2021-07-08 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Richard Wilsher, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Roger Quint, Eric Thompson, Chris Lee

Staff: Kay Chopard

Agenda:

1. Administration:
   1. Roll Call and quorum determination
   2. Agenda Confirmation
   3. Minute approval (DRAFT minutes of 2021-06-24)
   4. Staff reports and updates
   5. LC reports and updates
   6. Call for Tweet-worthy items to feed (@KantaraNews)
2. Discussion
   1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
   2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
   3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
   4. d. Component Service Consumer criteria.

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval: Mark H moved approval of the the draft Minutes of the IAWG meeting of June 24.  Richard W seconded.  The Minutes, as written, were approved unanimously.   

Staff reports and updates: ED Kay C. Focus is finding a replacement for Ruth as Program Manager (PM) for the Assurance Program. After first pair of finalist candidates both dropped, starting interviews again. Looking for more junior PM rather than trying to replicate Ruth's deep experience out-of-the-box. Best case for new IAF PM to be on-board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates:  Ken D: LC had one meeting. Of interest, long-time Chair of UMA has stepped down due to business demands. mDL Privacy report is out for review–have a look. 

KenD:  reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities and via the @KantaraNews Twitter handle. Or send to Ken D or Kay C.

Discussion:

Continued consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken D: noted that a listserv discussion is accessible via a link in the Agenda emailed before the meeting. He then invited Richard W to lead the resumed discussion.

Richard W: believed we should do something in this space and it may not be just for Federal agencies. Suggested that we need a capability to assess alternative controls, based on a thorough process based on evidence regarding risk, etc. 

Eric T:  agreed that there is a need and opportunity to provide some rigor around alternative controls. Key thing is needing to quantify risk being controlled.  Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out.  Agencies / orgs don't have ability themselves to do the rigorous analysis develop and document use of "comparable alternative controls."  

Mark H: agreed that there is a broader need than just for CSPs serving Federal agency customers. 

Kay C: identified that other Federal agencies with whom she has talked feel that they need unbiased technical help to make their decisions on IAM risk.  Understands that NIST (David T) is very wary about Kantara involvement but believe that his concern can be reconciled. 

Roger Q:  asked if we do work in this area, will NIST welcome or oppose? 

Richard W:  we should respond to what our customers request and work on getting acceptance, if not support, from NIST. 

Ken D:  maybe an approach to GSA would work as they owned FICAM.  We need a Federal central-agency supporter of our work in this area. 

Kay C:  Kantara is still meeting with GSA regularly. It will be just her until the new IAF PM is on-board. It was noted that things might be slow for a bit as everyone in Government seems to be planning deferred vacations.  

Roger Q: Kantara needs some awareness at, or at least tolerance from, NIST and/or GSA for anything we do in this area.   

Eric T:  asked if there is an opportunity for IAWG to help move this forward by putting out guidance related to quantifying risk and the effectiveness of alternative controls for ID proofing systems?

Richard W: noted that Kantara having a set of criteria for evaluating risk and control effectiveness would be useful for assessors who have customers (e.g., private sector or non-US) that are not strictly locked into (very conservative, tech-focused) NIST standards. 

Mark K:  asked if this is just a US issue?  (He will check to see if he can locate any EU-developed materials for risk analysis/quantification and controls effectiveness.)

Jimmy J:  believed that many US Fed agencies are thinking "I need IAL2", and would not want to get involved with something "comparable." 

Richard W:  reminded the meeting that Kantara has been asked by a Member CSP working with a real Federal agency that has a business need to identify public clients who cannot provide the proofing documents required by NIST standards. Believes that Kantara should respond to those needs. 

Jimmy J:  stated that he is not sure that every KI assessor is going to be able to make and document these judgments about risk and effectiveness. Inconsistent assessments would create a risk to Kantara's reputation. 

Mark H: believed that the risk to Kantara can be reduced if Kantara is transparent about what it is doing and shows that it is doing this analysis of an alternative control’s effectiveness based on reasonable criteria

Jimmy J:  believed Richard W's suggested additional IAF criteria seem a reasonable basis to begin developing a process for evaluating alternative controls. 

Ken D: noted that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency. 

Eric T:  believed that, as a supplier, we must do is make sure an agency (customer) is aware of the requirements of accepting "comparables" 

Richard W:  noted that Kantara assesses CSPs and not RPs. (But Kantara has criteria for federations, and federations would presumably impose various requirements on their member RPs.) 

Jimmy J: asked how Kantara would express the results of an assessment based on the use of a comparable alternative control?

Eric T:  indicated that, as a supplier, they would provide a memo to their customers clarifying that the service is/uses an alternative control. 

Ken D:  thanked everyone for the good discussion. Summary:  seems worth pursuing, building on Richard W's draft criteria. 

Richard W, Eric T, Mark H., Jimmy J. and Roger Q. agree. No dissent.

Ken D: asked Richard W when he could be ready to discuss initial draft criteria.

Richard W: noted that he might not be available for a couple of meetings in August. 

Ken D: asked Richard W if something could be available IAWG to look at for next week's meeting on the 15th.

Richard W:  indicated that he could. 

Jimmy J: asked if the ARB needs to get involved?  What's the process where an alternative control is involved? 

Richard W: agreed that there needs to be a process to communicate the decision to the CSP and to the (RP) customer. 

Roger Q: identified that Kantara need to coordinate and communicate with NIST to avoid appearance of going around them.

Richard W: agreed but stated that Kantara is not asking for permission. 

Ken D: indicated that Kantara would inform NIST for their information.

Other Business:

Mark K: asked if individual submissions only for providing input to Australia?  Ken: yes. Deadline 7/14. 

Ken D:  identified that the Pan-Canadian Trust Framework has a new document out for comment by 28 July. Seems to be revisiting the "vectors of thrust" concept. Doesn't seem too relevant to IAWG but will send around, and WG can decide at next meeting if we want to submit comments.

Other topics on the agenda deferred to the next meeting.

————————
Next meeting July 15th, 1PM US Eastern as usual. 

Ken D closed the meeting at 2:05.