Published-06-17-17-2020-03-18 Meeting Minutes
Attendees: Ken Dagg; SATO Hiroyuki; James Jung; Richard Wilsher; Mark Hapner; Nathan Faut; Martin Smith; Ruth Puente
Key discussion items
- Richard went through this draft during the meeting: KIAF-1450 SP 800-63C Service Assessment Criteria v0.04.0.xlsx
- Richard mentioned that the criteria that apply to the Federation Authority were completed; now it is necessary to go back to IdPs and RPs.
- It was agreed to add additional requirements to the Federation Agreement: testing and the frequency of re-assessment to ensure ongoing conformance requirements. Richard clarified that these additional requirements are not part of the source text. Martin asked if the Board would have a problem with that. Ken said that the Board would, in essence, look for a recommendation from IAWG and, unless there is a very significant business reason not to go with that recommendation, they would go with it; they are not the technical experts. Richard added that this is the reason why CSPs and RPs are being encouraged to work in the sub-group.
- Martin commented that it is assumed that if the assessment criteria change (if Kantara makes the changes), it should probably trigger re-assessment as well. Ken answered that it should be checked in the next review, during the annual conformance review or triennial review, no more than 12 months, as per the SAH and TMLA. Ken clarified that if the changes to the SAC are not material they don't need an All Member Ballot.
Requirement on Row 50, #0330, says "Federation authorities SHALL individually vet each participant in the federation to determine whether they adhere to their expected security, identity, and privacy standards":
- Richard said that if it is needed to recommend a maximum period between these periodic re-assessments, that could be three years. Nevertheless, every year Kantara would have to ask: are you meeting your three-year obligation? This aspect must be defined by the Fed Authority.
- Richard remarked that NIST text does not say when the vetting should be performed.
- Martin added that sometimes it is granted a conditional approval subject to specific remedial actions.
- Richard suggested that we need to think about 3 aspects: 1) Should this requirement be made such that they have to be vetted and sufficiently meet the requirements prior to participation? 2) Frequency of assessment: one-off or periodic (no greater than 6 months). 3) To what extent does one allow less than 100% conformance to be found, subject to corrective actions within an acceptable time period?
- Ken suggested adding a note/guidance that the Federation Agreement might consider defining: the period of re-assessment (before joining the Fed or at any time during participation) and what level of sufficiency of conformance is to be achieved. It was agreed to add a note reflecting that. Therefore, Richard added the note in column R.
- Nathan asked if the source text allows self-assessment. Richard said no; it actually excludes the possibility of self-assessment by Federation participants. When you consider this text here, a federation could vet each participant. It does not allow self-assessment; it would be inconsistent with Kantara.
- Ken's suggestion for additional requirements to the Fed Agreement, “As Necessary” for Testing and “SHALL be done” for frequency of re-assessment, was accepted by the group.
Richard proposed to continue with Martin’s comments and to address SATO comments and said that everything in green is what has been already resolved.
Martin comments:
- Comment on Row 74 - agreed.
- Comment on Row 91 - agreed to add to criteria 0460 "limit or extend" a subject session duration at the RP.
- Comment on Rows 94-98 about implementation of HOK - Richard asked if they should be ignored or reviewed. He added that it is the only reference to FAL3. In the absence of comments they are going to remain and will be reviewed later.
SATO’s comments:
Comment 1. "We must be aware of who will be certified (or assessed) by using 63C SAC. Unlike 63A or 63B, an IdP needs cooperation with (or enforcement by) its participating federation. Therefore, a pair (IdP, federation) would be a target for assessment, considering the current operations of federations mentioned below".
- Richard pointed out that in a Fed, someone will be setting the rules, and there might be at least 3 or more participants; otherwise it would be a bilateral relationship. Therefore, it's unlikely to manage the assessments of all the participants together. A Service Provider would need to be individually assessed; under FAL2 assessment, the assessment will include "show me the fed agreement and how you meet it". He also pointed out that there are no means to assess RAs exclusively at the moment, but a similar process could be created. Martin added that we may have multiple assessment sets per kind of entity. Richard remarked that we can desire to have an RP assessed, but KI is not in a position to mandate that unless we own a federation. We cannot impose a requirement to have an RP assessed, only if the Federation Agreement requires it. Richard added that the criteria say “Each participant”, so it's fully inclusive (assessment of RP, IdP and Fed Authority).
- Ken stressed that the Federation Authority is responsible for the federation and its operation, and it is also the one that will respond if something goes wrong.
- The Fed Authority should ensure the assessment was done, and not necessarily perform it.
Comment 2. "Furthermore, in commercial IdP (OP), it is very common that a single IdP collects multiple RPs, and builds a federation. Here, the bunch of individual contracts between the IdP and RP would be the "policy" of this implicit federation”.
- It was commented that if a CSP plays in multiple Federations, do they have to get an assessment for each Federation? How common are the requirements, and do we give folks approval when they have met 80% of the requirements? Ken responded that again it comes down to how common the requirements are, and if they have met 80% of the requirements, they only need to be assessed for the remaining 20%.
- Richard clarified that CSPs are individually assessed and each of them has to show how they meet it. In fact, the criteria say “each participant”.
- It was agreed to continue with question/comment #2 of Dr. SATO next week.
- Richard concluded that so far, the group has gone through what a Federation might look like and how it must function/operate, and pointed out that it's an immature area.