IAWG Meeting Minutes 2015-04-23

Kantara Initiative Identity Assurance WG Teleconference

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: 
    4. Action Item Review
    5. Staff reports and updates
    6. Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1.  Plan for response to NIST 800-63 RFC
  3. AOB

 Attendees

Link to IAWG Roster

As of 2015-01-22, quorum is 6 of 11

Meeting did not achieve quorum.

Voting

  • Ken Dagg (C)
  • Scott Shorter (S)
  • Adam Madlin
  • Cathy Tilton

Non-Voting

  • Peter Alterman
  • Angela Rey
  • Ann Racuya-Robbins

Staff


Regrets

  • Andrew Hughes
  • Richard Wilsher

Notes & Minutes

Administration 

Minutes Approval

No motion to approve.

Action Item Review

See the Action Items Log wiki page

Staff Updates

Leadership Council (LC) Updates
  • The Kantara liaison subcommittee reports that comments were submitted on ISO/IEC 29003.
  • Peter Alterman points out that identity proofing has been put into operation by many entities; rather than capturing the lessons learned, the document seems to try to create a new intellectual structure for identity proofing. Section 6.2 has a table with "core", "additional" and "identity proofing process" categories. The categorization is not useful, national schemes often do specify national schemes, the concept of unique identity is used in a context not previously defined in the document, and the inclusion of identity proofing processes creates unnecessary processes. Uniqueness comes from validated expressions of identity. Proofing identity requires establishing uniqueness, which is achieved by validated assertion of entity descriptors.
ARB

The ARB is working through a number of CSP applications as well as a number of assessor organizations.

Discussion

Process for commenting on the NIST SP 800-63 RFC. Scott offered to produce and compile comments.

Angela Rey asks what format the comments should be submitted in. Scott says any format will be accepted.

Ken mentions outcome-based requirements: for example, there should be data retention, but the document does not have to specify the exact retention period.

The idea behind the FICAM program was to create a lightweight method for scalable CSP assurance. The application provider was supposed to state what they comply with and what provides a comparable result. That was the model that turned into TFPAP 1.0: tell the government how you get a comparable result by doing it differently than NIST describes. Kantara turned that into a book of SAC which tells the assessor how to assess. This does away with the concept of a competent assessor.

Concepts of different levels of assurance for identity proofing.

Angela Rey raises a question about the scope of SP 800-63. An executive branch agency claims it does not have to follow SP 800-63. Special Publications are not mandatory in the way Federal Information Processing Standards (FIPS) are.

Question about whether to recommend that the document be made mandatory. Angela points out that agencies are being set up that have a low level of identity proofing. Peter Alterman points out that a government agency setting itself up as a CSP violates the model that e-authentication has followed for some time.

Ken points out that CA taxpayers were paying approx. $600M for login, and the cost went down to $17M.

Discussion of when SP 800-63 is required. Scott presents the idea of an authentication standard as a way to measure the risk mitigation quality of a CSP's processes.

Peter brings up ISO/IEC 29115, which is based on risk and risk mitigation.

Scott offers to produce the comments by 5/7/2015. Minority opinions will be presented as well as the consensus.

AOB
Next Meeting