IAWG Meeting Minutes 2014-03-13

Kantara Initiative Identity Assurance WG Teleconference


IAWG approval on 2014-03-20


Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: DRAFT IAWG Meeting Minutes 2014-03-06
    4. Action Item Review
    5. Staff reports and updates
    6. LC reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Discussion of the FICAM approval status for IdP/CSPs
    2. Discussion of 2014 Roadmap
  3. AOB
  4. Adjourn

Attendees

Link to IAWG Roster


As of 2014 March 13, quorum is 5 of 9

Myisha was not able to attend the prior two meetings; she is removed from the voting list.

Meeting achieved quorum


Voting

  • Rich Furr (C)
  • Bill Braithwaite
  • Scott Shorter (notes)
  • Matt Thompson
  • Richard Wilsher

Non-Voting

  • Ken Dagg
  • Jeff Stollman

Staff

  • Joni Brennan

Apologies

  • Andrew Hughes (S)

Notes & Minutes

Administration

Minutes Approval

DRAFT IAWG Meeting Minutes 2014-03-06

Motion to approve minutes of 2014-03-06: Scott Shorter
Seconded: Bill Braithwaite
Discussion: ...
Motion Carried

Item 1e Staff Updates

  1. The FICAM draft has moved forward to the ATO process, in particular the ATOS document. Joni requests that IAWG review the service assessment criteria to see if and how they map to the role of an attribute provider. That role is likely tied closely to being an identity provider. There will not be a breakout role for attribute providers that are not identity providers. We have about 5 months to develop a path for members to meet those criteria; ideally an attribute provider could be a standalone service. BOT and ARB will depend on IAWG to identify the path forward.

  2. At the BOT meeting at RSA, the BOT set up two subcommittees, one around approved organizations and a second for the accredited organizations. BOT has received feedback that organizations need the ability to keep conversations confidential when discussing aspects of their proprietary solutions. BOT is asking that committee to develop draft recommendations for SAC to determine a path to a new version of the IAF SACs positioned toward the private sector, outside of FICAM. Those recommendations will be taken as a work item and submitted to the IAWG for wide review, following the Kantara requirements for an open, transparent review process.

Rich inquired whether item 1 can lead to a more global, non-US-centric approach. Joni: Yes, always thought that we should have a multinational focus.

RGW: I put a one-page suggestion to the ARB that we didn't discuss last week. Joni: have not reviewed the doc; the ARB will review it and it will likely be shared with the approved organization subcommittee and the IAWG.

Jeff (?): the new version should not set as high a bar; is this going to be limited to particular levels of assurance? My understanding was that some FICAM-specific stuff is moving to profiles; LOAs will still group the requirements. Joni: aiming to make it as flexible as possible but still componentized in a way that maps to the 4 LOAs. It was IAWG work that informed GSA and Anil John and led to the FICAM updates. We can support FICAM and NIST to help recognize new governance of 800-63 and others.

Ken Dagg: to define 2+ or 3- is a big can of worms.

Joni: No desire to redefine the LOAs; we have a vision of how the work will progress but it's not set in stone. We may develop something that looks like LOA 2+, which governments won't accept. We still believe alternate assurance levels will be able to serve other markets than government. Industry is asking for this and looking for a way to work together. Agree with the comment, but this work is more for innovation and bridging to new spaces.

Ken: if we're looking for innovations in ways to meet the LOAs, that's different from defining a level 2.4. For example, CA did not agree with the NIST definition of LOA2, so they defined their own LOA2.

Rich: as we move forward we must be mindful of assessments and assessment requirements. We're also going through tScheme, and may have to do a DirectTrust assessment. These all cost money; we should look at the AAS to make sure that IdP/CSPs don't have to go through multiple assessments.

Jeff: componentizing will result in us only having to assess the components that are different. Creating new standards is unlikely to support mapping between them; we'll use component A or B, which will both be assessed.

