Published-06-17-17-2017-08-31 Minutes

Attendees

Ken Dagg

Richard Wilsher

Ken Crowl

Aakash Yadav

Mark Hapner

Don Campbell

Colin Wallis

Ruth Puente

Scott Shorter


KEY DISCUSSION ITEMS 


Presentation of RGW Documents



  • RGW said that he is focusing on 63A and breakdown the classic IAF 1400 into 1430 63A SAC document.
  • In the diagram he presented he intents to show what we are doing in the short and long term.
  • He added that we can define a NIST normative requirement or anything that is not under that category becomes a non-normative requirement.
  • As modus operandi, he proposed: For the moment anything that is not a SHALL is therefore not considered to be normative, and we should put emphasis in the SHALLs.
  • Scott stressed that we should work with the SHALLs, as they are critical now.


  • RGW explained the approach to the work on 63A IAL 2 and AAL2 requirements:

-Every normative requirement has a place in one or more IAL or AAL.

-Each NIST normative requirement must have one SAC criterion or more than one criteria related to it. Each criterion will be given a tag, so we will have a unique tag and discrete requirement.

-In the longer term, we may want to have a guidance and relate to that a profile interpretation or more strict requirement to meet.


  • RGW identified all the imperative requirements in 63A and proposed 1 or more KI criteria: 
    -He prefixed with a tag, they are all 63A and he used 4.2., as it is the clause in 63A in which NIST requirement is found, and he used an incremented decimal tag.
    -Between square brackets there is a single discrete requirement that is represented by a tag, and it relates to the preceding NIST text and the proposed KI criterion. In some cases, the original text is shaded in grey and replaced with alternative more precise text, in dark red italics. Where original text is used, with clarifying modification is in green. If the text is not grey shady he is saying that this is written well enough.
    -He showed the spreadsheet as an alternative presentation.


  • Mark liked what Richard was showing – the insertion of appropriate identifiers into the original document so that the requirements can be referred to. Not a lot of crap in the document. Need identifiers, like in the spreadsheet shows you can begin to turn them into the criteria.
  • Scott agreed, he liked the spreadsheet and the DocBook approach for different reasons.


Review methodology and Work Product format


  • Scott nominated spreadsheet for comment discussion process.
  • Ken thinks that the DocBook should be created and kept as a Kantara format. Concerned that we have to be able top generate word documents.
  • Aakash asked how comments are attributed. RGW showed him the spreadsheet columns, where the commenter adds his initials and number of comment and the comment column.
  • RWG clarified that he will be the editor and will collate the comments and provide a Disposition of Comments to the reviewers and then the group decides on the final texts.
  • Colin agreed with the approach to work forward with spreadsheets and then approach DocBook.
  • RGW said that DocBook tool has a lot of potential, but he had some problems with color-coding. He stressed that the primary goal is to establish criteria to get assessment going. DocBook is great tool, but questioned if it will impede the progression of developing those criteria.


SoC template


  • RGW commented that the spreadsheet he presented is like a SoC. So we do not need to worry on creating a SoC template as we have it here. The CSP says, “Here is where we are conformant”.  The assessor says “yes you are or not”. Scott agreed with RGW.
  • Scott said that SoC could be used to capture info about why the CSP meets the criteria, the group map to your assessment. The current template is IAF 1401.
  • Colin had a comment about Richard’s comment that a statement of conformity can be created. Concerned about the external perception. 
  • RGW clarified that the KAR is intended to fill that purpose; the SoC has the detail of the criteria against the CSP is being assessed.
  • RGW added that the FICAM potential new requirement for CSP to make public its Credential Practice Statement would be rejected by the CSPs, as they do not want that information in the pubic domain. We are waiting for FICAM to release their new documentation.


Timelines


  • Ken question – can’t see screen – how much of the A doc has been done. RGW – all of it for IAL2.  What will it take to get the B document?  When is A ready for review by members?        
  • 63A – this group will need 4 weeks or more to review 63A
  • 63B will trail by 2-3 weeks
  • Aiming for November 1st for something to go to the broad group membership (IAWG).


AOB

  • Colin – holiday next week, do we need a call? RGW and Scott agree they are available.


CSP vs RP

  • Mark – sent out statement question – semantic concern will be brief- 800-63-3 has requirements for CSPs, which are organizations that are enrolling applicants for some purpose. If I’m a CSP I use a mix of product from the identity industry.  Proofing from one vendor and another vendor for credentials.  If we are producing the criteria for CSPs, the end user being some federal agency or other end user.  Identity provider suppliers service, saying “I will handle a subset of your requirements for you”.  Might have to do with how CSP validates evidence like a DL during enrollment process, may not have anything to do with notification. CSP may take it on, RP may take it on.  Marks understanding is the assessment criteria is whether CSPs deliver on their assurance levels correctly, it is their problem to get identity vendor services to meet those criteria. As an identity service provider, I will look at a subset of the requirements and make a claim to a CSP that I’m providing the service that the subset is covered.  Kantara isn’t in the business of saying which subset a service must provide.
  • Don agreed that the loose definition of relying party is intentional.  Trying to address the needs of a broad based of RPs.
  • Mark – definition of CSP says it may be an independent third party or issue creds for its own use.  When you look at the requir4ements, the CSP has to provide notice, other requirements. Someone who has a use for the identities.
  • Ken Crowl mentioned that Experian has just gone through the validation process for their own parts.
  • Mark confirmed that we’re just doing CSP requirements for now, we will sort out later how they may get applied to subcomponent services.


Agreements


  • Use spreadsheet format to make the review cycles.
  • Integrate DocBook at the end of the process (convert the Excel spreadsheet into DocBook).


Action items

  • The group to review and comment on 63A AAL and IAL 2 documents (KIAF-1430 63A_SAC v0.05 pdf and excel versions) presented by Richard Wilsher before the next call on September 8th