2022-06-30 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark King, Mark Hapner, Maria Vachino, James Jung, Michael Magrath
IAWG Members: Eric Thompson
Guests: Matt King

Proposed Agenda

  1. Administration:

  2. Discussion:

    • Assurance Program - finalize discussions

    • Process for addressing assessor/field reports on new methods not covered in 63-3

  3. Any Other Business

Meeting Notes

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

Minutes approval: Mark Hapner motioned to approve the draft minutes from the June 16 IAWG meeting. Martin Smith seconded the motion. The minutes were approved unanimously.

General Updates:

Identiverse happened last week. The Kantara overview session went well and was well attended.

Mark King attended a Zoom session where Kay was part of the British All-Parliamentary Group on identity. He also mentioned a new paper out - Paving a Digital Road to Hell. Interesting read with insightful observations.

Discussion:

Assurance Program - Classes of Approval/Service Descriptors Continued

Lynzie has not received the Trust Mark drafts yet. Will share when ready. Plan to be a simplification with the exact approvals listed.

IAWG leadership and KIBoD representatives have scheduled a planning meeting to begin discussion on holding the Relying Party Feedback meeting for input into NIST standards. Leadership will report back to IAWG with next steps after the July 8 planning meeting.

Richard Wilsher raised some questions via email after the previous assurance program discussions. He addressed our plan to drop the word “full” and replace it with each of the functional services. Blake Hall, ID.me, suggested keeping the word full in the descriptor to make it explicit. He believes it is particularly important for the public TSL to display this as viewers do not have the complete context of the approval like the IAWG does. Andrew believes this should be an okay modification.

The next email topic of federation authority will take additional reading/research. Federation authority refers to what a federation would need to do - it is not the same as NIST 800-63-3C. C is about security of transitions - not authorities. Will revisit this.

There was a brief discussion on relying parties and the need to have them get officially ‘approved’ as a relying party through Kantara. Richard feels it’s unnecessary and Andrew can see his point. Mark King pointed out that it is a U.S. specific need as Europe has already established requirements.

A recap on the technical class of approval reiterated some uncertainty on its future. The assurance program will continue to alert people of this. The biggest overhaul will be in rev. 4, but we will need to have an interim period in advance of 63-4. Rev. 3 will be valid for one year after publication of rev. 4, but people can get approved for 63-3 during that year, meaning we’ll need something in place to close that gap. Jimmy argued that there are concerns we should care about but we should ensure we don’t cast the net too wide. He also argued that ISO 27001/FedRAMP/SOC 2 would not fully cover the CO_SAC, so equivalences wouldn’t fully address the issues.

IAWG intentions for technical class of approval: 1) phase out technical, 2) embed specific CO_SAC criteria into current SAC sets, 3) allow equivalences where applicable, 4) do this in conjunction with 63-4 updates. There will be a time period where that criteria is not available, so we will need a statement on what we will require/request during that time period. Eric reminded the group that the CO_SAC should remain version agnostic and for that reason there is value in keeping it separate from the 63-3 SACs.

Beyond Richard’s questions, IAWG needs to address how long we keep schemes available. Martin believes it will take us a large portion of that one year to publish our updated 63-4 criteria, so we might as well retire 63-3 approvals once our 63-4 is effective. Eric provided a use case where Classic approval is desired beyond ECPS as an argument for continuing to offer Classic. There is still an active market out there that wants Classic. Jimmy concurred. Andrew asked to do a market use survey of the current CSP companies, and others broadly, to see if there still is a market for Classic. Michael suggested cutting ties with Classic at the implementation of 63-4 (2024 Q1) and publicizing that date in advance so people know it is coming. This is an open issue.

Process for addressing assessor/field reports on new methods not covered in 63-3

If a CSP/service applicant does things in a way not listed in the NIST guidelines but they believe it meets the outcomes required, can they get a pass? Currently, no, because NIST does not list it that way. Andrew would like to see if IAWG and/or Kantara has a way to process these types of requests, since there is a lag between NIST guidelines and developments in the industry. We’ve been referred a case from PROVE Identity about using SIM cards as strong evidence.

Eric sees a challenge in approaching this since there is not a baseline, only stated control requirements to compare against in 63-3. How can you prove equivalency?

Andrew asked if we should deal with it or just stick with NIST standards. Are we exposing ourselves, our customers, and their customers to unacceptable risks if we don’t allow new methods? Eric feels the only approach is figuring out what measurements are associated with the outcomes, to then be able to show equivalency and display both sets of data side by side. Short of that, it’s just argument for argument’s sake without that baseline. Through a standard framework of measurement the possibility is there, but short of that, there isn’t.

Martin suggested the person proposing the alternate be the party responsible for asserting the comparison data. Maria agrees the problem is the lack of data and that there isn’t a good mechanism to get the data. There is an appetite for being able to have compensating controls evaluated independently by an organization. Andrew asked if we have a sense of what that data is and where it might come from. Could we do a research project to figure out the baseline? Maria believes the idea would be that all agencies implementing NIST 63 standards should be required to collect data on the controls they’re using, the fraud they’re seeing, and the reasons for the fraud, and report up to have the data compiled there. Academic programs can only do so much for understanding what types of fraud can get through this type of system. Due to time, this will be held over to a future meeting.

Any Other Business