IAWG Meeting Minutes 2015-04-30
Kantara Initiative Identity Assurance WG Teleconference
Date and Time
- Date: Thursday, 2015-04-30
- Time: 12:00 PST | 15:00 EST | 20:00 UTC (Time chart - US Standard Time )
- Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
- United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481- Conference ID: 613-2898
- International Dial-In Numbers
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Minutes approval:
- Action Item Review
- Staff reports and updates
- Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Discussion
- AOB
- Adjourn
Attendees
Link to IAWG Roster
As of 2015-01-22, quorum is 6 of 11
Use the Info box below to record the meeting quorum status
Meeting achieved quorum
Voting
- Scott Shorter
- Andrew Hughes
- Lee Aber
- Ken Dagg
- Cathy Tilton
- Devan Kusek
Non-Voting
- Steve Skordinski
- Ann Racuya-Robbins
- Steve Loshenski from Internet Society
Staff
Regrets
- None
Notes & Minutes
Discussion
Andrew Hughes - please don't redefine authentication. Does not believe the definition is accurate. Electronic authentication is comparison of something the verifier knows with something that the verifier can prove. Within matching limits. 1. Identification, how to narrow it down to a single entity.
Wouldn't go as far as to say identification in the larger scope
Ken: the comments to make to NIST is a clear separation of the terms. International specifications. Clearly using. Comment that existing definitions should be used. Several simple models proposed that have been in use, a matter of getting to principles of those models. Separating token from credentials from binding models.
Scott suggests comment or changing model to adknowledge that identity provider is multiple concepts, identity proofing service provider as well as the entitiy that maintain the binding.
Cathy mentions that the definition of credentials and tokens and issuance. The paradigm is somewhat reversed.
Ken suggests getting to the state where future technologies can be incorporated without modifying the document. Risk mitigating authentication supporting technologies.
Andrew says a challenge with the document is that is it broadly used without knowledge of the underlying risk profile. The risk profile is understood to be risk profiles. When applying the doc to a non federal agency there is no way to create a risk profile.
Ken suggests suggests that commercial authentication is not part of what the doc should be aspiring to. The profile needs to be created for non commercial use, but the risk profile should be based on the level of assurance that has been provided.
Angela Rey says this may be an example of failures in the risk mitigation process. Financial process has lack of consistency in risk profiling different systems. E.g. Invoicing systems are implemented in silos and this can result in incompatible implementations, external access is provided to vendors, contractors, grantors, identity organizations are at different levels of assurance for different agencies. There's a lot of duplication of effort and lack of consistency how the exact same. Ken responds that sharing best practices is a good effort, in his opinion it is more the lack of a user group in the discipline that try to resolve the issues but don't arrive at same understanding of what the risks are. Different agencies will interpret things different things differently and result in different loa guidelines.
Andrew asks a question about 800-63. Relationship of docs to FICAM process. What is difficult when doing an assessment for FICAM, what should be fixed that's making it hard to make the assessments.
Cathy could use greater document organization, helping to understand what is required and when.
Ken thinks that anything that helps tighten things to help not have to interpret if you're compliant.
Cathy, commercial applicability. Cathy thinks there is a need for commercial usefulness. Even this was originally to answer the mail on 0404. Because of NISTs function in the Department of commerce.
Angela cites EO 13681 which requires chip and pin emv.
GSA smart pay RFI for improving the authentication process. Looking for improved methods of conducting transactions online. How can they better track their fleet? How to decrease fraud in credit card transactions. 3.5% of federal payments are lost in transit.
Make agenda item to discuss how to vote on this.
Ken notes that privacy is a concern, does it belong in 800-63 or should it be addressed by another special publication. Document should be privacy respecting, not sure the what has been defined.
FICAM TFPAP 2.0.2 pulled in FIPPS with NSTIC. Privacy requirements focus on govt to citizen, move to business are different. Ncitizen to business and business to government.
Ken thanks for a great discussion, ways of moving forward.
AOB
Carry-forward Items
Scott to revise comments in light of this week's discussion and email traffic.
Attachments
Next Meeting
- Date: Thursday, 2015-05-07
- Time: 12:00 PT | 15:00 ET | 20:00 UTC (Time chart - US Standard Time)
- Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
- United States Toll +1 (805) 309-2350
- Alternate Toll +1 (714) 551-9842
Skype: +99051000000481- Conference ID: 613-2898
- International Dial-In Numbers