2023-02-23 Minutes
Attendees:
Voting Participants: Denny Prvu, Michael Magrath, Mark Hapner, Jimmy Jung, Richard Wilsher, Maria Vachino, Mark King
Other Participants: Bryan Rosensteel, Lorrayne Auld, Max Fathauer
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval - 2023-02-02 Minutes
General Updates
Assurance Updates
Discussion:
SAC Updates - 1440 reference issue
Revision 4 - comments are due in 1 month!
Any Other Business
Meeting Notes
Administrative Items:
IAWG Vice-Chair Denny Prvu called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Mark Hapner moved to approve the draft minutes from the February 2 IAWG meeting. Michael Magrath seconded the motion. Motion carried with no objections. The NIST call notes are also posted, though they did not need to be approved.
General Updates
IDEMIA is the newest organization on our TSL - Approved at IAL2!
Kay updated the group on Kantara’s proposals to speak at conferences. Two at Identiverse were accepted - one on mobile driver’s licenses (federal agency panel) and one on DEI (KIBoD member with a NIST rep and a UK rep) - and a workshop prior to the conference. Kay is also speaking at EIC in Berlin in May including a 3-hr session. If you are attending any of these conferences and would like to speak on behalf of Kantara - please reach out to Kay!
Kay meets monthly with NIST staff. The agenda differs depending on what is relevant at the time for either Kantara or NIST. If there is ever anything IAWG members would like to be raised, Kay would be happy to do so. She also meets bi-weekly with GSA and offers a similar sentiment. If there is anything they should know or IAWG wants addressed - please send it to Kay.
Kay shared an updated on the CARIN Alliance and the work we are doing with them.
Assurance Updates
March 24 is the due date for all NIST comments on 800-63-4. Same date applies to PIV drafts 800-157-1 and 800-217. Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org by end of day March 9. Specific topics and questions requested by NIST can be found here.
IAWG Timeline:
March 9 - All comments must be submitted to the IAWG (comments_iawg@kantarainitiative.org) by end of day
March 16 - IAWG will share the draft Kantara Comments at the IAWG meeting for review and request any edits, changes, etc be submitted prior to the next meeting
March 23 - Final draft of Kantara Comments will be shared at the IAWG meeting. The comments will be submitted to NIST after the meeting concludes.
Feel free to use the NIST spreadsheet or it's even simpler to input comments into a similarly formatted Google Doc (link here). The Google Doc is separated into tabs for each section (base, 63A, 63B, and 63C) and we'll compile those into the official document after the March 9 deadline.
Discussion:
SAC Updates - 1440 reference issue
The ARB recently discovered when reviewing a submission that criteria #1330 was referencing the incorrect criteria. Currently, it refers to MF OTP Verifiers. When you read the corresponding NIST language, it is obvious that it is to reference SF Cryptographic Software Verifiers. The language of the criteria needs updated from: “Criteria 63B#1040 to '1070 SHALL be fulfilled.” to “Criteria 63B#1210 to '1240 SHALL be fulfilled.” Richard was able to determine that the error occurred between revisions 3 and 4 of the IAF-1440 when some renumbering occurred and the cross-referencing was not updated. Richard shared that this is why Kantara has always displayed the NIST language in the first four columns.
The group discussed whether this was a material change (requiring public comment period) or not. Mark King feels it is correcting an mis-reference and not a material change. Richard agrees with Mark’s statement - it’s an update of a cross-reference and not a change to the criteria. Denny asked how the edit/update is shared with the community. Lynzie will send an email with the new version of the IAF-1440 and an overview of what changed to those who are currently assessed under AAL and all assessors. Additionally, she’d update the materials that are distributed when a new CSP initially reaches out.
Richard moved to update the IAF-1440 as a non-material change. Mark King seconded the motion. Motion carried with no objections.
Lynzie will move forward with the updates and share with the groups mentioned above.
Update: LC approved the motion that the updates were non-material at their March 2023 meeting. Minutes linked here.
Revision 4
We have not received comments from anyone yet. Denny has been cumulating notes that he will format into comments but we are looking for more input for the Kantara submission. More information about the IAWG timeline and submission information is described under Assurance Updates above.
