/
Published-06-17-17-2020-05-20 Meeting Minutes

Published-06-17-17-2020-05-20 Meeting Minutes

Owned by Denny Prvu
Jan 17, 2023

Attendees: James Jung; Sato Hiroyuki;  Richard Wilsher; Martin Smith; Colin Wallis; Ruth Puente


Draft reviewed during the meeting: KIAF-1450 SP 800-63C Service Assessment Criteria v0.11.0.xlsx


  • Richard explained that sub-items c) and d) in 63C#0350 were added because they were privacy risk assessment related, which appears in a separate item later in the NIST document. It covers later 63C#0660 and 63C#0690. Richard stressed he thinks it is not helpful for the group to question whether this is something somebody could achieve or would want to achieve; it is simply a case of saying that people have to do that risk assessment before working out what to do.
  • Martin commented he had some doubts about the parts that were left for him to check, he said that it is not necessary something to go through now, but in a future opportunity. Richard responded he will make a note on this.
  • 63C#0700: Richard commented that Back-Channel is in brackets because it includes a contextual comment. Back-Channel Presentation is the heading of 7.1. Richard added to the criterion “The CSP SHALL not create Back-Channel assertion references…”. In 63C#0710, he also added “The CSP SHALL create and transmit Back-Channel assertion references…”. 63C#0700 and 63C#0710 were agreed.
  • In 63C#0720, Richard also modified the Criterion as “The CSP SHALL create Back-Channel assertion…”. It was agreed.
  • Martin suggested to eliminate “practices” in the criterion in 63C#0730. Richard agreed. The criterion was modified as “The RP SHALL employ measures appropriate to the FAL which protect it from injection of manufactured or captures assertion references”. Martin and Richard said it is still an open item, Richard will make a note. Colin commented there are standards for privacy risk assessment, he added that ISO has several standards on it, it is a pretty widely used and well used thing. It is standardized. Martin asked if it is appropriate to put anywhere either in the criteria or perhaps in guidance, a requirement that the privacy risk assessment is done according to standard. Richard commented he would love to, however he thinks it is probably a step too far, given that this is largely aimed at Federal Agencies, it is unusual to find a Federal Agency which really gives much concern to international standardization in practice. Martin agreed.
  • 63C#0740: Richard explained about all in here that it was made a note “See #0420”. Richard thinks that the reference to #0420 is wrong, it is #0410, it was corrected. Richard said that rather than cross this on the fly, he will take an action to get his head around this. Hopefully it could be done by email (rows 165-169). Richard added he will generate something in the criterion, also he will consider referring back to #0410 to show where it puts into the assertion so it can be related to what can be taken out and validated. He is troubled with the word ‘including’, he would not include the concept in the assertion because you are making a requirement which implies other stuff, but you cannot prove it.
  • In relation to 63C#0750, Richard commented that it also has to do with Back-Channel. But he is still unclear why it is Back-Channel, this is reflecting (this requirement) that authenticated protected channel will be used. Colin added that according to his experience, Back-Channels are always mutually authenticated. Martin asked if it means encrypted, Richard answered it implies encrypted. 63C#0750 and 63C#0760 were agreed.
  • 63C#0770: Richard said he does not know what happened in here (the criterion is empty). He will solve it before finishing, for now he will move on.
  • In row 173 (7.2) it says ‘See #0730’. It was agreed.
  • In 63C#0730, a note was added ‘Guidance - applies to both Front & Back Channels’.
  • Rows 174-178 were agreed since #0740 is done.
  • In rows 179-181 Richard said it is the same for Front Channel as they are for Back-Channel, same requirement. Colin commented that it is not being provided any new criteria, it is just referring back. Therefore, 179-181 were agreed.
  • About 63C#0830, Richard expressed he is concerned with the expression ‘where feasible’. Perhaps it is easy for somebody to say “it was not feasible”, but if it is not included it is also a problem. The criterion was modified as “The RP SHALL, where feasible, request attribute references rather than full attributes”. Richard pointed out that another possible way of adding weight to this, would be to put in a completely Kantara driven requirement, which is to require that where these instances are to be employed would be stated through the Federation Agreement, which is a completely new requirement. Consequently, the criterion was modified again as “The RP SHALL, where feasible, request attribute references rather than full attributes, in accordance with the Federation Agreement”. Richard added a new row (76) where it says ‘request attribute references rather than full attributes’ to cross reference with 63C#0830. Now in the 63C#0830 criterion, it also says ‘See 63C#0325 ‘x’). Richard said to Colin that when it comes to do assessments in here, it will be necessary to require a Federation Agreement. Colin agreed on this. 63C#0830 was agreed.
  • About 63C#0840, Richard explained that it says ‘when requested’ because they ‘do not have to’. Colin said it seems fine to him. It was agreed.
  • Martin proposed to continue with the remaining points in the next meeting to have more people joining.
  • Ruth asked Richard if he had seen the email that Dr. Sato sent before the meeting about dynamic registration (it was a suggestion for this criteria). Richard said yes. Considering this, an item c) was added in 63C#0290 “Comply with the approved specification protocol”.

Progress on xAL3 drafts and next steps

  • Richard mentioned that he did a first draft at IAL3, and he is above third of the way through AAL3 criteria. In addition, the FAL3 criteria is included in the FAL2 draft and is extensively agreed.
  • Ruth stressed that currently the active participants in IAWG are the same of the sub-groups. So, it would be basically the same volunteers. 
  • Ruth asked Richard regarding next steps of FAL2, what does he estimate about completion of that criteria to submit for IAWG approval. Richard thinks it can be finished next week. Ruth said she will coordinate with Ken to make a call for volunteers this week.