IAWG Meeting Minutes 2012-09-27

Minutes Approved by IAWG - 2012-10-04

IAWG Meeting 27 September 2012

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Motion for minutes: IAWG Meeting Minutes 2012-09-13
    4. Update on nominations for Chair
  2. EU participation
  3. KAR feedback from ARB (see v.5 of the document)
  4. Disposition of Comments - https://secure.join.me/398-538-735
    1. Kantara IAF-1100 Glossary (Kantara IAF-1100-Glossary v2.1)
  5. Roadmap
  6. Outreach
  7. AOB
  8. Adjourn

Attendees

  • Andrew Hughes
  • Myisha Frazier-McElveen
  • Colin Soutar
  • Bill Braithwaite
  • Richard Wilsher
  • Scott Shorter

Quorum is 4 of 6 as of 17 September 2012.

Staff:

  • Joni Brennan
  • Heather Flanagan (scribe)

Non-voting:

  • Ken Dagg
  • Jeff Stollman

Apologies:

Minutes

Nominations for Chair

  • Nomination period closed Sept 24 - one candidate, Myisha Frazier-McElveen
  • Colin Soutar moves to approve Myisha as chair; Bill Braithwaite seconds; no opposition or discussion, and so moved - Myisha is reelected as Chair

Discussion

EU participation

  • looking to start a work item of mapping ISO 29115 from the UK and want to see how the IAF maps to that
  • How can we have a cross-border equivalency or recognition program between, for example, Kantara and KeyScheme? The IAF assessment criteria call back to 800-61 v1, and the UK environment will call back to ISO 29115; looking for volunteers for a cross-border aspect, focused on the US and UK, to map/compare NIST 800-63 and ISO 29115 with an eye on the Kantara and UK programs; some of that mapping may be confidential, but Kantara does have access to 29115
    • Scott Shorter, Bill Braithwaite and Richard Wilsher all interested
    • (Richard) note that it will be very helpful to have a scoping statement and set of goals to bound the work; (Joni) has ideas on that and will assist

KAR feedback from ARB (see v.5 of the document)

  • there was some discussion as to whether it was the auditor or the ARB that should submit findings to the BoT; the ARB recommended removing the auditor submitting to the Board
  • Next steps: the IAWG to give this a vote of confidence so it can go to the LC to ratify as a final Report to be approved
    • Richard Wilsher moves to approve the KAR v0.5 and move up the line for formal publication as v1.0; Bill Braithwaite seconds; no objection or discussion; motion approved

Disposition of Comments

  • Kantara IAF-1100 Glossary (Kantara IAF-1100-Glossary v2.1)
  • (Richard) Comments on the glossary are out of scope for the 45-day review since it was submitted outside the review period, so suggests we go ahead and publish the five revised documents and deal with the glossary comments in the next revision; note we also have other comments coming in indicating we're going to have to do another revision soon in any case
    • (Ken) agrees as long as any changes made so far that would impact the glossary are included/revised in the glossary
    • (Myisha) disagrees that the glossary was out of scope since it is on the public announcement page
    • (Myisha) must the documents be approved as one large set, or can they be approved in discrete components? (Joni) yes, that is reasonable and acceptable
    • (Andrew) would it be fair/necessary to put a warning on the glossary and the other documents that it is out of sync? (Colin) that makes sense; (Joni) part of this set of changes is that we've talked this through with FICAM and as a result we have two versions of the IAF and the process, and finishing this revision will actually amalgamate that into one version and will help us with the creation of a document repository of normative documents; (Richard) it should absolutely be in the repository, not the documents, else you have to revise every document when the glossary is revised; we could include something also in the glossary itself since it will be actively under revision
      • (Ken) it is only 5 documents that would need to be touched, is that really a problem? Could that be a staff revision without a full approval cycle of the IAWG? (Joni) that would be acceptable
      • (Richard) what should the cautionary note say? "Users of this document should be aware that the Glossary is under revision and certain terms may be inconsistent. Clarification of terms should be sent to the IAWG."? (Andrew) if the document set says refer to the index for comments and latest versions, that may be enough; (Richard) a distinct statement that there is a fair chance they are not aligned with definitions in the glossary or on the website; either way it needs to be a clear statement, and if one just had a more general "look for normative documents here" that wouldn't be clear enough
      • (Ken) in looking at the 5 docs, other than the Introduction, all have a glossary section where a sentence could be added; (Colin) in the DoC a comment was provided regarding the authoritativeness of the separate glossary, and we could add to that the point that the authoritative glossary, that separate doc, is under update
      • (Richard) perhaps we shouldn't have those separate mini-glossaries, unless the terms are only used in the individual document; (Ken) would like to have all the terms in a single glossary whether or not they appear in just one document
      • (Myisha) consensus: remove per-document glossary from the documents and move them to master glossary, and add a per-document note that the master glossary is under revision, any uncertainty regarding a definition should be referred to the IAWG, and that removal of that comment should be considered a Secretariat editorial change
        • Richard Wilsher makes a motion to formalize above consensus; Ken Dagg seconds; no objections or discussion - motion passes
        • AI: Richard will send exact text to the list and put it in the documents, then pass them to Heather for publication

IAWG RoadMap

  • Document maintenance - this round is just about done
  • KAR - done (as per earlier in the call)
  • PAC - waiting for input from P3WG
  • Relying Parties - push this down on the priority list; doesn't have a work sponsor and the work really needs to start with the relying parties themselves
    • (Myisha) this is more a work item that credential providers would like to have confidence in the Relying Parties, so while the work effort would require bouncing stuff off the RPs, we need more interaction with the credential providers
    • (Ken) partially agrees; RPs need to be involved in order to make sure any requirements placed on them are implementable, but it's the CSP/IdP that should be setting those requirements; the Service Assessment Criteria should have been developed by Relying Parties because they are the ones that have to rely on those assertions
    • (Andrew) background question - do we know of any RPs at LOA3? are there any barriers to RPs coming on board? (Joni) it is in the IdP's interest that the RPs are using trusted practices as well, and the biggest RP we work with is the US Fed Gov't, but they don't themselves really certify; what other sets of RPs would consume an LOA-type program? Health care space would be huge
    • (Andrew) what kind of requirements could we apply to an RP? (Ken) see InCommon as an example of requirements on both RPs and SPs
    • (Andrew) would we / could we ever disconnect an RP if they had repeated egregious issues? (Myisha) Would these be guidelines or certification criteria? We called them best practices guidelines; (Andrew) and the CSP could put these guidelines in their own agreements with RPs
    • Continue this conversation on next call, how can we move this forward in incremental steps while we wait to find a champion to move it forward

Outreach

AOB

  • (Myisha) October activities
    • we have a F2F at the end of October after the NSTIC IDESG meeting, based on the agenda of the mini-F2F held in August; what topics would the IAWG like to see covered in this F2F, and do we want a working session of the IAWG?
      • a working session is a good idea; (Richard) what would we be doing in that working session? (Joni) dig in deeper to the pseudonymous approach, have an early thought/input into cross-border certification, work on the glossary, how to manage documents across all the different workgroups and a higher level of abstraction
Next call: