IAWG Meeting Minutes 2013-11-07

Kantara Initiative Identity Assurance WG Teleconference

 

IAWG approved on 21 November 2013

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: IAWG Meeting Minutes 2013-10-31
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Status of DC F2F IAWG 13 November 2013
    2. Status update on Resilient Trust Network sub-group progress
    3. Richard Wilsher's Antecedent Theorem thread 
  3. AOB
    1. Modular IAF paper status
  4. Adjourn

 Attendees

Link to IAWG Roster

As of 1 July 2013, quorum is 5 of 9

 

Meeting achieved quorum

Voting

  • Myisha Frazier-McElveen (C)
  • Rich Furr (V-C)
  • Andrew Hughes (S)
  • Richard Wilsher
  • Bill Braithwaite
  • Scott Shorter
  • Matt Thompson
  • Cathy Tilton

Non-Voting

  • Matt Woodhill
  • Kenneth Myers

Staff

  •  

Apologies

  • None

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2013-10-31

Motion to approve minutes of 2013-10-31: Rich Furr
Seconded: Matt Thompson
Discussion: None
Motion Passed 

Action Item Review

See the Action Items Log wiki page

Staff Updates

LC Updates
  • No LC meeting this period
Participant updates
  • Andrew reported that he has been assigned as the liaison from IDESG to Kantara.

Discussion

DC F2F IAWG 13 November 2013
  • Joni sent the info for the session to the list - very limited space so please RSVP to Joni
  • Morning is FCCX discussion
  • Afternoon is digging into the Modular IAF
  • Please send written comments to Myisha or Joni to read into the meeting
Status update on Resilient Trust Network sub-group progress
  • Work will pick up on 2014Q1
Richard Wilsher's Antecedent Theorem thread 
  • 'Current relationship' and 'affiliated relationship' criteria in the 800-63-2 IAF mapping require clarity on 'antecedent' data
  • 'Enterprise antecedent' == 'affiliated relationship' are covered in the FB Supplemental Guidance
  • Furr - thinks that it will be difficult to map this to 800-63-2 because it was developed by the FBCP working group
  • Furr - please refer to the Federal Bridge guidance doc for the definition of 'antecedent data' - only applies to LOA2 LOA3 (equivalent to LOW and MEDIUM FBCA levels)
  • Furr - in the prior 9 years the individual must have gone through a face-to-face identity proofing by a qualified individual
  • This is not at odds with 800-63-2, but 800-63-2 does not have specific guidance related to antecedent data - that's why the FBCA did the work to write the guidance document
  • Furr - in Enterprise case, the Department of Homeland Security requirement to complete I-9 data by Human Resources dept - this is acceptable for use as antecedent data
  • Furr - if non-Enterprise case - can use identity verifiers (Lexis Nexis, Experian, Equifax etc) - they will build a set of 7 KBA questions that the individual must pass (4 out of 5) within 2 minutes & fallback processes that on failure the individual must go face to face with a Notary
  • Wilsher - all the guidance will fit within the IAF
  • Wilsher - the FBCA guidance is jurisdiction-specific but IAF should be non-specific to jurisdiction - the FBCA guidance specifics should go into a US Federal Profile
  • Issue is: should Kantara put that level of detail in the SAC? e.g. the I-9 is a US Process so should not be in Kantara SAC
  • Need to ensure that what is introduced into SAC does not break implemented arrangements/agreements
  • If the level of detail in SAC is high-level it should work - the specific implementation could fit within
  • Wilsher will draft material for antecedent data for LOA2/LOA3 on this and submit it for review (does this go into 45 day review? or IAWG first?)
  • After discussion: material will go into SAC draft for 45 day review directly

AOB

Modular IAF paper status
  • Andrew gave a quick overview of the current status of the paper
Discussion on 'non-PKI' LOA
  • Cathy requested clarification on the term "LOA3 non-PKI"
  • This is a FICAM designation - will only recognize PKI credential that falls under the Federal Bridge PKI scheme
