2023-01-05 Minutes
Attendees:
Voting Participants: Andrew Hughes, Martin Smith, Michael Magrath, Mark King, Richard Wilsher, Mark Hapner, Jimmy Jung, Maria Vachino
Participants: Lorrayne Auld, Chris Lee, Marc Aronson, Eric Thompson
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval - 2022-12-15 Minutes
General Updates
Assurance Updates
Discussion:
800-63 Revision 4 Draft Release - next steps & information
Complete Charter Review
Any Other Business
Meeting Notes
Administrative Items:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Michael Magrath moved to approve the draft minutes from the December 15 IAWG meeting. Jimmy Jung seconded the motion. Motion carried with no objections.
General Updates
January 6 is the deadline for Identiverse proposals (May in Las Vegas). Kantara is submitting several proposals, including a few where NIST may be included in the panel.
The joint industry meeting being held at the Veneable offices in Washington, DC is scheduled for January 24 from 10am - 3pm. For more details on registration, please reach out to Lynzie directly (lynzie@kantarainitiative.org). On January 25, Better Identity Coalition, the Fido Alliance, and the ID Theft Resource Center are holding their annual policy forum. There is also a registration for this - for both public and online participation.
NIST staff will be joining IAWG on February 2. They are asking for an agenda in advance so please be compiling questions we’ll want to send to them. We will collect questions through the January 26 IAWG meeting. Anything for that NIST meeting can be sent to IAWG leadership directly. A revised calendar invitation has been sent to extend our call an additional hour (1-3pm ET).
The 2023 KIBoD has been elected. Officers will be elected at the first meeting later this month. Congrats to Andrew Hughes, Eric Thompson, Maria Vachino and Michael Magrath - all active IAWG participants on the KIBoD!
Maria asked about the potential of moving the IAWG meeting time. Andrew wants to see how people feel about moving the meeting up one hour - meeting at 12pm ET.
Assurance Updates
Revision 4 was released on December 16. Follow communications from IAWG for the array of upcoming webinars, meetings, deadlines, etc.
Maria stressed the importance of getting CSP input in our comments on revision 4. Lynzie has been pushing this while having membership renewal conversations with the CSPs. A handful have shown great interest, but have not completed GPAs or attended a call.
Lorrayne shared a that DHS S&T is holding a new remote identity validation tech demo challenge for 63A. It might be worth seeing what comes out of this to see if a partnership is worth pursuing.
Michael asked the group about why passports are considered strong evidence rather than superior evidence. Eric has a similar question and it was explained to him that if you use the chip - it’s superior - but if you are scanning or using the images, then it is strong. Lorrayne agreed that the cryptographic chip is what makes a passport considered superior. Jimmy wants to include in the comments that they need to give a concrete list of identity evidence and its strength. Lynzie mentioned that the ARB mentioned taking the IAWG with a list that could be used internally at Kantara as well. Either option would help the Kantara process. MITRE has done work in area already.
Discussion:
Revision 4
The revision 4 wiki space has been updated with some important dates and links. Please keep an eye on it.
Next week NIST has a webinar during our regularly scheduled time - Digital Identity Guidelines - Kicking Off Revision 4! being held from 1 - 4pm ET. You can register for the webinar here. Though likely an overview, it will still be good to see how NIST is perceiving the document to help us provide the best feedback.
In preparation for the Jan 24 and Feb 2 meetings, keep in mind the questions you might want to ask in a more public forum or otherwise. All of these dates mostly relate to our need to compile feedback on the draft.
Andrew outlined how IAWG plays a role in these new standards including ARB, NIST, other agencies, and our assurance program development. With these roles, we need to divide and conquer this work. He suggested everyone do a deep dive into an area that aligns with their expertise. Denny will serve as the lead on the comments.
Andrew asked for some initial impressions from anyone who has started reading. Michael Magrath mentioned the IA level 1 - not seeming like there’s much separating level 1 and level 2. The identity evidence collection is actually the same between the proposed IAL1 and IAL2. This could play a factor in healthcare. Lorrayne mentioned that the ‘choose-your-own-adventure’ on the risk decision tree is also removed from the draft. This could lead to confusion in terms of with level to pick. It’s risk-based still but with equity decisions as well. Eric feels rev 3 was very prescriptive - but this one is much more open to the agency. It's a combination of risk and mission in essence. They’ve struggled with the prescriptive approach as being unachievable by agencies. Michael also mentioned that with the format of the draft, with the questions at the top of each section, he feels like it’s possible we get another draft before we get a finalized set of standards. Richard, Maria, and Lorrayne all agreed that the format with the questions is different from prior versions and could mean we’ll see multiple versions of drafts. Lorrayne thinks it might be that the implementation guide is updated to address the questions opposed to the standards.
Lynzie shared the comment template from NIST. It can be found in the revision 4 wiki page. Richard suggested formatting the spreadsheet into the four sections to help divide it - and then one section to respond to the questions.
Charter Review
There was not time in this meeting to discuss the 2023 IAWG charter. This will need revisited. Andrew summarized that at some point we need to decide what are the roles of the IAWG in terms of the assurance program.
Any Other Business:
Andrew asked that if anyone has any issues with the frequency of meetings of this group - whether they are too often or not enough - please reach out to him directly with the concern.
The next scheduled meeting will be January 19, 2023. The January 12 meeting is being cancelled to allow people an opportunity to attend the NIST workshop being held at the same time. Information to register is above.
IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!