Joni: envisioning developing a core offering with deltas for government compliance. Ways to interoperate with other schemes are a priority. Can't force other programs to accept Kantara's approvals. We can create liaisons and MOUs and leverage that space. Looking for an end state of cross-recognition where organizations do not have to perform multiple assessments.

Joni restates that developing the attribute provider criteria is an Urgent Priority.

Rich concurs and states that adding the NASPO trust bundle and being able to verify all those attributes is not trivial.

LC Updates

Participant updates

Discussion

Rich asks for tweets, receives crickets.


Rich reiterates Joni's focus on the ATOS. He asks if everyone has the ATOS; Rich will forward it to the list. The biggest change is around the provision of verified attributes to relying parties.

Regarding interop testing, Rich asks if KI is planning to perform testing. Joni responds that this is something KI has wanted to do. Liberty Alliance used verified test labs. We'll have to demonstrate we can provide this capability before we will get approved.

Anil will be doing a one hour webinar with CSPs next week explaining the rationale. Peter Alterman of SAFE-BioPharma is pushing for industry collaboration.


Question to Joni on the commercial approach (director's remark 2 above): what's the timeframe? Joni: no expectations, no answer today.


Item 2b) Discussion of 2014 Roadmap

New items for the Roadmap?

  • NEW: FICAM ATOS review and IAF update, high priority; generate a recommendation and plan. Overall deadline is 5 months; generate the recommendation in 2 months.
  • Rich will lead the group since he has been looking into this for a while (he may be able to provide some additional resources from Verizon). Scott and RGW will participate.
  • NEW: Commercial IAF as lower priority, no time frame yet.

RGW's white paper suggested looking at the SAC. The CO-SAC is common between credentialing services. Some of the criteria in the CO-SAC would have no relevance to an attribute service, so leaving them in the CO-SAC is an issue. RGW suggests reviewing the CO-SAC to make it a core SAC (e.g. risk assessment etc.). That could be the organizational basis for an attribute service provider. There would be modules that define the technical attribute parts of the attribute service.

Ken: the biggest issue with respect to modularization is agreement that those are the right modules. If that's established, which elements are associated with which modules is the next logical step, as well as here are the SACs for attribute provider, token provider, credential provider, identity provider or whatever else. We took the modular work as far as we took it.

RGW: the modular work is overlooking tScheme's approach. Rich Furr appreciates that comment and recalls discussion of cross-recognition between tScheme and Kantara. Joni is working with the UK government on how to approach this moving forward.

Scott mentions that developing a core is not independent of developing a core SAC. Ken agrees, with the proviso to recognize RGW's comment above about removing credential-specific language from the CO-SAC.


Scott moves to adjourn. Matt seconds.

Initial items for discussion




From email:

A couple of thoughts on the roadmap.

1) I think the RP work should be extended to APs as well.
2) I think a mapping to tScheme would really really help the Brits in their endeavours (to say nothing of the IdPs who face the prospect of dual approvals if operating in both continents) and collectively take us closer to pan-jurisdiction federation.


From email:

I agree with Colin that the requirements APs have of RPs should be part of the definition of RP requirements.

I also agree that a mapping to tScheme should be made an item in the roadmap. I believe that this mapping will be a key component in identifying which components of the IAF are part of the core and which should be part of a profile, whether the FICAM or tScheme profile.


AOB


Carry-forward Items

Item 2a) Discussion of the FICAM approval status for IdP/CSPs

The GSA ISS/FCCX procurement has been cancelled “because none of the respondents have yet met the requirement to be a FICAM Trust Framework Solutions Approved Credential Service Provider (CSP) at non-PKI assurance levels 2 and 3.”


Attachments


Next Meeting

  • Date: Thursday, 2014 03 20
  • Time: 09:00 PDT | 12:00 EDT | 16:00 UTC **** Note: the meeting is tied to Eastern Daylight Time; your local meeting time may have shifted!
  • United States Toll +1 (805) 309-2350
  • Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
  • Conference ID: 613-2898
  • International Dial-In Numbers