Richard is curious how NIST comments are perceived if they come from both the individual and Kantara. Will it be seen as Kantara backing up an individual or will they acknowledge if it comes from IAWG/Kantara that it represents the comments of a large group of people? Maria believes they tend to weight the responses from agencies and organizations, such as Kantara, more heavily than those of individual contributors. They weight the contributions of private sector companies somewhere in between individual and agencies. She believes anything we can agree on collectively should be included as it will carry a greater weight - but is not suggesting individuals should not send in their comments as well if desired. Additionally, the more specific the comment can be - with an alternative option - is the best type of comment and one that NIST is likely to consider. Comments need to be actionable.
Richard shared his frustration that NIST hides behind the term ‘guidelines’ rather than requirements. Though Bryan reminded the group that they are indeed requirements for federal agencies, not guidelines. They need to embrace that. FIPS 201-3 expressly calls out 800-63; supplementally 157-1 and 217 both do as well. They all say you must follow this document - making them requirements, not guidelines. Guideline diminishes the significance of what they are trying to achieve.
Richard express a desire to see clear separation between normative expressions and guidance in the documents - either with different fonts or margins - but something that makes it clear what must be done and what gives the why. It’s not an easy document to read. Lorrayne agreed it’s difficult to read and requires one to follow various threads to understand what is being conveyed - involving going back to the base volume for context. Additionally, she pointed out that the equity overlay appears to have softened some of the requirements which she feels may have been unintentional. MITRE has a big concern about that.
Richard shared a concern about the language NIST uses about the different proofing types - they need a standard taxonomy. It needs to be standardized - explicit terms that have a very particular meaning will provide great clarity. Richard shared this diagram as a starting point:
The proofing is either supervised or isn’t (unsupervised). If unsupervised - call it unsupervised as a simple statement of fact. The use of the word remote is misleading. Under supervised - in-person is clear as the person is physically present. You could have two other modes of supervised proofing - remote in the sense you don’t know where the individual is or what type of devise they are using or designated in the sense the individual is at a designated location and you know more about the technical capacity there (a kiosk). In that instance, you know exactly what is going on with more control as the CSP. Jimmy agrees that remote/ undesignated is needed - at least from Kantara’s client’s perspectives - but isn’t on NIST’s radar. Bryan’s concern with supervised remote/undesignated isn’t necessarily stating it’s remote, but that it’s not at a specific office. There is a distinct difference between having the documents in your possession as a trusted agent versus having document verification that is going to go over a camera/digital medium as the id proofing authority.
Denny shared a recent conversation with NIST where Ryan Galluzzo asked ‘how do you know if the equivalent of undesignated is also trusted?’ because you could have someone doing proofing but we don’t know what they are doing on the backed (following appropriate procedures). Richard feels designated is trusted. Remote/undesignated is not that. Not knowing the location and hardware is the differentiator between remote and designated. Regardless it is supervised. Jimmy feels it really comes down to how NIST focuses on it - which is currently who owns the hardware.
NIST needs to use specific proofing type names for clarity. Bryan agrees with this. Bryan is disappointed in the lack of alignment between NIST documents that are supposed to rely on one another. When people say they can’t do IAL3 remote - Bryan always refers to the fact that FIPS 201-3 allows it. If HSPD-12 says we can do remote identity proofing for PIV - then we should be able to do it from an 800-63 standpoint. From a FIPS-201 perspective, it’s allowed, even if it has not been successfully done. We should call out the need for parity between these documents. The group agrees there may be better terms than designated, remote, undesignated while keeping the context the same.
Beyond this, Richard questioned the reason that an expired driver’s license cannot be accepted. The expiration denies you the privilege of driving on the streets, not of your identity. So in the case of physical presence, could we accept an expired document? Would there be a benefit of that? Are there other ways that requirements for validation could be rolled back? Could it address equity concerns? Mark King feels it sounds reasonable. But the permissions can be aligned with the services on the backend to confirm the details/ revoke the credential that might go away with that expiration. Mark highlighted a recent change in the EU where 10 years maximum after a doc is issued is all that is accepted. It has caused trouble with passports from other countries. There are specific legal requirements that may say 10 year max that one might not be able to get around. Richard thinks whether the individual is in person or not would be a differentiator. Richard acknowledges accepted practice but questions if it is necessary.
Any Other Business:
IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!