IAWG Meeting Notes 2015-07-16
Kantara Initiative Identity Assurance WG Teleconference
Date and Time
Date: Thursday, 2015-07-16
Time: 12:00 PST | 15:00 EST | 20:00 UTC (Time chart - US Standard Time )
Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
Conference ID: 613-2898
Agenda
Administration:
Roll Call
Agenda Confirmation
Minutes approval:
Action Item Review
Staff reports and updates
Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
Discussion
Service Assessment Controls
IAWG review of NIST 8062 Privacy Risk Management for Federal Information Systems
Discussion of potentially merging Kantara IAF with PKI governance model
FISMA security controls and evaluation methodology
Review of 2015 objectives
AOB
Adjourn
Attendees
Link to IAWG Roster
As of 2015-01-22, quorum is 6 of 11.
Meeting did not achieve quorum
Voting
Ken Dagg (C)
Andrew Hughes (VC)
Adam Madlin
Richard Wilsher
Scott Shorter
Non-Voting
Peter Alterman
Staff
Ruth Puente
Regrets
None
Voting Members for Cut/Paste
Ken Dagg (C)
Andrew Hughes (VC)
Scott Shorter (S)
Rich Furr
Paul Calatayud (VC)
Devin Kusek
Adam Madlin
Kenneth Myers
Richard Wilsher
Lee Aber
Selected Non-Voting members for Cut/Paste
Bill Braithwaite
Björn Sjöholm
Susan Schreiner
Jeff Stollman
Notes & Minutes
We moved Cathy Tilton and Kenneth Myers to non-voting status.
Administration
Minutes Approval
Motion to approve all minutes: Richard Wilsher
Seconded: Adam Madlin
Discussion:
Motion Carried | Carried with amendments | Defeated
Action Item Review
See the Action Items Log wiki page
Staff Updates
Kantara attended CIS
Assurance program is busy; the pipeline continues to grow
There are a number of reviews of the program going on
Joni Brennan expressed her thanks to Cathy Tilton
ARB and Leadership Council (LC) Updates
ARB pipeline is full, next meeting first week of August
LC met yesterday; some wrap-up work after the virtual plenary, producing quarterly reports. New workgroup approved - uma-dev will develop code libraries and APIs. New group created for new IPR license to release code. Congrats to Eve Maler for this achievement.
LC is working with board of trustees to determine how to handle portability of information between different information property regimes
Participant updates
Discussion
SAC
RGW: three things going on
editorial or technical changes in current draft
Ken's proposition to recast the SAC as a spreadsheet / hypertext form
Define a set of criteria that were core for the annual conformity review
Regarding the first item - Andrew asks do we have a list of changes? RGW responds that he circulated the editor's version recently. There's been an opportunity to review.
Joni is concerned about losing issues - who is keeping track of issues? Ruth can provide issue tracking.
We need to come up with a way to create issues and get them in the queue.
Andrew points out that a release schedule could manage the amount of changes that impact the approved systems.
Ken mentions that IAWG had done issue tracking previously, using the built-in tools of the Confluence platform. We could bring that back if that makes sense. A publicly available table that lives in the IAWG wiki could probably be used for issue tracking.
Andrew asks what is a good release process. Errors/errata can be published; criteria changes that have an effect should be published in the body of the work once approved. Not sure how this fits with the public review process. If IAWG decides on a change, what are the review cycles required to happen?
RGW notes that documents are either approved by ARB or go through a public review. When a document is released the tickets it has incorporated are closed.
Joni describes the 45 day comment paper. CSPs have a period of time to obtain compliance with the new criteria.
Andrew suggests setting a date target, and comments that are ready to be resolved are rolled in to the next stage of the process.
Andrew asks if we should set a date for publication?
RGW responds that we need a version 5 that IAWG considers to be stable, but we have a few items for discussion that need to be resolved.
Andrew suggests we table this to get on to the next point.
Ken's opinion is that the target should be to go to 45-day review around early-to-mid September. Agree to table.
Ken's proposition to recast the SAC in a new format. RGW pointed out that tool development would need to be funded in order to happen in short order.
Joni says that IAWG can capture feature sets and submit that to the conversation that Eve has started.
Ken mentions that the core criteria was discussed with the ARB. Issuance, trusted roles and revocation criteria are considered core criteria. A grantee's license is for 3 years. First assessment is a full assessment, 2nd and 3rd ACR are half of the criteria. These core criteria are core to ensure the licensees are maintaining their criteria.
RGW says that the ARB maintains the Rules for Assessments (RAA), which is being updated to give more definitive guidance on how ACRs should be performed. According to the new draft, there should be a site visit on first review for AL2+, and the need for an onsite review during ACRs should be considered at AL3+.
RGW asks whether the core area will be variable by assurance level or not.
Ken suggests we table for now, review and pass it.
RGW states that a formal request will come from the ARB before long.
RGW says that the RAA will describe the process. The SAC could be updated to flag which ones are mandatory.
Ken opines that the RAA is the best place to capture it all.
Time ran out without further resolution.
It was moved to resume a weekly meeting schedule, passed without objection.
NISTIR 8062
AOB
Carry-forward Items
Attachments
Next Meeting
Date: Thursday, 2015-07-23
Time: 12:00 PT | 15:00 ET | 20:00 UTC (Time chart - US Standard Time)
Time: 12:00 PDT | 15:00 EDT | 19:00 UTC (Time chart - US Daylight Saving Time )
United States Toll +1 (805) 309-2350
Alternate Toll +1 (714) 551-9842
Skype: +99051000000481
Conference ID: 613-2898