2021-07-29 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Chris Lee, Roger Quint

Staff: Kay Chopard

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-07-15)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion 
    1. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. 
    2. Discussion of GSA question about Kantara criteria referencing "presentation attack detection" (PAD) , and possible clarification of the relevant Kantara criteria. 
    3. Decide if IAWG should respond to a public consultation on a new (July 19) UK Government Cabinet Office draft paper on "Digital identity and attributes", response due 13 Sept
  3. Any Other Business and Next Meeting Date

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at about 1:06PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval:  Mark King moved approval of the draft Minutes of the IAWG meeting of July 15. Mark Hapner seconded. The minutes as distributed were approved unanimously.

Staff reports and updates: ED Kay Chopard – Lynzie Adams has been hired to replace Ruth P. She is currently in training, and will be reporting Aug 23 on a full-time basis. She should be able to provide some support to IAWG. None of the candidates interviewed were expert on topics specific to the Kantara assurance program such as NIST 800-63. Lynzie is well qualified for all other aspects of the job and is a fast learner. 

LC reports and updates:  Ken again recommended that WG participants have a look at the P&I DG's very thorough mDL Report. He noted that the DG is being archived and that a new WG is being chartered to carry on the work.  Ken also mentioned that the FIRE WG is preparing a grant proposal. If that is successful, IAWG may be asked to help create an new set of assessment criteria. These would be the basis for certification of commercial consumer applications as capable of meeting HHS/ONC requirements for processing patients' PHI downloaded from electronic medical records (EMR) systems. 

Ken  reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Requests can be sent to Ken D or Kay C.

Discussion:

Ken suggested reversing the order of the Agenda's discussion items to address the decision items first. 

c.  UK Government Cabinet Office draft paper on "Digital identity and attributes", response due 13 Sept.--Ken asked for WG views on whether and how IAWG should respond. Mark King noted that the paper did not include a process for certification of scheme participants (mainly CSPs.) … the issue of most direct concern to Kantara. Given that, he suggested the WG wait and see if an opportunity to address this issue might present itself. Ken D. wondered if Kay C., using the occasion of her appointment as Exec Director, might contact the UK program leads and indicate Kantara's interest in providing input regarding a certification process.  §§I would suggest that the text I made bold and italicized be removed. While it was said, it is somewhat derogatory §§ He observed that Kantara had been trying for some time, with limited success,  to establish a productive relationship with the UK Government, and this might provide a fresh start with a new face representing Kantara. Kay C. noted she is acquainted with one of the UK program managers via their participation in Women in Identity.  It was agreed she would make a contact in her new Kantara role, mention Kantara's interest in providing input to the UK program (in particular from the perspective of our experience in operating a certification process), and assess opportunities to develop the relationship. Ken suggested we should would return to the issue of a possible response to the UK consultation call in late August, perhaps with some additional input from Kay's contact. 

b.  GSA question about Kantara criteria referencing "presentation attack detection" (PAD), and possible clarification of the relevant Kantara criteria.  Ken provided brief background on the question from GSA (Phil Lam, speaking with Kay C.) that came up since the last WG meeting, and said this might be an opportunity to enhance our relationship with GSA. He asked for any thoughts from the WG. Roger Q. said several vendors had come up with ideas for detecting/mitigating presentation attacks, and that focus on this by Kantara is timely. Jimmy J. said he has applied PAD, but that it's a bit different from regular assessment activity and may be more like a laboratory standards issue. Roger Q. agreed, and said he had been very interested in seeing the language Richard has come with so far. Ken suggested we should defer this issue also to the next meeting when Richard should be available. Ken confirmed that if IAWG were to develop new or clarifying criteria language related to GSA's question he would expect to make it part of the package of revisions we are working to submit for approval this summer. Kay C. mentioned that she is meeting again with Phil Lam, but has other issue to discuss and would not raise this; Ken suggested that if Phil raised it, she might tell him the IAWG is actively considering it and expects to be able to get back to him soon.

a. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. Ken provided an overview of the process, indicating that the total Kantara approval timeline is about 2 1/2 months.  Given that, he believes the WG should aim for publication of the updated criteria in mid-November, which implies having a package ready to submit by the end of August.  The package would consist of at least one "substantive" update – the "comparable alternative control" criteria we have been discussing – plus several non-substantive revisions that Richard has been accumulating.  If the PAD issue results in revised criteria language, that would also be included. He pointed out that one important consideration is to avoid frequent changes to the criteria as that has an impact on CSP's as well as on all Kantara reviewers. NIST's update of SP 800-63 to version 4 will definitely require another revision of the Kantara criteria, but he believes that NIST's schedule for 800-63-4 will likely slip a bit so there should be at least 18 months between the Kantara update we are now preparing and the major one that will result from the NIST revision.

Mark K. asked if reviewers will be provided with any notes on the rationale for each of the proposed changes. Ken said notes like that have not been provided in the past, but that it might be an idea this time, as a way to expedite review of the package of proposed changes. He noted that the only substantive updates planned are the "comparable alternative" language changes and possibly new PAD-related language.  (He noted that Richard W.'s latest draft of the former was currently being shared on-screen, and that a link to the spreadsheet was included in the email with the invitation and Agenda for this meeting, Revisions since the previous IAWG call are in blue text in the spreadsheet.)   

Mark K. asked how we can expect CSPs to provide a quantitative comparison of the effectiveness of a control specified in 800-63-3 vs. a proposed "comparable alternative", since as far as we know NIST has not provided such data on controls. Roger Q. asked if we could or should be more specific about what should be measured for a "quantitative assessment.  Ken responded that the potential variety of alternative controls and use-cases makes it impossible to be very specific about what data might be relevant.  Jimmy J. suggested that the best Kantara can do is to require transparency about the CSP's analysis of the risk of using an alternative control, and have the assessors apply some basic judgment about the logic of the CSP's risk analysis and the evidence supporting it. 

Several WG members then speculated about possible reaction of NIST to Kantara's acceptance of the use of alternative controls in certifying a CSP. Jimmy J. believes NIST doesn't want to get involved in enforcement; Martin S. agreed. Kay C. recalled that NIST's David T. expressed a strong negative reaction to Kantara involvement in the assessment of alternative controls. Ken thinks our proposed draft language permits an agency to take a political decision (to accept the risk of an alternative control) based on a CSP's documented analysis. Kantara's certification of the CSP would indicate that a quantitative risk assessment has been performed and that it looks reasonable. It would also indicate that RP management is aware of the results of risk assessment.

Ken summarized by saying the WG is close to having the draft of a good process for assessment of alternative controls, but we need to "market" the approach so Kantara's reputation for quality assessments doesn't suffer. 

Noting that the meeting time was up, Ken recapitulated open actions on finalizing the criteria update package:  at the next meeting in two weeks, we need to finalize the "comparable alternative control" assessment language, and also finalize a criteria revision related to PAD.  Ken will remind Richard that we also need to see the non-substantive criteria changes to be included in the package. Martin S suggested that Ken might expedite consensus on the PAD language by circulating the email dialog between Ken and Richard on this topic that took place over the past few days.  

Other Business:

Next Meeting: August 12.   In addition to the items noted above related to finalizing the criteria change package, we hope to get a report from ED Kay C. on her outreach to her contact at the the UK Digital Identity program.  \

Ken adjourned the meeting at about 2:05PM US Eastern.