2018-02-08 IAWG Minutes

Attendees

Voting participants

Scott Shorter

Richard Wilsher

Mark Hapner


Non-voting participants

Tara Romeo, Experian

Jose Lopez, Zentry 


Staff

Colin Wallis

Ruth Puente 


Agenda

Discussion

a. Approval of 45-day Public Review 63A/B_SAC Disposition of Comments.

b. Approval of 63A_SAC (IAF-1430) and 63B_SAC (IAF-1440)

c. NIST Internal Report (NISTIR) 8112, Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes.

d. Discussion: Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.

e. Next steps evaluating strengths of evidence  

Discussion items

Roll Call: There was no quorum.

63A (1430) and 63B (1440) SACs


  • Editor's comments and observations on drafting will be removed.
  • It was decided to keep columns A to H  that show the source text, the original NIST text, as it would help to have a cross reference between KI criteria and 800-63-3. Also, the participants agreed to hide columns B to H and leave the choice to the user to make them fully visible or not.
  • Scott said we should change "Reviewers guide" to "Users guide"
  • The plan is to initiate an e-ballot and after approval send it to LC for following All Member Ballot. Scott requested Ruth issue the e-ballot and send it to voting participants.
  • Disposition of Comments only applies to 63A as there were no comments on 63B.

NISTIR 8112
  • Scott said that he did not find out what has changed since the last time. It is an interesting idea but short of a framework to use it without more use cases and trust model type content.
  • No action expected just to be aware of it.
Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.

  • The idea is to move some criteria from the CO-SAC to the OP-SAC
  • Richard commented that if a criterion is addressed by 63A or 63B there is no need for it to be in the CO-SAC; if you are not using 63A and 63B we still need this criterion, so we move it into the OP-SAC. He suggested that we look at each criterion and ask, is it addressed in 63A and 63B? If it isn't, we should leave it where it is. If it is, that's the reason for moving it to the OP-SAC.


  • CO-SAC 1410 can be used in the old classic assessment or the 63-A/B assessment.
  • Classic can use the OP-SAC that includes these removed criteria.
  • In the case of an 800-63 rev. 3 assessment we use SAC 1410 + IAF 1430 (63A SAC) and IAF 1440 (63B SAC).
  • Richard suggested aligning the tags but Scott sustained that if it is not a material change we should not change tags, just ensure the language matches 63-2 and 63-3.
Next steps evaluating strengths of evidence  
  • Scott commented that it would be good to have a common understanding on what possible evidence options meet the strengths requirements and be accessible to everyone (white paper).
  • Mark said that he is concerned that from a disclosure requirements perspective, GDPR will become the bar quickly; services provided to Europeans should meet that bar. Therefore, CSP operation would be constrained by this and should be more open with what they are doing, and the level of disclosure of what investigation was done about you in order to issue a credential would be higher. He believes that disclosure requirements about what is going on in the proofing process are significant and it is a higher bar than 800-63-3. He would like to know from the CSPs: How did you validate this? What risk assessment elements did you apply to this?
  • Richard commented that KI requests the CSP to make public the credential policy, so you can see what evidence they would be asking for.
  • Scott suggested we continue this discussion in the next meeting.

Action items

  • @Ruth to create an e-ballot of 63A and 63B and send to voting participants for approval.