2022-05-19 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, Mark King, Maria Vachino, Richard Wilsher
Other IAWG Members: Eric Thompson
Guests: Matt King
Staff: Lynzie Adams, Kay Chopard

Proposed Agenda

  1. Administration:
  2. Discussion:
    • New Chair - Introduction & Overview 
    • VP of Assurance Report
    • 2022 Action Item List - Overview & Structure
    • IAWG role in 800-63 Rev. 4
    • Addressing assessor/field observations about new ways of doing proofing/authentication - and how to incorporate into SAC
  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. The meeting was quorate.

Minutes approval: The April 28 minutes were updated to reflect Matt King as an IAWG guest rather than an IAWG member. Mark King motioned to approve the draft minutes from the May 5 IAWG meeting. Mark Hapner seconded the motion. The minutes were approved unanimously.

General Updates:

Kay - Adding an additional assessor; current assessors are also adding staff to keep up with the current demand and growth of the Assurance Program. Continued work with ONC, CARIN, and other agencies.
Andrew - Provided an update on the EIC pre-conference session. There was an engaged crowd who were happy to hear things are really taking off. As for CARIN, there are hopes that two IAWG members can contribute to the CARIN working groups to help them and also bring back the lessons so we can monitor how it is going.

Discussion:

New Chair - Introduction & Overview

Andrew discussed the new agenda format and the desire to hold meetings weekly. Additionally, in coming weeks the Assurance Report will move from a discussion item to a standing administrative item to be addressed when needed. 

VP of Assurance Report 

Maria reported that a strong concern she is hearing is that non-experts are looking at the Trust Status List and they are confused. They are not understanding what the levels are and the difference between full and component services. We need to be more explicit on what component services are and what is still needed to complete the full service. This can go on with the classes of approval/ service descriptors meeting being held June 9.

Additionally, we need an explanation of component services up front. We need to be explicit about what is missing and what you need to add to make it fully compliant. Would also like to display the SACs in another way, as the PDFs are sometimes missing information. Action Item - Figure out how to better display the SACs and in what ways we can enhance the TSL to be useful to non-industry folk.

Action Item List

Andrew reviewed the 2022 Action Item list with updates he found make it easier to use, including a column for the next action date.

We want to clean it up and make it active actions only. Will continue to include the screenshot of the action item list in the invitation and agendas to keep us on task. The group addressed ongoing items and decided to move them to the agenda rather than the action items list; this will be reflected on the next agenda. IAWG leadership will discuss what to do with the Rev. 4 suggestions and Ken's report on the action item list at their next planning meeting and bring back to the full group.

IAWG Role in 800-63 Rev. 4

Maria brought up false non-match rates and the data we need to address that. How are we enforcing the false match rate? We want to make sure that our Approvals are meaningful. Martin asked if adding criteria is one path to achieving this – Andrew and Maria acknowledged it is one way. Further, we need to include the ISO standards directly in the Kantara standards. Richard reminded the group that we currently require the CSPs to show evidence that they are conformant to the standard.

Andrew asked if it would be helpful to have a 3-4 page report on how matching rates work and how they are determined, pointing to the NIST report that lists the algorithms and how they work. Is that an action item that would be useful for our CSPs? More explanation of the nature of matching. Maria believes it would be useful, and she wants to see clear and consistent guidelines on what tests they must run in an Assessment. Maria does not believe 'show me whatever evidence you have for match rate' is sufficient. Richard argues that if we do this for one criterion, where do we stop? Further, he believes we should not be trying to define a standard that already has an international standard defining it. Richard thought Maria was going to suggest CSPs would submit data and demographic information, which could be a potential solution.

We need to see the standard and see what it is. Then we can have the discussion. Action Item - buy the ISO standards to further discuss.

This conversation will be carried over to the next meeting. Richard highlighted 63A#0620 as the applicable criterion.

ISO:

63A#0620        The CSP shall implement biometric systems which have at least the following characteristics:
63A#0620   a)   operate with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better;
63A#0620   b)   achieved that FMR operation under conditions of a conformant attack (i.e., zero-effort impostor attempt) in accordance with ISO/IEC 30107-1.
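The following worked example is added here as an illustration of the FMR criterion in 63A#0620 and of the evidence question raised in the Rev. 4 discussion (how an assessor can tell whether "whatever evidence you have for match rate" actually demonstrates 1 in 1000). It is not part of the minutes, the Kantara SAC, or any NIST or ISO tooling. The similarity scores, the 0.65 decision threshold and the matcher's score distributions are constructed assumptions, and the Wilson confidence bound is a standard statistical interval chosen for this illustration, not a requirement of the criterion.

```python
# Added illustration of the FMR criterion quoted from 63A#0620; not part of the
# IAWG minutes or of any Kantara/NIST/ISO tooling. All scores are constructed.
import math
import random
from dataclasses import dataclass


@dataclass
class MatchRates:
    threshold: float
    fmr: float            # false match rate: share of impostor comparisons accepted
    fnmr: float           # false non-match rate: share of genuine comparisons rejected
    impostor_trials: int
    false_matches: int


def compute_rates(genuine_scores, impostor_scores, threshold):
    """Score a batch of comparisons against a decision threshold.

    A comparison is accepted when its similarity score is >= threshold.
    FMR counts impostor pairs wrongly accepted; FNMR counts genuine pairs
    wrongly rejected (the rate Maria raised alongside FMR). Raising the
    threshold lowers FMR at the cost of FNMR, and vice versa.
    """
    false_matches = sum(1 for s in impostor_scores if s >= threshold)
    false_non_matches = sum(1 for s in genuine_scores if s < threshold)
    return MatchRates(
        threshold=threshold,
        fmr=false_matches / len(impostor_scores),
        fnmr=false_non_matches / len(genuine_scores),
        impostor_trials=len(impostor_scores),
        false_matches=false_matches,
    )


def wilson_upper_bound(errors, trials, z=1.96):
    """95% upper confidence bound on an error rate observed as errors/trials.

    Lets an assessor ask not just "what FMR was observed?" but "does the
    sample size support a claim of 1 in 1000 or better?"
    """
    if trials == 0:
        raise ValueError("need at least one trial")
    p = errors / trials
    z2 = z * z
    centre = p + z2 / (2 * trials)
    spread = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials))
    return (centre + spread) / (1 + z2 / trials)


def demonstrates_63a_0620(rates, required_fmr=1 / 1000):
    """True only when the upper confidence bound on FMR meets the criterion.

    A zero-false-match run over a few hundred impostor trials is still
    consistent with an FMR far worse than 1 in 1000, so the point estimate
    alone is not evidence of conformance.
    """
    bound = wilson_upper_bound(rates.false_matches, rates.impostor_trials)
    return bound <= required_fmr


def constructed_scores(n_genuine, n_impostor, seed=1):
    """Constructed similarity scores for a hypothetical matcher (not real data)."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.80, 0.06) for _ in range(n_genuine)]
    impostor = [rng.gauss(0.30, 0.08) for _ in range(n_impostor)]
    return genuine, impostor


if __name__ == "__main__":
    # Same hypothetical matcher, same threshold; only the amount of impostor
    # evidence differs. The small run cannot demonstrate 1 in 1000 even with
    # zero observed false matches; the large run can.
    for n_imp in (500, 10_000):
        gen, imp = constructed_scores(1_000, n_imp)
        r = compute_rates(gen, imp, threshold=0.65)
        print(f"impostor trials={n_imp:>6}  observed FMR={r.fmr:.5f}  "
              f"FNMR={r.fnmr:.4f}  95% upper FMR bound="
              f"{wilson_upper_bound(r.false_matches, n_imp):.5f}  "
              f"demonstrates 1-in-1000: {demonstrates_63a_0620(r)}")
```

The design point for an assessment guideline is the last function: conformance evidence for a rate criterion needs enough impostor trials that the confidence bound, not only the observed count, falls at or below the required rate (with zero observed false matches, that takes several thousand impostor comparisons at 95% confidence). Criterion b) also requires those trials to be zero-effort impostor attempts per ISO/IEC 30107-1; this example only handles the counting once such trials exist.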

Addressing assessor/field observations about new ways of doing proofing/authentication - and how to incorporate into SAC

Ran out of time. Will be addressed at next meeting. 

Any Other Business

Mark Hapner is interested in identity recovery - what happens when you lose your issued credential? Andrew suggested putting it as an item to discuss in an upcoming meeting.