IAWG Meeting Notes 2013-03-28

Kantara Initiative Identity Assurance WG Teleconference

Call not at quorum

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
  2. Discussion
    1. Agile IAF
    2. Haka Federation and the IAF
    3. Errata
  3. AOB
  4. Adjourn

Attendees

  • Matt Thompson
  • Myisha Frazier-McElveen
  • Richard Wilsher

As of 14 January 2013, quorum is 4 of 7

Non-Voting

  • Kenn Dagg
  • Nathan Faut
  • Rich Furr
  • Jeff Stollman

Staff

  • Heather Flanagan (scribe)
  • Andrew Hughes

Apologies

  • Cathy Tilton

Notes & Minutes

Agile IAF
  • waiting for a write up from Andrew; discussion will be postponed until next week
  • arrived at the point where we figured the IAF could handle this, the smaller segmentation of the rules, but more will need to be done, esp. on the assessment side, on what it means to have a Kantara assessment versus a FICAM assessment, and what value each of the approvals has
    • given there is a huge difference between US-centric Kantara and global Kantara; if you look at what is going on globally esp. in the EU, component certification does have value; as long as there is some way to assess an overall end-to-end service
    • this reflects the way the market is, and not doing this could leave Kantara behind; if we want to stay in the game of approving what is quality, we have to be quicker and more open to a variety of ways of doing things
    • as we see in some of the other NSTIC pilots, the scope of the approved component is getting tighter and tighter, and function-specific components are being declared
    • maybe stop talking about components and talk about services, and not even full-services; Daon wants to provide everything BUT identity proofing; and if a self-relying party is willing to accept that, and if it's only used within that entity, that should be fine
      • if it is used outside that entity, we'll have to consider how to indicate that (though perhaps not if we step back and just look at services?)
      • in the KTR we can provide near-real-time information on certifications
      • it is up to the person accepting the service, whether it is one or many, to determine if that service is enough to offset their own risk
      • Kantara's concern then will be that if they approve a service, we have to approve as far as it goes and no farther
    • do we want to look at pre-defined components, or groups of components? certifying one of the components as opposed to groups of components might be cleaner
      • (some disagreement within the group here)
      • a single service provider could provide both A and B, or they could just provide A and go with an external B that is Kantara approved, so when A is assessed, it is assessed because it has that prior approved component behind it
      • it might come down to what we believe the purpose of a certification is: is it for a certifying body to produce standard consumable components or to record the correct function of the component? it is neither A nor B, it could be both or either; the question is whether we give complete service choice or predefined services; there are arguments for both
      • are we certifying to standard interfaces or an everything is custom world? standard interfaces is significantly easier, and we look to the market to determine what the standard interfaces should be; it would be challenging to go find out what APIs are offered/needed for whatever transactions they are trying to do; we do not want to create an unconsumable trust model
      • as a service provider comes in with an application for certification, we need to look at that application and determine what portion of the SAC needs to be met
        • the changes made a year ago to the IAF allow for this already
    • exploring the standard interface idea some more: when looking at the decoupled binding model, if enough functions are put into the picture, could the interfaces be defined in a reasonable way? if we draw out a more comprehensive general model, could we capture this?
      • in Canada, they have a deployment profile that defined how they were going to send out requests and receive responses, and every party contracting with them needed to adhere to that; we need to get to that model more than Kantara listing what API we are willing to accept; do agree that if we allow open field in terms of defining interface specs, chaos ensues in the RP world, but it is up to the RP to define what it is they want/need; someone needs to build the black box between the RP and what they are consuming
      • the level of the criteria does not allow us to define or impose any particular API or standard for the interfaces between the components, only the criteria at a high level
      • but do we need to add a criterion that says "you must publish your interface spec"? maybe; a separate path, not necessarily within the IAF, might be a test harness that represents those interfaces; this seems like something that the IRB is working on
        • perhaps add something like "if you want to use the KTR, you need to define the interface requirements on the trust registry"; this could be a way to hook RPs in to Kantara
      • sometime over the last year, someone volunteered to define typical supporting services - did that ever happen? the initial model Andrew just sent out is a first cut at doing that at a high level

Haka Federation and the IAF

  • this is a higher ed federation looking to the IAF as a reference point for their federation; Kantara has been approached by the Haka Federation with some potential profiling needs for the IAF document.  Haka is a federation in R&E-space (like InCommon for Finland). They've asked to be allowed to profile AL1 and to be granted approval authority for AL1 (note: AL1 only!).
  • Quoting from Sami Silén from the Haka Federation:

I’ve been studying SAC and with it profiling would be the proper way to go.

