2021-04-01 Minutes

Attendees:

Voting Participants: Mark King, Mark Hapner, Richard Wilsher, Ken Dagg, Martin Smith

Non-voting participants: Tim Reiniger, Roger Quint, Pete Palmer, Eric Thompson 

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was quorum.


Agenda


1. Administration:
   a. Roll Call
   b. Agenda Confirmation
   c. Minutes Approval: 2021-03-25 DRAFT Minutes

2. Discussion
   a. Review NISTIR 8344 (Ontology for Authentication)
   b. Review criteria related to component service consumers.
   c. NIST open discussion issues in light of SP 800-63 rev.4.

3. Any Other Business


Minutes Approval

2021-03-25 Minutes were approved by motion. Moved: Mark King. Seconded: Mark Hapner. Unanimous approval. 


Review NISTIR 8344 (Ontology for Authentication) 

  • IAWG comments are being gathered in this GDoC: https://docs.google.com/document/d/1jswnFEpl1kvNmUAYBFa3MMjNXBam2BkYhE3FqbANOKQ/edit?usp=sharing
  • Ken pointed out that extensions of the definitions will be suggested and that there will be a clarification request on the purpose of the document. Ken added that some key terms were missing from the definitions, such as trust framework and federation, and that the relationship between the two should be explained. Furthermore, it will be suggested to add definitions of trust, risk, object and entity.
  • Mark K. suggested adding a reference to an existing document/standard, such as ISO.
  • Colin provided a reference to ISO 29115 for the "trust framework" definition: "set of requirements and enforcement mechanisms for parties exchanging identity information". He also provided a definition of "federation agreement" from an ISO search tool: "identity federation agreement between two or more domains (3.2.3) specifying how identity information (3.2.4) will be exchanged and managed for cross-domain identification (3.2.1) purposes".
  • Mark K. pointed out that a request for clarification on digital signatures should be added, based on the statement at line 625: "Two major forms of digital signatures are DSA and PKI".
  • Ken will add a definition of authentication from ISO 29115.
  • Mark K. said that he found the diagram confusing. 
  • A circular glossary that shows the relationships between the terms will be suggested.
  • Ken will revise the comments and provide a final draft for next week. 


NIST open discussion issues in light of SP 800-63 rev.4

  • Comments on IAL1 update #1, https://github.com/usnistgov/800-63-4/issues/1
  • Eric commented that the opportunity seems to be to create an interim level: self-attestation plus at least fair evidence verification and validation. Moreover, he said that it raises a question about the low-moderate-high impact risk matrix. Furthermore, he stressed that there are no definitions or guidelines for fraud or financial impact. It is very open and generic, so it would be worth developing guidelines on what "insignificant" or "inconsequential" means versus "serious", to help agencies determine whether a risk is low or moderate.
  • Colin added that Federal Agencies were looking for an Enhanced IAL1. 
  • Ken mentioned the Canadian solution, in which zero data is associated with a credential that is issued to an individual, and it is up to the RP to collect the identity data once they receive that credential and enrol the person. So it is basically the separation of the login from identity management.

  • Richard said that Kantara criteria provide a consistent definition of what xIAL or xAL "n" means, so a provider can be assessed as meeting the minimum requirements for a specific AL. If there is a defined meaning for IAL1 or "enhanced IAL1", then the RP can use that to decide which service to take.


UK DCMS Update

  • It was commented that UK DCMS requested feedback and offered engagement sessions with industry stakeholders on the UK's Digital Identity and Attributes Trust Framework alpha. They asked questions about compatibility with money laundering regulations, the Trust Mark, and portability of digital identities. The deadline to provide input is April 30th. Full details can be found at: https://docs.google.com/document/d/1e6pILWpMA09rAZxTmvkzLkGb-0BtMI5eWMELzefqiYI/edit?usp=sharing
  • Moreover, it was reported that DCMS plans to share the draft certification documents with stakeholders before the end of June. In July, DCMS expects to provide the next iteration of the trust framework and is considering a formal consultation on legislation and governance starting in July-August.
  • It was agreed to provide high-level comments on this. A GDoc for developing comments/responses will be shared with the participants.


Others

  • Richard commented that NIST wants to convert 63A/B/C rev.4 into an international standard.
  • The group continued the discussion on considerations about subject-focused criteria in the OP-SAC, and the necessary changes were made to address the component service consumer perspective. Richard has made the corresponding revisions to the OP-SAC.