IAWG Meeting Minutes 2017-03-16

Kantara Initiative Identity Assurance WG Teleconference


Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes Approval
    4. Action Item Review: action item list
    5. Organization Updates - Director's Corner
    6. Staff reports and updates
    7. LC reports and updates
    8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Charter vote
    2. Report from last week's TFTM meeting on IDEF mapping 
    3. Discussion of 800-63C  (comments so far)
  3. AOB
  4. Adjourn

Attendees

Link to IAWG Roster

As of 2017-01-12, quorum is 5 of 8


Voting

  • Andrew Hughes
  • Scott Shorter (VC)
  • Ken Dagg (C)
  • Denny Prvu (S)
  • Richard Wilsher

Non-Voting

Staff

  • Ruth Puente

Apologies

  • None


Notes & Minutes

Administration

Minutes Approval

Motion to approve minutes of 2017-03-09, 2017-03-02: Andrew moves. Denny seconds.

Motion Carried

Action Item Review


Staff Updates

LC Updates

  • Consent receipt spec will go up for member ballot soon.
  • UMA version 2 will be doing the same within 2-3 weeks
  • IRM report is nearing finalization
  • Block chain draft report nearing finalization soon
  • Discussing next piece of work for consent receipt and a possible GDPR toolkit
  • New Mission Statement: Kantara Initiative is the global consortium improving trustworthy use of identity and personal data through innovation, standardization and good practice
Participant updates

Discussion

Charter vote

Ken will send out the revised charter before we vote. There was a strong recommendation at the LC meeting that each WG charter show how it contributes to the mission statement.

Report from last week's TFTM meeting on IDEF mapping

IDEF mapping - the IDESG Trust Framework and Trust Mark workgroup ran a mapping exercise to see how the KI might meet the requirements of their Identity Ecosystem Framework, and sent it back to us to comment on. IDESG has a self-attestation registry of companies that want to declare that they meet the Identity Ecosystem baseline requirements. The idea is to determine whether a Kantara Initiative assessment could be reused as an assessment against the IDEF. We agreed with most of the suggestions and had a meeting last week to compare notes, read the response, and check notes where they need it. Scott will add the email from Andrew following the call - a list of items that IAWG should consider and how to be prepared. Similar guidance goes to IDESG as well. No major arguments on the call; notes were compared.

Discussion of 800-63C

Collecting comments from those on the call.

Scott - credential generation and other lifecycle issues are missing from the discussion

RGW - agree, not certain those issues need to be in the NIST 800-63 document

Andrew points out 800-63B has a section called lifecycle management.  RGW agrees but notes that there are many requirements stuffed in there.

Ken asks if anything changes if it happens in a federated context as opposed to the context B was written in.

RGW suggests that it depends whether the federation includes requirements to be a member of the club. This is only becoming more of a concern as we read 63B and 63C. Many SHOULD statements - as we know, if it says SHOULD then they probably won't.

Globally we have a comment that SHALL and SHOULD need to be clear. Each distinct SHALL or SHOULD ought to be in a single paragraph.

Andrew observes it's a similar comment to last week - the document is a mixture of explanatory material, guidance material and requirements material.

Ken suggests we could comment recommending that they adopt a normative style.

General agreement that the document is not ready for prime time.

Andrew notes that we appreciate the shift towards normative language in the requirements, but the phrasing of some requirements makes it difficult to have certainty that the implementation meets those requirements. As assessors there is also uncertainty about how to evaluate the conformity.  Uncertainty then leads to inconsistency.

RGW has one other broad topic - 4.2 of 63C - requirements on federal agencies slapped on the end of the section. Perhaps include it in an annex instead of in the rest of the flow of the document. The agency guidance at the end of the privacy section is a non-sequitur with respect to the rest of the document.

Andrew notes that the audience section of 63-3 is blank.

We could use clarity from the authors on when the agency specific text applies.


Next week we will take the first cut at looking at the comments. We can package and submit them early if we're happy with them next week.


Note from Colin - think about the process with this. We can share a thought as to how NIST can improve the process, but it is not always suitable for community comments that way. If we can think of a better suggestion we will suggest that.
AOB

Attachments


Next Meeting

  • Date: Thursday, 2017-03-23
  • Time: 12:00 PDT | 15:00 EDT
  • United States Toll +1 (805) 309-2350
  • Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
  • Conference ID: 613-2898
  • International Dial-In Numbers