/
IAWG Meeting Minutes 2014-11-13

IAWG Meeting Minutes 2014-11-13

Nov 20, 2014

Kantara Initiative Identity Assurance WG Teleconference

1 Date and Time | 2 Agenda | 3  Attendees | 4 Minutes Approval | 5 Staff Updates | 6 Participant Updates | 7 AOB | 8 Carry-forward Items | 9 Attachments | 10 Next Meeting

 

Meeting Minutes approved 2014-11-20

 

Date and Time

Agenda

  1. Administration:

    1. Roll Call

    2. Agenda Confirmation

    3. Minutes approval: IAWG Meeting Minutes 2014-10-23

    4. Staff reports and updates

  2. Discussion

    1.  Review of joint TFP submission to FICAM TFS regarding criteria assignments to service provider roles.

  3. AOB

    1.  

  4. Adjourn

 Attendees

Link to IAWG Roster

As of 2014-09-29, quorum is 8 of 14

Use the Info box below to record the meeting quorum status

Meeting achieved quorum

 

Voting

  •  

  • Rich Furr ( C)

  • Andrew Hughes (S)

  • Ken Dagg

  • Matt Thompson

  • Cathy Tilton

  • Devin Kusek

  • Scott Shorter

  • Richard Wilsher

  •  

Non-Voting

  •  

  • Björn Sjöholm

  • Peter Alterman

  • Lee Aber (ID.me)

Staff

  •  Joni Brennan

Regrets

  • None

 

 

Notes & Minutes

Administration 

Minutes Approval

IAWG Meeting Minutes 2014-10-23

Motion to approve minutes of 2014-11-13: Shorter
Seconded: Kusek
Discussion: None
Motion Carried 

Staff Updates

  • Events

    • IRM Conference - well attended

    • CA World

    • PII2014 

  • Board of Trustees has done a review of policies and procedures - plan to work with LC to update/refine

  • OpenUMA is now live - hosted at ForgeRock

  • Presidential Executive Order in October directed at Federal agencies requirement to plan for and implement MFA

Participant Updates

  • ID.me announcement: ID.me has chosen a new VP of Security and Risk Management: Lee Aber

    • Strong background, great contacts

Discussion

  • FICAM TFPAP v2.1 split the CSP into several roles

  • This work is a response to FICAM TFS on the TFP proposal on how to map TFPAP requirements to those new roles

  • This should help to ensure alignment and cross-recognition between TFP applicants and approved service providers

    • i.e. If two different approved service components are approved by different FICAM TFPs, they should be allowed to apply for FICAM approval directly

    • The assessor would only have to examine the 'glue' requirements that are not part of one or the other role

  • Review the "FICAM Requirements Spreadsheet for IAWG Processing 111214.xls"

    • This work serves the immediate needs for FICAM TFS and the TFPs - there are longer term objectives still to be addressed

  • Comment: the requirements on the T M tab appear to be related to components other than the T M 

  • Question: are there requirements that applied to both IM and T M

    • A: The terms in the text were updated to the new meanings before mapping

  • Comment: This analysis is being done in the context of Kantara and SAFEBioPharma only. FICAM TFS would need to incorporate this into future versions of TFPAP to have best effect.

  • Comment: The next step is for the TFPs to map their own criteria to this component mapping

    • One approach: from the bottom up, the 'Receiving' assessor should act as the glue & use the already-assessed criteria as input into the final assessment of the combined entity (and so would not double-assess any entity)

      • i.e. from the full list of criteria, the assessor should exclude those criteria that are already in scope for the Service Component Approval from the other TFP

    • Another approach: from the top down, once approved by FICAM as a service component, by definition that SC's policies and practices are equivalent/comparable under any other FICAM Approved TFP

    • In either case, FICAM must be satisfied that the applicant meets the FICAM TFS TFPAP requirements in total

  • Comment: There is a difference between an IM satisfying FICAM requirements versus satisfying a TFP's requirements

  • The key point is that FICAM Approval is against the TFPAP list of Trust Criteria - not the individual TFPs criteria

  • Downside - the spreadsheet only applies to FICAM Approvals

    • Kantara has criteria that go beyond FICAM Trust Criteria

    • If Kantara is the only TFP, it uses its full range of criteria

    • If a Service Component is accepted from another TFP, there's no certainty that all Kantara criteria have been satisfied - only those criteria that meet FICAM criteria

  • This distinction might form part of a Kantara roadmap activity to extend more globally

  • Note that this exercise does not create a strictly-defined Profile since it excludes criteria rather than constraining

  • Proposal: use email as the primary comment/feedback method; call an ad hoc meeting on Wednesday if needed

    • Plan to present to FICAM at Thursday November 20 monthly call

  • Discussion about presentation format ensued

  •  

AOB

 

Carry-forward Items

 

Attachments

 

 

Next Meeting