2023-02-02 Minutes

Attendees:

Voting Participants: Denny Prvu, Martin Smith, Michael Magrath, Andrew Hughes, Mark Hapner, Jimmy Jung, Richard Wilsher
Other Participants: Mark Aaronson, Juan Rodriguez, Tim Chang, Scott Perry, Stuart Young
Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1. Administration:

  2.  Discussion: 

    • Preparation for NIST call re: 800-63 rev. 4

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes Approval   

Mark Hapner moved to approve the draft minutes from the January 26 IAWG meeting. Jimmy Jung seconded the motion. Motion carried with no objections. 

General Updates

Kay shared that the new Board met for the first time and elected officers - including Andrew Hughes as Board President and Michael Magrath as Board Secretary. Other officers will be elected at the February meeting along with identifying priorities for the year. Additionally, Kay is in the process of submitting proposals to a variety of conferences around the globe.

Assurance Updates

March 24 is the due date for all NIST comments on 800-63-4. Same date applies to PIV drafts 800-157-1 and 800-217. Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org. Specific questions from NIST can be found here.

Discussion:

Mike Magrath raised the question of whether gun permits are permissible as FAIR evidence according to 63a. It was brought to him by a company, but he was unable to find information in the implementation resources, and permits vary greatly – some with photos while others do not.

Richard Wilsher noted that the onus is on the CSP to demonstrate that their choice of admissible evidence meets the requirements of Table 5-1, and that it is the assessor’s job to determine whether that is a valid assertion. Michael feels the ARB can override an assessor. Jimmy feels we are bound to the implementation resources table. It’s difficult given how the different states issue them and lay them out. It’s beyond just the photograph – it’s the binding and the evidence collecting along with data verification. Gun IDs with photo do get accepted for PIV cards (inconsistently), but that is not outlined in 63a guidance.

Michael suggested including this in the revision 4 comments. Andrew believes if the evidence matches the requirements, then we could write it down as guidance to the assessors (or whatever the conditions are). MITRE has also provided some examples. But the basis has to be the evidence compared to the requirements.  

Jimmy previously commented he wants Rev. 4 to identify the level of assurance that each of these IDs provides (Superior, Strong, etc.) for the commonly shown evidence, including everything on the I-9 list. A client of Slandala shared: SP 800-63A: Identity Resolution and Evidence Collection, which leads Jimmy to avoid Table 5-1 by saying his client will give this list to his proofers and they will collect evidence based on this list. However, the list is not in Rev. 3 but rather in the implementation guide, so it’s still unknown how the ARB will respond. Richard sees some issue with relying on guidance rather than normative language but hopes it makes sense.

Andrew suggested next steps: Relative to Mike’s request, somebody needs to do a checklist of the requirements for Strong and whether the evidence fulfills them or doesn’t, and then the same with Fair. Jimmy agrees and thinks the arguments could likely be made for Strong (with photo). Further, we need to include in our comments that if Kantara’s participants believe gun permits fit the requirements, that they be included. Jimmy would like to see the implementation guide table inserted into the actual guidelines. NIST has been hesitant in the past as an attempt to keep prescriptiveness out of the guidelines. Mike was tasked with completing the T5-1 table for gun permits (with and without photo).

Preparation for NIST Call

The group spent the remainder of the meeting preparing topics of discussion for the NIST call. The following document was drafted from these discussions and submitted to NIST.

Any Other Business:

The next scheduled meeting will be February 9, 2023. NIST is joining us for a 2-hour session focused on the questions generated in these minutes regarding Revision 4.

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!