A couple of questions have arisen:

a) Can we still do excel with where we also define “Haka Profiling column” in addition to criteria details if needed. Or should we strictly use the SAC Document (http://kantarainitiative.org/confluence/download/attachments/41649275/Kantara+IAF-1400-Service+Assessment+Criteria.pdf)? Or do you have a better template to fill? Or any example of a profiled SAC?

b) For us LoA1 (or 2, I’m not sure yet) would be a good starting point, but even without profiling there are requirements from a greater level which go into greater detail, e.g. in LoA1 there is
AL1_ID_IPV#010 - Required evidence - Accept a self-assertion of identity.
And in LoA2 AL2_ID_IPV#010 - Required evidence - Ensure that the applicant is in possession of a primary Government Picture ID document that bears a photographic image of the holder.
If we’re going to fulfill LoA1, can we use AL2_ID_IPV#010 instead of AL1_ID_IPV#010, or should we just profile AL1_ID_IPV#010 with details from that greater level criteria?

c) Even without going to a greater level in SAC: in case we would just want to fill level2, can we still add some requirements from Level3 only because we want to add that, but still we’re just filling level2?
Or should we still just do it the profiling way? Add that detail to some other Kantara criterion which could be the best fit container for it?

d) About prices

  1. What kind of pricing scheme is there for an Educational federation?
  2. Can we give Kantara LoA1 Approval for IdPs or SPs (as a federation operator), or what is the method and price for approval?

// Sami Silén


  • is Kantara willing to create a service approval authority valid only for a specific assurance level? Can Haka approve its members at AL1? Can Assessors be constrained only to do AL1, or must Assessors be able to handle all levels?
    • the way we have the assessment program set up, an Assessor can assess at any given level; but Haka likely can't afford the standard Assessor fees - would the fees change for an Assessor that would only assess to AL1? This might be more of a question for the ARB
    • the fee to be a Subscriber is based on the size and type of an organization; the Assessor fees are determined (partly) by the LOA
    • the question is, is there a mechanism where we can help Haka have cheap assessments? could Haka spin up an assessor that is independent enough that has cut a deal with institutions within the Haka federation to work with them?
      • this has also come up in discussions with Educause; higher education everywhere wants to do things as cheaply as possible and still wants to have authoritative standing; one idea that could help, but would be up to Haka to implement, is: in an effort to jumpstart IT auditors, develop a senior seminar approach to combine IT and accounting, and have the class do the assessment; for LoA1, self-assertion is reasonably acceptable
      • could Kantara spin up the service assessment authority approval/certification and approve Haka as a service assessment authority? and then it would be up to Haka to figure out how they would do the assessments, and take Kantara mostly out of it; nominal annual fee (number of members in the federation + the non-profit subscriber fee)
        • note that this would only really work for small federations - InCommon and WAYF for instance have many many members and so their overall cost could turn out to be more than what we charge our largest global customers
        • if Haka is made a service approval authority, their approvals would never go to the ARB, they would go straight to the Board
        • we are talking about cross-certifying federations, and this needs to be discussed with both the ARB and the Board
    • if we go through this process, does that mean that what Haka is doing at L1 has to be comparable to what we are doing at L1? or if they start pulling L2 into L1, how does that impact what Kantara is doing?
      • unless we restructure the SAC to be part of everyone, then no, they cannot mix and match criteria
      • if they write a profile, fine, but it would be their profile; in the profile creation guidelines, we were clear to define that the profile is to make things more stringent, not to make a hodgepodge of the SAC; we are putting a lot on the profile to make a customizable thing, but we could create too many SACs
      • if the profile is for L1, and if they want to take criteria from other sources and make their profile more stringent for L1, they can, but it will still be an L1 certification
      • this may require a review of the SAC to make sure the language really does allow for this in a clear manner
  • ultimate decision is up to the ARB, but as far as the IAWG is concerned, they can do this with a unique profile; this should also be passed to the LC and the Board for consensus
    • Myisha will review the IAF to verify this is allowed

Errata
  • will review on next call

AOB

Next Meeting