2021-03-25 Minutes

Attendees:

Voting Participants: Mark King, Mark Hapner, Richard Wilsher, Ken Dagg, Martin Smith

Non-voting participants: Tim Reiniger, Roger Quint, Pete Palmer

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was a quorum.


Agenda


1. Administration:
a. Roll Call
b. Agenda Confirmation
c. Minutes Approval 2021-03-18 DRAFT Minutes

2. Discussion

a. Review NISTIR 8344 (Ontology for Authentication) 
b. NIST open discussion issues in light of SP 800-63 rev.4.

3. Any Other Business



Minutes Approval

2021-03-18 Minutes were approved by motion. Moved: Mark Hapner. Seconded: Martin Smith. Unanimous Approval. 


Comments on NISTIR 8344 (continuation from last meeting) 

  • Link to the document: https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8344-draft.pdf 
  • Deadline to comment: April 9, 2021
  • Martin suggested that for identity context it would be better to use the term "reliance" instead of "trust". 
  • Martin commented that we should request the clarification of some of the base terms, such as accountability and trust, and maybe provide examples regarding the definitions to avoid overlaps and confusion. In addition, Ken pointed out that we should ask why they didn't use existing standards' definitions.
  • Ken said that the limit of the acceptable risk and the consequences for violating that risk are considered in a trust framework, so the parties can conduct business over the internet.
  • Richard pointed out that a trust framework is different from a federation. For instance, a credit card system is a federation where there are known players and known rules for playing; a closed group which you have to fulfil requirements to join. However, a trust framework is established without knowing who all the players are, but applicants go through a test and come out with some kind of positive flag called approval that shows that they've met certain requirements. 
  • The group agreed to ask NIST to define the relationships between those terms that would enable the establishment of a trust framework that can in turn support the establishment or operation of a federation. It should also be pointed out that the terms are not sufficiently rigorously defined.
  • Ken will provide a draft of the final comments next week.


NIST Open Discussion Issues regarding rev.4

  • Ken commented that NIST has provided a list of open discussion issues in light of revision 4, available at https://github.com/usnistgov/800-63-4/issues 
  • The deadline to comment is May 15, 2021.
  • Ken encouraged the group to review the list of issues and prepare comments for next week. 


AoB - Federation Agreement (63C)

  • Richard commented that, in light of a FAL assessment, a CSP asked what happens if they are providing services under more than one federation agreement, because they can't be going through a full assessment every time they need to demonstrate that they fulfil the requirements of a particular federation.
  • Mark King recommended reviewing CCEB Publication 1010, PKI Cross-Certification Between CCEB Nations, available at https://info.publicintelligence.net/CCEB-PKI.pdf. The agreement addressed how the US Department of Defense, UK Ministry of Defence and various other players could talk to each other when they have different laws. The document describes the deltas, so a participant could say "I'm joining this federation, here is the standard and here are my differences from that".
  • Richard: Are we trying to demonstrate in the assessment that they're capable of responding to federation agreement requirements, or that they meet each discrete federation agreement? That's where it becomes unscalable.
  • Ken suggested that if a CSP goes through an assessment against a specific federation agreement, and then needs to go through an assessment against a second federation agreement, the second assessment is done purely on the deltas between the original reference agreement and the new one; only the deltas are reviewed.
  • Mark King added that the equation would include some generic start point plus the deltas.
  • Richard concluded that there would be two options: 1. The simpler choice is to change some of the criteria such that we require CSPs to have a policy demonstrating conformity against a federation agreement. 2. Draft a reference federation agreement, then review how they have managed the deltas from that reference agreement, and publish the deltas.
  • It was suggested to invite David Temoshok from NIST and Federal Agencies to this discussion.