2023-01-26 Minutes

Attendees:

Voting Participants: Denny Prvu, Martin Smith, Michael Magrath, Richard Wilsher, Andrew Hughes, Mark Hapner, Jimmy Jung
Other Participants: Mark Aaronson
Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1. Administration:

  2.  Discussion: 

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Vice-Chair Denny Prvu called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes Approval   

Mark Hapner moved to approve the draft minutes from the January 5 IAWG meeting. Michael Magrath seconded the motion. Motion carried with no objections. 

General Updates

Andrew and Kay debriefed the joint industry meeting from earlier in the week. They were both encouraged that NIST seems really interested in getting feedback from the field. Kay and Andrew also used this time to recruit heavily for Kantara.

Lynzie shared some IAWG specific updates:

  • beginning February 16, the IAWG calls will move to 12:00 pm ET

  • all questions/topics for the February 9 NIST meeting must be submitted by the end of the meeting on February 9. Lynzie will leave time on the agenda to collect comments from the group but please feel free to submit them early to her via email.

Assurance Updates

March 24 is the due date for all NIST comments on 800-63-4. Same date applies to PIV drafts 800-157-1 and 800-217. Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org. Specific questions from NIST can be found here.

Discussion:

Revision 4

The revision 4 wiki space has been updated with some important dates and links. Please keep an eye on it.

Denny will be posting a table for comments on that page. Feel free to update the table with comments and indicate who the comment is from for any follow-up questions. If you’d prefer to just dump comments free form, please use the email address comments_iawg@kantarainitiative.org and we can format them for you.

Martin asked what the implications were for us if NIST decided to cite FIDO in the publication. There was discussion around whether or not FIDO was specifically named. Upon completing a search through the four volumes, Michael could only find where FIDO was referenced in a question to respond to and that should not lead one to believe FIDO will be named in the final publication.

  • Are emerging authentication models and techniques – such as FIDO passkey, verifiable credentials, and mobile driver’s licenses – sufficiently addressed and accommodated, as appropriate, by the guidelines? What are the potential associated security, privacy, and usability benefits and risks?

Richard asked about how final this draft is considering its title ‘initial public draft’. It was shared in the January 12 webinar that NIST is considering putting out a subsequent draft on all or any individual volume of this release. It will be dependent on the comments received during the public review period. Andrew does not believe there will be a second draft, rather anything not addressed in revision 4 will be focused on in revision 5. Jimmy believes we should slam them with every comment we can think of - while we have the opportunity. The group, as a whole, seemed to agree with this move.

Topics that came up in discussion that might warrant further discussion with NIST:

  • Very little discussion about equity and how that was achieved - and whether the standard is sufficient for it. The impression was that there wasn’t much interest or focus on it in the discussion at all. Issue with proofing - allow someone who was already proofed at the target assurance to act as a local credential for the applicant. That person does not need to be employed by the agency or CSP. (noted by Mark Hapner, Michael agreed; Richard also addressed equity). Andrew noted that some questions can/should be formulated from this to shape up their thinking on this topic and allow us to query the basis for some comments. What do you see as the regulatory/legislative imperatives, and how do they intersect with 800-63?

  • The focus on biometrics is primarily as a means of locally unlocking the authenticator - and when they start talking about biometrics captured by the service, the spec is weak - from an equity perspective. (noted by Mark Hapner, Michael agreed).

  • The bar being too high for Level 1 when it comes to E&I - shutting out a significant part of the population. (noted by Michael).

  • The difficulty of parsing out the normative text from the actual standards that a CSP is required to do. Should we suggest how to edit? (noted by Richard). Andrew feels like there is an internal struggle between writing a narrative for guidance versus explicit standards to follow. They’re stuck between prescriptive and objective - it needs to go further into the objective tone.

  • What is the perspective of the comments we are offering? Are we looking for clarity since IAWG has to ultimately turn this into criteria? Then we need to ask for that. I see this requirement - how would I test this? I don’t know what you mean? We need to go beyond the text and ensure IAWG is prepared to write the criteria once published. (Jimmy noted).

  • As the levels have shifted as they have, did they leave enough room for non-government Kantara clients (who may or may not play in the government space) to work within these standards? (Jimmy noted). To extend this beyond the current NIST conversation, Andrew pitched that IAWG could write vertical profiles to 800-63 for those non-government CSPs (healthcare, etc). This makes it clearer for Kantara customers to know what they need to meet. Richard believes that to pursue that, we need healthcare people involved in the writing of these profiles. Andrew agreed.

  • There needs to be sufficient clarity when they talk about different proofing types (Richard noted). Missing a simple taxonomy of proofing types and using those taxonomical names consistently throughout the guidance. Be specific in the terminology and consistent use of it throughout. Andrew agrees there is a lot of jargon in the text as a whole that needs to be noted for them.

Decision on how to respond to NIST calls for comment – (PIV ~ 800-157 rev.1 & 800-217)

Andrew believes we should seriously look at them and come up with some type of response to these drafts. Andrew Regenscheid is a common author on these two drafts and the revision 4 draft. If anything, it’s an area where IAWG can point out areas that might be conflicting with one another and not harmonizing with revision 4. Richard feels differently. If 63B is leaned on by PIV then it might be a case to pay attention to these documents, but currently there is only so much time in the day. Andrew reiterated just to read them and if we have stuff to comment on, then a way to do so can be determined.

Any Other Business:

The next scheduled meeting will be February 2, 2023.

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!