IAWG Meeting Minutes 2017-04-13
Kantara Initiative Identity Assurance WG Teleconference
Date and Time
- Date: Thursday, 2017-04-13
- Time: 12:00 PT | 15:00 ET (time zone calculator)
- Please join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/380672837
- You can also dial in using your phone. United States: +1 (312) 757-3119 (more phone numbers)
- Access Code: 380-672-837
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Minutes Approval:
DRAFT IAWG Meeting Minutes 2017-04-06
DRAFT IAWG Meeting Minutes 2017-03-30
DRAFT IAWG Meeting Minutes 2017-03-23 - Action Item Review: action item list
- Organization Updates - Director's Corner
- Staff reports and updates
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Discussion
- Gather comments on the Revised Draft of the parent document for Special Publication 800-63-3 (attached).
- AOB
Attendees
Link to IAWG Roster
As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)
Meeting did not achieve quorum
Voting
- Andrew Hughes
- Denny Prvu
Non-Voting
- Angela Rey
- Boris Kronrod
Staff
- Colin Wallis
- Ruth Puente
Apologies
- Ken Dagg
Notes & Minutes
Discussion
800-63-3
- NIST updated the risk assessment section and asked for additional review of the parent document for Special Publication 800-63-3, whose comment period closes May 1, 2017. Andrew believes that this is a initial step between NIST and OMB to begin the update of the binding Memo 0404 from the EO 2003 (Assurance Levels and Risk Assessments).
- It was shared the NIST note on the changes made to the parent document: http://trustedidentities.blogs.govdelivery.com/2017/03/31/a-minor-plot-twist-comment-period-extended-for-part-of-sp-800-63-3
The plan is to start collecting and organizing the comments, and by April 27th work on the consolidation of comments. Andrew encouraged the IAWG to send comments to the mailing list before the meetings.
Risk assessment and future Kantara approach
- Andrew provided an overview of the initiative to create a structure mapping between the KI IAF and other frameworks towards the improvement of comparability and IAF.next project
- KI assessment framework and the associated program need to be updated.
- During the TIIME Meeting it was discussed the need to work together and find common ground within the informal profiles based or inspired in KI IAF. The interested parties will meet during Internet2 Global Summit and start creating a straw man for a structure mapping between the frameworks and the KI IAF, including a common catalogue of risks. They will seek for common approaches, common requirements and work together on developing the next stage that would imply updates, transformation and modernization of the frameworks.
- Andrew pointed out that the SAC is clearer for assessors. The requirement is implied in the criteria but not stated. He is trying to document the requirements.
- Assurance Levels are defined as a result of a risk assessment but all the frameworks are written and organized as if there was not risk assessment.
- If we have a universal set of requirements for the functions involved in federation, and we have a mechanism for the risk analysis, any federation could come up with the number of levels they want. Instead of pre writing the criteria, 800-63 levels and common levels, it is an opportunity to focus on a standardized way of doing the risk analysis and come up with levels from which you can tailor a base of criteria.
- The requirements are universal but the control and technologies applied are specific to the federation.
- One of the main objectives of the initiative is to make the KI IAF more universal.
- Colin commented that KI is seeking funding for this work.
Next Meeting
- Date: Thursday, 2017-04-20
- Time: 12:00 PT | 15:00 ET