Kantara Initiative Identity Assurance WG Teleconference

Date and Time

Date: Thursday, 2015-04-30
Time: 12:00 PST | 15:00 EST | 20:00 UTC (Time chart - US Standard Time )
Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers

Agenda

Administration:
1. Roll Call
2. Agenda Confirmation
3. Minutes approval:
4. Action Item Review
5. Staff reports and updates
6. Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
AOB
Adjourn

Attendees

Link to IAWG Roster

As of 2015-01-22, quorum is 6 of 11

Use the Info box below to record the meeting quorum status

Meeting achieved quorum

Voting

Scott Shorter
Andrew Hughes
Lee Aber
Ken Dagg
Cathy Tilton
Devan Kusek

Non-Voting

Steve Skordinski
Ann Racuya-Robbins
Steve Loshenski from Internet Society

Staff

Regrets

None

Notes & Minutes

Discussion

Andrew Hughes - please don't redefine authentication. Does not believe the definition is accurate. Electronic authentication is comparison of something the verifier knows with something that the verifier can prove. Within matching limits. 1. Identification, how to narrow it down to a single entity.

Wouldn't go as far as to say identification in the larger scope

Ken: the comments to make to NIST is a clear separation of the terms. International specifications. Clearly using. Comment that existing definitions should be used. Several simple models proposed that have been in use, a matter of getting to principles of those models. Separating token from credentials from binding models.

Scott suggests comment or changing model to adknowledge that identity provider is multiple concepts, identity proofing service provider as well as the entitiy that maintain the binding.

Cathy mentions that the definition of credentials and tokens and issuance. The paradigm is somewhat reversed.

Ken suggests getting to the state where future technologies can be incorporated without modifying the document. Risk mitigating authentication supporting technologies.

Andrew says a challenge with the document is that is it broadly used without knowledge of the underlying risk profile. The risk profile is understood to be risk profiles. When applying the doc to a non federal agency there is no way to create a risk profile.

Ken suggests suggests that commercial authentication is not part of what the doc should be aspiring to. The profile needs to be created for non commercial use, but the risk profile should be based on the level of assurance that has been provided.

Angela Rey says this may be an example of failures in the risk mitigation process. Financial process has lack of consistency in risk profiling different systems. E.g. Invoicing systems are implemented in silos and this can result in incompatible implementations, external access is provided to vendors, contractors, grantors, identity organizations are at different levels of assurance for different agencies. There's a lot of duplication of effort and lack of consistency how the exact same. Ken responds that sharing best practices is a good effort, in his opinion it is more the lack of a user group in the discipline that try to resolve the issues but don't arrive at same understanding of what the risks are. Different agencies will interpret things different things differently and result in different loa guidelines.

Andrew asks a question about 800-63. Relationship of docs to FICAM process. What is difficult when doing an assessment for FICAM, what should be fixed that's making it hard to make the assessments.

Cathy could use greater document organization, helping to understand what is required and when.

Ken thinks that anything that helps tighten things to help not have to interpret if you're compliant.

Cathy, commercial applicability. Cathy thinks there is a need for commercial usefulness. Even this was originally to answer the mail on 0404. Because of NISTs function in the Department of commerce.

Angela cites EO 13681 which requires chip and pin emv.

GSA smart pay RFI for improving the authentication process. Looking for improved methods of conducting transactions online. How can they better track their fleet? How to decrease fraud in credit card transactions. 3.5% of federal payments are lost in transit.

Make agenda item to discuss how to vote on this.

Ken notes that privacy is a concern, does it belong in 800-63 or should it be addressed by another special publication. Document should be privacy respecting, not sure the what has been defined.

FICAM TFPAP 2.0.2 pulled in FIPPS with NSTIC. Privacy requirements focus on govt to citizen, move to business are different. Ncitizen to business and business to government.

Ken thanks for a great discussion, ways of moving forward.

AOB

Carry-forward Items

Scott to revise comments in light of this week's discussion and email traffic.

Attachments

Next Meeting

Date: Thursday, 2015-05-07
Time: 12:00 PT | 15:00 ET | 20:00 UTC (Time chart - US Standard Time)
Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
- Conference ID: 613-2898
International Dial-In Numbers

Browser not supported