IAWG Meeting Minutes 2015-04-09

Kantara Initiative Identity Assurance WG Teleconference

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes approval: DRAFT IAWG Meeting Minutes 2015-02-26, DRAFT IAWG Meeting Minutes 2015-03-26
    4. Action Item Review
    5. Staff reports and updates
    6. Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
    7. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Upcoming NIST RFI on SP 800-63 and the possibility of resuming weekly calls
    2. Richard Wilsher's suggestion to remove ALn_CO_OPN#010
    3. Process for SAC maintenance
  3. AOB
  4. Adjourn

Attendees

Link to IAWG Roster

As of 2015-01-22, quorum is 6 of 11

Meeting achieved quorum

Voting

  • Ken Dagg
  • Scott Shorter
  • Adam Madlin
  • Lee Aber
  • Devan Kusec
  • Richard Wilsher

Non-Voting

  • Ashley Stevenson (Forge Rock)
  • Angela Rey
  • Ann Racuya-Robbins

Staff

  • Joni Brennan

Regrets

  • Andrew Hughes

Notes & Minutes

Administration

Minutes approval postponed due to lack of comment.

Action Item Review

RGW commits to provide language about an alternative to the FIPS 140-2 requirements by next week.

See the Action Items Log wiki page

Staff Updates

Joni reports:

Board of Trustees meeting last week. Two working group proposals, from UMA including demo of MVCR and ??.

UMA all user ballot was approved. MVCR review is open - please review and share comments.

Assurance Review Board approved two grantees, SUNET as CSP and Scott Perry as assessor.

Gathering at RSA coming up

European Identity Conference: a very good workshop, with a number of presentations coming up.

Leadership Council (LC) Updates

  • Meeting postponed until next week.

Participant updates

Tweet worthy items: no response. Maybe we don't need this agenda item, it never generates much.

Discussion

NIST 800-63 RFI

From what we have heard, the RFI on 800-63 is coming out within the next week or so. It is expected to be imminent, possibly by the weekend.

Ken: schedule a call for next week? RGW: suggest scheduling it and cancelling if the RFI does not appear.

Angela Rey has a general comment: she is concerned that we are focusing so much activity on 800-63 and not looking at other issues impacting the area of identity assurance.

Ken prompts for details. AR specializes in financial management, where identity assurance is a big issue and is talked about a great deal. There is a lack of standards, definitions and standardized data about the manner in which identity is established and exchanged across the agencies. Coming to learn more about the issue, there seems to be too much focus on the one document.

RGW offers a historical view. 800-63 is a fundamental document and drives FICAM. The assessment criteria are derived from 800-63, in a more generic form so that other jurisdictions can map their own requirements to Kantara. SP 800-63 is and continues to be a significant part of how Kantara and anyone in the US identity management space does business.

KD: the IAWG is the steward of the service assessment criteria and the identity assurance framework by which assessors and CSPs are approved. There are other issues in the identity assurance area that need to be discussed. Our primary role is to be the steward of the SAC, and the focus on 800-63 is due to the importance of that document.

Joni adds that there is a current program operating, and the current group fulfils the requirement of maintaining that program. Historically and currently, we have another group which is open to members and leadership and provides liaison to ISO and other international standards bodies. Some documents are not available for public review, but they are available to the liaison subcommittee. To follow on to Ken's point, it would be great from our perspective to receive input from Angela about what the issues are in the financial industry identity assurance world. The identity assurance program and IAWG are focused on building efficiencies and mutual recognition, which could be a path for mutual recognition with financial regulatory schemes. We would welcome input on where those intersections occur and how Kantara could build on that perspective.

Scott mentions that comment on 800-63 may be an opportunity to build on Angela's comments about what may need doing with 800-63.

Ken mentions focused groups in health care and other spaces may be relevant.

ALn_CO_OPN#010 removal suggestion

RGW notes that the criterion is about technical security, and is covered adequately and in more detail by the OP SAC. Scott pointed out that AL3_CO_ISM#120 (best practice security management) matches the CO_OPN#010 SAC.

Ken asks if there's an impact on already approved CSPs.

RGW moves that the SAC be removed from the forthcoming version of the CSP. Scott seconds the motion.

Ken asks for comments/questions. Silence. Call for objections. No objections.

Ken inquires if the change can be approved at this point or if it should go to the email list. Joni responds that any substantive change to the SAC or other document would require a call for comments, IPR review and an all-member ballot. It depends on where this change is within the lifecycle of the document.

With no objections, and no need to get further approval, Ken asks for the change to be applied.

SAC maintenance and approval process

RGW points out that he has a working version of the SAC, collecting the changes that are identified. No changes have been so urgent that we've needed to push them through.

Ken inquires how many changes have been collected at this moment.

RGW responds that there are a couple dozen; many are very small, e.g. typos. They have no impact on the assurability of a service, but they are refinements.

Joni explained the process for approval: a vote by the IAWG, an IPR review, a call for comments and an all-member ballot.

Ken notes that we're close to 1 year since an update. With no urgent need for an update, would it make sense to see the RFI and comment on it before deciding whether to publish a revision?

RGW thinks the RFI will have no impact on a standard for 18 months minimum.

RGW will send the SAC to the list for discussion.

Joni describes the timeline: when the IAWG approves a draft, a 45-day comment period occurs. Comment disposition takes 0-3 weeks. Then review by the Leadership Council and an all-member ballot. In total, 2.5 to 4 months.

RGW notes the FIPS 140-2 correction should be included in the revision when it is published.

Comments from the group on Richard's proposal? Hearing none, Ken says to go ahead.

AOB

None

Richard calls to adjourn.

Carry-forward Items


Attachments


Next Meeting