2023-03-16 Minutes
Attendees:
Voting Participants: Denny Prvu [RBC], Mark Hapner, Richard Wilsher [Zygma], Mark King, Martin Smith, Maria Vachino [Calvert Consulting], Jimmy Jung [Slandala], Michael Magrath [Kuma]
Other Participants: Eric Thompson [Experian], Mike Horkey [NextGenID], Bryan Rosensteel [Ping], Justin Hyde [LexisNexis Risk], Lisa Balzereit [USPS], Mohab Murrar [NextGenID]
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Discussion:
Revision 4 comment review - Draft Comments, Responses to NIST Questions to be reviewed
Any Other Business
Meeting Notes
Discussion:
Revision 4
Reviewed the current list of submitted comments. Comments can be accessed here: SP800-63-4-suite-ipd-comments - IAWG 2023-04-13.xlsx
Richard led the group through the review of comments line by line, picking up where we left off last week. Those who submitted comments explained their rationale and engaged in discussion where warranted. Comments with a similar theme or point were discussed and consolidated for conciseness. Accepted comments are denoted in green as ones that will be included in the final Kantara comment package.
After discussions stemming from last week’s review, there were updates made to simplify the Proofing Type taxonomy (below) and definitions. This also impacts Table 1. IAL Requirements Summary (line 1234).
Discussion revolved around supervised remote, IAL3, and controlled environment. Michael shared from FIPS 210 “Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure.” Lynzie reminded the voting members of the group to speak up if they do not believe any particular comment should be included in the official Kantara submission. The group agreed to keep the comments discussed.
There was a discussion around the FAQs comment submitted, and it was decided to remove it. FAQs are vital, but they need to be accessible and easier to find than they were in rev.3. Maria checked and found that the supplemental resources have already been made more accessible.
Line 442 references “multiple channels for engagement”. Michael, Maria and Richard each had a different opinion on what the term means, highlighting that it lacks clarity. After discussion, the comment was updated to suggest the term “multiple means of access for the applicant” and accepted.
There was discussion around types of identity evidence. I-9 documents were suggested, but Maria objected that they are meant for in-person use and are somewhat out of date. It was agreed, though, that there should be a list of documents, and that a live website/wiki would be much better. The comment was edited to reflect this suggestion.
There was discussion around whether fair evidence is needed at all, the view being that it is more of a barrier than a help. The group agreed it is difficult to meet, and Maria suggested it be removed from IAL2. It could potentially remain available for IAL1 in some use cases, but not at IAL2. Jimmy agrees on the security side but not on the equity side. Eric and Mark King provided supporting examples for removing fair evidence at IAL2.
Another discussion concerned credible source vs. authoritative source. There is some confusion because the two terms have different definitions, yet no criteria specifically address the difference between them.
As time ran out, Lynzie suggested everyone review the comments prior to next week’s meeting so that any comments that are alarming to IAWG members can be flagged. She added a column for people to make additional comments. We will resume this discussion next week.
Any Other Business:
IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed; it is not our intent to overlook anything!