IAWG Meeting Minutes 2013-05-30

Kantara Initiative Identity Assurance WG Teleconference

Approved by IAWG 27 June 2013


Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
  2. Discussion
    1. Feedback to the Government of Canada on "Guidelines on Identity Assurance"
    2. RP Guidelines
    3. Updates
      1. Agile IAF
      2. Alignment with SP 800-63
  3. AOB
  4. Adjourn

Attendees

  • Scott Shorter
  • Matthew Thompson
  • Myisha Frazier-McElveen
  • Cathy Tilton
  • Richard Wilsher

As of 22 May 2013, quorum is 4 of 7

Non-Voting

  • Ken Dagg
  • Rich Furr
  • Joni Brennan
  • Sal D'Agostino
  • Nathan Faut
  • Jeff Stollman
  • Helen Hill

Staff

  • Andrew Hughes
  • Heather Flanagan (scribe)

Notes & Minutes

Discussion

Feedback to the Government of Canada on "Guidelines on Identity Assurance"
  • Document was attached to the email
  • It is very worthwhile to click on the links to the other documents that the Gov't of Canada is working on; a lot of good information
  • the goal is to create a consolidated feedback document; also asked a few other groups to do the same; would like this to be finished in 7 to 10 days (7 would be nicer than 10, given the schedule they are working under?)
  • Due to particularly bad voice connections to the bridge, this topic is being moved to the mailing list
  • Coming back to this as the connection improved
    • Questions to focus the conversation: is it clear, does it provide good guidance, does it make sense, have we missed anything?
    • This is written from a Canadian public service perspective, not an international perspective
RP Guidelines
  • This has become a big item recently (see mailing list thread); came out of a discussion of what came out of IIW
  • UMA has also been interested in this issue recently to determine questions like log out, RP responsibilities, etc
  • George Fletcher has proposed a few use cases that could help spur the conversation
  • Does this now have enough momentum to create a report, or is it still all discussion points?
    • would love to see this come out as a report along with the Federation Interop Guidelines; this could be a cross-workgroup effort, though the logistics could be challenging
    • an appropriate way forward could be a Discussion Group such as the Attribute Management which in turn led to a full WG, and led to a picture of the landscape on what's out there on this topic
    • could the output of that group be just the landscape, or the landscape and use cases?  Scope should be part of the LC discussion on the topic
    • side note: encouraging the IDESG/NSTIC effort to become a federation operator; Rich Furr leading the effort
  • Would it make sense to have a quick ad hoc focus group to define the problem space to frame the discussion for the LC?
    • we can't make a decision on how to advance forward without understanding the use cases that are being answered, so we should really start with that
  • concern is that we might be reinventing wheels, since there are a lot of RPs that would not be involved in a Kantara WG/DG that might be doing the same work
    • the first step needs to be discovery: use case discovery, existing RP guidelines, and then determine actions from there
    • we are trying to answer the call of "Where are the RPs?"; are there any friction points that we need to identify that aren't understood at this time?
  • Goal is to create an ad hoc group
    • volunteers to write up a call for participation: Ken, Myisha; should also follow up with George and the other active people on the thread

Ad Hoc Team Updates

Agile IAF
  • Ken, Scott, and Andrew have been meeting and discussing the idea of introducing more agility into the IAF; the general idea is that the IAF has service components, but what would it mean if we went further?  Need to define what a trust framework actually is; a white paper has been started to define that, explain how a trust framework works, and describe the benefits of a trust framework; several blogs and event sites have delved into this quite a bit, and the aim is to bring all that information together and forward
  • One of the questions to be answered: what parts of the identity provider/credential provider/RP model absolutely have to be certified, assessed and trust-marked? Are there any parts that do not have to be?  What does that mean in terms of operational practice?
  • If anyone else wants to join the small group discussing this, more than welcome - Cathy Tilton, Myisha Frazier-McElveen to be added
  • Current goal is to have this ready to go out in 2-4 weeks; this will need to be released in pieces since the content is very dense
Alignment with SP 800-63
  • This is proving to be more challenging, particularly because of changes NIST has made at levels 3 and 4
  • Richard will be exposing a few parts of the standard (800-63-2) that he needs help understanding in order to finish this up
  • there is quite a bit of detail coming in from 800-63-2 that may not be appropriate to include in the SAC in any detail; still, some amount of linking is happening between the SAC and 800-63-2
  • may want to pull these out into an appendix that could be the beginnings of a profile
  • should there be a free standing component to allow for the different countries to have different annexes
  • we cannot show conformity to this without following a similar path, and this could apply to other governmental standards as well
  • expects to have a draft available for IAWG review in about 2 weeks
Glossary
  • Ken distributed a draft of an update to the glossary for review; hope to have this out for more public comment in a few weeks


AOB


Next Meeting