IAWG Meeting Notes 2015-07-16

Kantara Initiative Identity Assurance WG Teleconference


Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: 
    4. Action Item Review
    5. Staff reports and updates
    6. Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Service Assessment Controls
    2. IAWG review of NIST 8062 Privacy Risk Management for Federal Information Systems
    3. Discussion of potentially merging Kantara IAF with PKI governance model
    4. FISMA security controls and evaluation methodology
    5. Review of 2015 objectives
  3. AOB
    1.  
  4. Adjourn

Attendees

Link to IAWG Roster

As of 2015-01-22, quorum is 6 of 11.  


Meeting did not achieve quorum

Voting

  • Ken Dagg (C)
  • Andrew Hughes (VC)
  • Adam Madlin
  • Richard Wilsher
  • Scott Shorter

Non-Voting

  • Peter Alterman

Staff

  • Ruth Puente

Regrets

  • None

Voting Members for Cut/Paste

  • Ken Dagg (C)
  • Andrew Hughes (VC)
  • Scott Shorter (S)
  • Rich Furr
  • Paul Calatayud (VC)
  • Devin Kusek
  • Adam Madlin
  • Kenneth Myers
  • Richard Wilsher
  • Lee Aber

Selected Non-Voting members for Cut/Paste

  • Bill Braithwaite
  • Björn Sjöholm
  • Susan Schreiner
  • Jeff Stollman


Notes & Minutes

We moved Cathy Tilton and Kenneth Myers to non-voting status.

Administration 

Minutes Approval


Motion to approve all minutes: Richard Wilsher
Seconded: Adam Madlin
Discussion: 
Motion Carried | Carried with amendments | Defeated

Action Item Review

See the Action Items Log wiki page

Staff Updates

  • Kantara attended CIS
  • The Assurance program is busy; the pipeline continues to grow
  • There are a number of reviews of the program going on
  • Joni Brennan expressed her thanks to Cathy Tilton
ARB and Leadership Council (LC) Updates
  • ARB pipeline is full, next meeting first week of August
  • LC met yesterday, doing some wrap-up work after the virtual plenary and producing quarterly reports. A new work group was approved: uma-dev will develop code libraries and APIs. A new group was created for a new IPR license to release code. Congratulations to Eve Maler for this achievement.
  • LC is working with the Board of Trustees to determine how to handle portability of information between different intellectual property regimes
Participant updates

Discussion

SAC

RGW: three things going on

  1. Editorial or technical changes in the current draft
  2. Ken's proposition to recast the SAC as a spreadsheet / hypertext form
  3. Defining a set of criteria that are core for the annual conformity review

Regarding the first item: Andrew asks whether we have a list of changes. RGW responds that he circulated the editor's version recently, so there has been an opportunity to review.

Joni is concerned about losing issues: who is keeping track of them? Ruth can provide issue tracking.

We need to come up with a way to create issues and get them in the queue.

Andrew points out that a release schedule could manage the amount of changes that impact the approved systems.

Ken mentions that IAWG had done issue tracking previously, using the built-in tools of the Confluence platform. We could bring that back if that makes sense. A publicly available table that lives in the IAWG wiki could probably be used for issue tracking.

Andrew asks what a good release process would be. Errors/errata can be published as they are found; criteria changes that have an effect should be published in the body of the work once approved. It is not clear how this fits with the public review process: if IAWG decides on a change, what review cycles are required to happen?

RGW notes that documents are either approved by ARB or go through a public review. When a document is released the tickets it has incorporated are closed.

Joni describes the 45-day comment period. CSPs have a period of time to obtain compliance with the new criteria.

Andrew suggests setting a target date; comments that are ready to be resolved are rolled into the next stage of the process.

Andrew asks whether we should set a date for publication.

RGW responds that we need a version 5 that IAWG considers to be stable, but we have a few items for discussion that need to be resolved.

Andrew suggests we table this to get on to the next point.

Ken's opinion is that the target should be to go to 45-day review around early to mid September. Agreed to table.

On Ken's proposition to recast the SAC in a new format, RGW pointed out that tool development would need to be funded in order to happen in short order.

Joni says that IAWG can capture feature sets and submit that to the conversation that Eve has started.

Ken mentions that the core criteria were discussed with the ARB. Issuance, trusted roles and revocation criteria are considered core criteria. A grantee's license is for 3 years. The first assessment is a full assessment; the 2nd and 3rd ACRs cover half of the criteria. The core criteria are assessed every time to ensure that licensees are maintaining conformance.

RGW says that the Rules for Assessments (RAA), which the ARB maintains, is being updated to give more definitive guidance on how ACRs should be performed. According to the new draft, there should be a site visit on first review for AL2+, and the need for an onsite review during ACRs at AL3+ should be considered.

RGW asks whether the core area will be variable by assurance level or not.

Ken suggests we table this for now, then review and pass it.

RGW states that a formal request will come from the ARB before long.

RGW says that the RAA will describe the process. The SAC could be updated to flag which criteria are mandatory.

Ken opines that the RAA is the best place to capture it all.

Time ran out without further resolution.

It was moved to resume a weekly meeting schedule, passed without objection.

NISTIR 8062

AOB


Carry-forward Items


Attachments


Next Meeting