IAWG Meeting Minutes 2011-03-23

Voting:
John Bradley
Patrick Curry
Myisha Frazier-McElveen
Rich Furr

Non-Voting:
Rainer Hoerbe
Bill Braithwaite
Ben Wilson
Tom Smedinghoff
Mark Lizar
Pete Palmer

Apologies:
Richard Trevorah
Ken Dagg

Staff:
Joni Brennan
Anna Ticktin

1. ADMINISTRATIVE:

Announcements : LC ratified the SAC Profiling Guidance Report

Action Item Review:

ACTION ITEM 20110316-Myisha : will circulate a starter list of FAQs for the IAWG to provide feedback. Progressed.
ACTION ITEM 20110316-02 Anna : will coordinate that feedback and expand it to the IAWG wiki space for practical application. Pending IAWG responses to action 20110316-01.

2. RP SCOPE REVIEW AND DISCUSSION

Question: How are we coordinating efforts between the overlap of IAWG, P3 efforts and TFW MM?
There is a new LC subcommittee that will oversee the inter-dependencies between WGs and provide guidance.

Additionally, there is a real need to define the scope of the IAWG effort:
1. Does the IAWG focus efforts in drafting RP guidelines as relates strictly to Identity Assurance, or---?
2. Does the IAWG draft a super-document inclusive of privacy, data protection, identity-- all potential components of TFWs, thus combining all WG efforts--?

Conclusions: IAWG will draft it's RP Guidelines scope, socialize that with other TFW touching groups within Kantara, identify the gaps and overlaps, then elevate that to the LC-TFW subcommittee for direction on a way forward.

The IAWG further discussed obligations of RPs and identified some business cases for protecting PII to further determine the scope.

Question: So what should this document's scope include---?
Response: It should include specific business cases behind RP guidelines.( Example: LOA 2 to avoid providing dubious assurance to RPs...)
Also: The work group must determine if it wants to create guidelines toward the ISO standard for PF certification. Mark Lizar will socialize to P3.

Some proposed use cases that could land as examples in the draft documentation:
ACTION ITEM 20110323-01 John Bradley---will send info of pay pal use case to the group.
ACTION ITEM 20110323-02 Bill Braithwaite---will send use cases to the list that include two different types of interaction with the CSP; one where the RP provides the attributes and asks for verification of identity, the other where the RP is asking for attributes about an identity that it does not already have.

3. FEEDBACK MATRIX

Myisha introduced the matrix currently circulating via the list and has asked that members review, provide feedback and be otherwise prepared to discuss on the next call.

ACTION ITEM 20110323-03 Anna — will parse responses from email thread into the comment form / wiki as members provide their feedback.

4. AOB

Summary:
The IAF is limited to the identity proofing part of an authentication assurance for individuals
The IAF defines a policy for each Level of Assurance using SAC
Such a policy is incomplete to assure to a RP that access to a resource is only granted to the subject in following cases:
1. Session-centric use case: The transaction has to be confined to the authenticated user beyond the authentication instant
2. Subjects other than individuals (companies, devices)
3. Reliance on attributes that cannot be part of a credential
4. Reliance on provisioning processes at the subject's home organization (granting and revocation of authZ attributes)

Either the IAF's LoA are restricted to the defined scope - then we need make clear that RPs will need to deploy other Level of Something for their risk mitigation. Or the scope needs to be adapted.

Joni suggests this sounds like an agenda item for the TFW MM WG or the LC TFW Subcommittee.

These groups will be tasked with providing the overarching guidance on such questions as "What is a TFW? What are its components? How are they "operationalized"?

WG - Identity Assurance New