proofing and uncertainty about the process for using comparable alternative controls.
Kay will continue to keep Ken and the IAWG up-to-date with progress from the discussions with GSA and others.
UK Response:
Ken put together a draft response and will circulate via the WG mailing list after the meeting. He has had preliminary feedback from Martin and Mark King. He asked all WG members to please review and send comments. The group will discuss at next week's meeting as the response is due back to the UK program on Monday, September 13.
Other Business:
Ken D. reported that we have received a call for comments from New Zealand on their planned Framework, and that input is due September 30th. He thinks at this point that we should provide some comment, and noted that we do have a little time before their deadline. Ken will send it around after this meeting for discussion at the next IAWG meeting.
The next IAWG meeting will be Thursday, September 9 at 1pm.
Ken adjourned the meeting at 1:58pm EST.