Kantara Initiative Identity Assurance WG Teleconference

Date and Time

Date: Thursday, 2017-03-16
Time: 12:00 PST | 15:00 EST (time zone calculator)
Please join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/380672837
- You can also dial in using your phone. United States: +1 (312) 757-3119 (more phone numbers)
- Access Code: 380-672-837

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Minutes Approval:
  - DRAFT IAWG Meeting Minutes 2017-03-09
  - DRAFT IAWG Meeting Minutes 2017-03-02
4. Action Item Review: action item list
5. Organization Updates - Director's Corner
6. Staff reports and updates
7. LC reports and updates
8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
1. Charter vote
2. Report from last week's TFTM meeting on IDEF mapping
3. Discussion of 800-63C (comments so far)
AOB
Adjourn

Attendees

Link to IAWG Roster

As of 2017-01-12, quorum is 5 of 8

Use the Info box below to record the meeting quorum status

Meeting (did / did not) achieve quorum

Voting

Andrew Hughes
Scott Shorter (VC)
Ken Dagg (C)
Denny Prvu (S)
Richard Wilsher

Non-Voting

Staff

Ruth Puente

Apologies

None

Voting Members for Cut/Paste

Ken Dagg (C)
Andrew Hughes (VC)
Scott Shorter (S)
Paul Caskey
Adam Madlin
Richard Wilsher
Lee Aber
Denny Prvu

Selected Non-Voting members for Cut/Paste

Bill Braithwaite
Rich Furr
Devin Kusek
Björn Sjöholm
Susan Schreiner
Jeff Stollman

Notes & Minutes

Administration

Minutes Approval

Motion to approve minutes of 2017-03-09, 2017-03-02: Andrew moves. Denny seconds.

Motion Carried

Action Item Review

Staff Updates

Director's Corner Link

Link to the most recent director's corner.

LC Updates

Consent receipt spec will go up for member ballot soon.
UMA version 2 will be doing the same within 2-3 weeks
IRM report is nearing finalization
Block chain draft report nearing finalization soon
Discussing next piece of work for consent receipt and a possible GDPR toolkit
New Mission Statement: Kantara Initiative is the global consortium improving trustworthy use of identity and personal data through innovation, standardization and good practice

Participant updates

Discussion

Charter vote

Ken will send out the revised charter before we vote - strong recommendation at LC meeting to see how they contribute to the mission statement.

Report from last week's TFTM meeting on IDEF mapping

IDEF mapping - IDESG trust framework and trust mark workgroup had a mapping exercise to see how the KI might meet the requirements of their ID Ecosystem framework, and send it back to use to comment on. IDESG has a self-attestation registry of companies that want to declare that they meet the ID Ecosystem baseline requirements. The idea would be whether a Kantara Initiative assessment could be used to reuse assessment against the IDEF. We agreed with most suggestions, had a meeting last week to check notes, read the response and check notes if they need it. Scott will add email from Andrew following the call - a list of items that IAWG should consider, how to be prepared. Similar guidance to IDESG as well. No major arguments on the call. Compared notes.

Discussion of 800-63C

Collecting comments from those on the call.

Scott - credential generation and other lifecycle issues are missing from the discussion

RGW - agree, not certain those issues need to be in the NIST 800-63 document

Andrew points out 800-63B has a section called lifecycle management. RGW agrees but notes that there are many requirements stuffed in there.

Ken asks if anything changes if it happens in a federated context as opposed to the context B was written in.

RGW suggests that it depends whether the federation includes requirements to be a member of the club. Only becoming more of a concern as reading 63B and 63C. Many SHOULD statements - as we know, if is says SHOULD then they probably won't.

Globally we have a comment that SHALL and SHOULD need to be clear. Each distinct SHALL or SHOULD ought to be in a single paragraph.

Andrew observes it's a similar comment to last week - the document is a mixture of explanatory material, guidance material and requirements material.

Ken suggest we could comment them for adopting a normative style.

General agreement that the document is not ready for prime time.

Andrew notes that we appreciate the shift towards normative language in the requirements, but the phrasing of some requirements makes it difficult to have certainty that the implementation meets those requirements. As assessors there is also uncertainty about how to evaluate the conformity. Uncertainty then leads to inconsistency.

RGW has one other broad topic - 4.2 of 63C - requirements on federal agencies slapped on the end of the section. Perhaps including it in an annex instead of including in the rest of the flow of the document. The agency guidance at the end of the privacy section is a non-sequitur with respect to the rest of the document

Andrew notes that the audience section of 63-3 is blank.

We could use clarity from the authors on when the agency specific text applies.

Next week we will take the first cut at looking at the comments. We can package and submit them early if we're happy with them next week.

Note from Colin - think about the process with this. If we can share a thought as to how NIST can improve the process, but it is not always suitable for community comments that way. If we can think of a better suggestion we will suggest that.

AOB

Attachments

Next Meeting

Date: Thursday, 2017-03-23
Time: 12:00 PT | 15:00 ET
Time: 12:00 PDT | 15:00 EDT
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers

Browser not supported