2023-04-27 Minutes
Attendees:
Voting Participants: Denny Prvu [RBC], Mark Hapner, Martin Smith, Michael Magrath [KUMA]
Other Participants: Bryan Rosensteel [Ping Identity]
Staff: Kay Chopard, Lynzie Adams
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval -
Kantara updates
Assurance updates
Discussion:
IAWG Comment Opportunity: DRAFT - NIST IAM Roadmap: Principles, Objectives, & Activities - Due June 1. Mark King circulated his initial observations to the list on Apr 22.
CARIN Credential Policy - primary focus around technical sections (§3-6)
Any Other Business
Meeting Notes
This meeting did not have a quorum; therefore, we were unable to pass the minutes. Some discussion took place and is recorded below.
Michael Magrath announced he was leaving Kuma, effective May 4. He is interested in staying active in Kantara and the IAWG but will become a non-voting member while he gets situated in his new position and will resume attending meetings at a later date.
Denny thanked the group for the work put into the NIST contribution.
Discussion:
Kantara Updates
Shay has left Kantara and taken a position with the Utah state legislation. She was supporting the LC, KIBoD and UK program, so we are currently trying to fill that role. If you need anything in particular, reach out to staff@kantarainitiative.org or to Kay or me individually.
Assurance Updates
Exostar was recently approved for IAL2/AAL2. They become our third organization that has achieved 800-63 approval while maintaining their Classic approval as well. USPS has also recently become a registered applicant. Lynzie provided a brief update on Kay’s work with GTRI to help scale up our assurance program to a more machine-readable format.
Denny highlighted the upcoming conferences. EIC is in Berlin the week of May 8th. Kantara has a four-hour session on Tuesday, May 9 that he encouraged people to attend. Identiverse is in Vegas in late May. Kantara has a session there as well on Tuesday, May 30.
IAM Roadmap
There was discussion around the NIST roadmap out for public comment. Mark King and Martin Smith already circulated some thoughts on the IAWG listserv. Discussions were primarily around Zero Trust and dynamic authorization workload. The group looked forward to further discussions with a potentially larger group.
Lynzie is going to email IAWG with the link to the roadmap and an outline of dates to complete comments:
April 27 - May 18 IAWG members review document, draft, and submit comments to IAWG either via email or added to the Google Doc.
May 25 - IAWG will review submitted comments for approval during regularly scheduled meeting
May 25 - June 1 IAWG leadership will finalize any edits, draft a cover letter, and submit to NIST by the deadline
CARIN Credential Policy
Lynzie provided an overview of how we got to this point with CARIN. We need to develop an overlay of the ‘extra’ criteria in this policy that go beyond our current criteria. The policy covers 63A/B, but it also includes requirements from NIST SP 800-53 Rev. 5 at the moderate baseline, and it contains controls that you won’t find in either NIST SP 800-53 or 63 because no NIST publications consider those controls (i.e., there are no precise NIST requirements for when credentials should expire, but the CARIN Credential Policy specifies expiration dates for different types of authenticators).
Richard Wilsher showed interest following the agenda email earlier this week, but questioned if there would be funding for the work as it’s a large load for IAWG, especially in any expedited manner.
Martin asked if there was a line of business that justifies this work. Kay said it’s already driven in a number of companies. There was discussion around who else might be in this game beyond us and DirectTrust. It seems there is nobody else at this time, but there is concern that if DirectTrust gets this out the door before us, we may lose business to them.
Any Other Business
IAWG will meet next week and revisit these topics since we did not have a quorum today. IAWG is cancelled on May 11 and June 1 due to EIC and Identiverse, respectively.