2023-03-02 Minutes
Attendees:
Voting Participants: Denny Prvu, Michael Magrath, Mark Hapner, Jimmy Jung, Richard Wilsher, Mark King, Andrew Hughes
Other Participants: Bryan Rosensteel, Justin Hyde, Max Fathauer
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Administration:
Discussion:
Revision 4 - comments are due to IAWG on 3/9! Send to comments_iawg@kantarainitiative.org
Any Other Business
Meeting Notes
Administrative Items:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Jimmy Jung moved to approve the draft minutes from the February 23 IAWG meeting. Michael Magrath seconded the motion. Motion carried with no objections. T
General Updates
The IAWG chairs met with assessors and the ARB last week. The meetings, which happen 3-4 times per year, are meant to identify any areas for improvement and act on that. ARB is looking for more rationale from assessors when appropriate - but didn’t define when appropriate is. General consensus seems to be that if the ARB is following up with a long list of questions, rationale is likely warranted. Sampling evidence or something to substantiate. A reasonable, clear baseline of what the assessor is auditing. Richard noted that the ARB wanted help with understanding how a finding is reached when there were inconsistencies - and where there were judgmental calls. They are requesting more understanding why an assessor went one way or the other when it’s not cut or dry. Overall, more understanding of why a finding came about - whether conformant or not. Now that IAWG is more aware of that issue, it may be easier to engage. With feedback from CSPs and assessors, we may be able to make some suggestions for more structure in certain areas. Lynzie added that an area for this group to focus on is making the T5 tables more user-friendly. Currently, the tables are confusing and open-ended - so potentially streamlining that into more of a standard format.
Kay provided updates on the upcoming conferences where Kantara will either be present or presenting.
Assurance Updates
Revisiting last meeting’s discussion on 63B#1330 and the misaligned reference - upon further review I found another instance (#1420) where the same misaligned reference is noted. I’ve since corrected it. This led Richard and I to carefully check other references and we found a number of instances where something similar had occurred. They will all be corrected in the upcoming release of v4.2 (other impacted criteria - #0390, #00820, #1290 #1380). Andrew believes LC needs to approve it prior to publication and distribution.
Discussion:
Revision 4
It was discussed that comments are coming in mostly around 63A. In regards to 63C, it appears people are spending more time focusing on the NIST 217 draft related to PIV.
Richard has formulated his views on the categorization of identity proofing levels and will include that in his comments for this group to review in a coming meeting. Andrew posed would it be a good idea to say to ‘NIST, we have determined a certain way to do something’ (i.e., proofing categorization, identity evidence). Richard thinks it should be anything used for I9 - it’s comprehensive and widely adopted. Jimmy believes if there is something we want to see in there - we must say it! He wants more specificity. But, saying we do it this way and we think you should too could cause issue. Suggestions are good though.
Lynzie noted that in Jimmy’s submission of comments, he listed some Kantara specific comments for our internal discussion while moving forward with revisions to the SACs. She encouraged others to do the same - identify anything we should keep in mind as we move forward through this process.
Jimmy raised the issue that after reviewing -4, it appears our interpretation of supervised remote from -3 could be incorrect. It seems clear it was never meant to apply to IAL2. If he can find the justification in -3, he’ll send an email to the group if we want to make that update. The supervised remote requirements we say are applicable to IAL2 and IAL3 - but -4 makes it seem they were never meant for IAL2. Going back to -3 now, it seems a bit clearer – though not clear. Andrew clarified that supervised remote requires that it is CSP hardware. Jimmy confirmed that is the sticking point. The Kantara interpretation is different than what Jimmy sees in the federal space. Jimmy will try to look into it further with justification for us to revisit.
Jimmy’s follow up email: Following up on my little rant about the applicability of 5.3.3.2 Requirements for Supervised Remote In-Person Proofing in SP 800-63-3, which are captured in Kantara criteria 63A#0520 - 63A#0580, and applied to IAL 2 and 3. I believe they should only be applied to IAL3.
Part of the confusion is the result of the term being used (superfluously, I think) in the IAL2 criteria in section 4.4.1.
In 4.4.1.6, 63-3 refers to three types of proofing: “in-person proofing (physical or supervised remote)” and “remote proofing (unsupervised).”
“Unsupervised”, I believe is well understood. “In-person” and “Supervised” BOTH mean with a CSP operator; with one case being physically co-located and the other being remote
(to clarify this confusion, in my comments to 63-4; I suggest sticking with the well understood term “unsupervised” and removing the redundant and sorely abused term “supervised,” and instead consistently using the phrase “with a CSP operator.” This also would get rid of the regrettably awkward phrase “in-person remote,” and replace the incredibly confusing phrase “Supervised Remote In-Person,” with “remote with a CSP operator.)
Section 4.5 requires identity proofing at IAL3 be performed in-person (to include supervised remote).
Section 5.3.3 specifically refers to the Supervised Remote In-Person requirements in the context of IAL3, saying In-person proofing at IAL3 can be satisfied with “A physical interaction with the applicant” or a “a remote interaction with the applicant, supervised by an operator, based on the specific requirements Section 5.3.3.2.”
Section 5.3.3.2 specifically refers to IAL3, “Supervised remote identity proofing and enrollment transactions SHALL meet the following requirements, in addition to the IAL3 validation and verification requirements specified in Section 4.6:”
(In truth, I don’t really know if they meant section 4.6, enrollment codes appear to apply to both IAL2 and IAL3 – or 4.5, the IAL3 section.)
(I would also note that by calling put IAL3 in both 5.3.3 and 5.3.3.2, it is very unclear if 5.3.3.1 is intended to apply just IAL3 or all in-person proofings, certainly inspecting the fingers before you capture prints seems reasonable at all levels.)
Informative Section 4.7 summarizes the presence requirements to say IAL2 is performed “In-person and unsupervised remote” and IAL3 is performed “In-person and supervised remote.” This suggests that IAL2 remote proofing can ONLY be performed unsupervised, which doesn’t quite seem logical and also contradicts the discussion of “in-person proofing (physical or supervised remote)” in the IAL2 sections
Since the Supervised Remote In-Person Proofing requirements are specifically and only referenced as part of IAL3; a position, I think 63-4 tries to make even clearer - I think Kantara criteria 63A#0520 - 63A#0580, should not be applied to IAL2
On the other hand, while this does impact some of our clients, they have worked around it, but it’s not quite graceful. Even if you agree with my thinking, it may still be worth discussing, if the juice is worth the squeeze of a KIAF-1430 update.
Richard raised the issue of a live operator - its messy in -3 and doesn’t get better for -4. Now there is an applicant reference in -4. We need a standard understanding of the role and the requirements.
Any Other Business:
IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!