2023-05-18 Minutes

Attendees:

Voting Participants: Denny Prvu [RBC], Mark King, Richard Wilsher [Zygma], Jimmy Jung [Slandala], Mark Hapner
Other Participants: Lisa Balzereit [USPS], Mike Magrath [Easy Dynamics], Lorrayne Auld, Nathan Faut, Chris Olsen
Staff: Lynzie Adams

Proposed Agenda

  1.  Administration:

    • Roll call, determination of quorum

    • Minutes approval - 

    • Kantara updates

    • Assurance updates

  2.  Discussion:  

    • IAWG Comment Opportunity: DRAFT - NIST IAM Roadmap: Principles, Objectives, & Activities - Due June 1. Due to IAWG May 18. Current comments here.

    • CARIN Credential Policy - update

    • KIAF 1050 - Glossary and Overview - updates done by IAWG in 2021 were never approved. Review & vote on set of updates; discuss plan for future document. 

  3. Any Other Business

Meeting Notes 

Discussion:

IAWG Vice-Chair Denny Prvu called the meeting to order.  Roll was called. Meeting was not quorate - Richard Wilsher joined late and Mark Hapner dropped early, preventing quorum.

Minutes Approval   

n/a due to quorum. 

Kantara Updates

Kantara presented at EIC in Berlin last week. Denny provided a brief update about the presentation. The Open Wallet Foundation approached Kantara about working with our group to make some governance and some documentation around how to use open wallets for identity verification. There was a lot of interest around 800-63-3 identity proofing, deep fakes were on a lot of people’s minds. Raised awareness and interesting topics. Andrew proposed a discussion group on the topic to the LC.

Mark King asked about the status of Kantara Europe - it was originally set up to work on an EU project. Does it still exist? Do we work through them? Are they coordinated with what we are doing? Lynzie was able to provide a little insight from discussion with the KIBoD in 2022 and knows the relationship no longer exists but doesn’t have details. When Kay or Andrew join an upcoming call, they might be able to share more on the status of Kantara EU.

Assurance Updates

JakobsenID was awarded RTO approval as an IAL2/AAL2 service. The ARB is working steadily on updates to the Service Approval Handbook while simultaneously considering this group’s recommendations sent to them in the fall. They’ve accepted getting rid of the term partial. They are accepting of the new definitions of full service and agree with the component service definition, but would like to see it more specified with the full service language (i.e. manages and controls). The simple guide is live on the website. But the biggest point of discussion right now is the recommendation to get rid of Ready-to-Operate. Back in November it was suggested that it was rarely used and complicated things. The ARB agrees with the complications it can introduce, but the market demand for a pre-flight/RTO assessment is growing rapidly. They’ve suggested that Kantara needs to make a business decision on the best way to move forward with these types of assessments. Mark King echoed that getting rid of that type of assessment is an oversimplification of the process. He noted, and it was noted by ARB, that the process of a Stage 1/Stage 2 assessment might be an avenue to explore. The need to revamp is also in response to the growing program and the reasonable workload that the ARB can handle. Moving these types of assessments outside the scope of ARB would be beneficial to their workload. Any ideas from this group would be welcomed!

Denny brought up that people at EIC were asking how to get on our Trust Status List. They must go through the Assurance Program. Mark King noted that from the European perspective there is an agreement under the IAF that these things are to be recognized internationally. Not sure of the exact details, but if you were approved by the relevant US authorities, that is good enough in other countries as well. Mentioned it might be worth looking into the interoperability. This was discussed in IAWG about two years ago. He shared a link to find more information: https://iaf.nu/en/home/

CARIN Credential Policy

Lynzie shared there isn’t much of an update on this. She has a call with them at 4pm where she’s hoping to get more information by asking what the expectation is. There are some internal discussions happening but it’s not moving us forward in the project. Denny suggested getting a ‘nice-to-have’ for deliverables. Knowing what they wanted would help us get the task started. Mike Magrath pointed out that when rev. 4 releases, that will take precedence over CARIN for the IAWG. Supports why it needs to be done outside of IAWG. Mike thinks they are looking for a customized version of the KIAF 1430 & 1440, which could potentially be an expectation for a CARIN-specific class of approval. Mike further asked, if a vendor has a Kantara Trust Mark, a (recent) 800-53 assessment, or FedRAMP - why that wouldn’t just be accepted by CARIN - the combination of those. Mike feels like the main question here is from a TEFCA/HHS standpoint: is a Kantara Trust Mark as-is approved by HHS for TEFCA? CARIN Alliance is an alliance, but it’s not a regulatory body. That’s a question for Adam McBride. How necessary is a special CARIN Alliance trust mark for TEFCA? Or is the existing 63-3 Trust Mark accepted by TEFCA? CARIN is just pushing their own thing. If CLEAR has a 63-3 Trust Mark, do they have to do something else? TEFCA calls out IAL2, not CARIN IAL2. We have IAL2. That’s the discussion that needs to be had with Adam. Further, Richard is curious on the size of the market and whether it is worth the effort. Mike and Lynzie confirmed it is a big market - the US healthcare system now requires IAL2 to access & exchange electronic health records. Richard said it could potentially be some type of profile, rather than a discrete class of approval. Jimmy pointed out that if you want to be IAL something, we have that covered. If you want something else, what is that expectation (IAL2 + CARIN?).

IAM Roadmap

Lynzie emailed IAWG with the link to the roadmap and an outline of dates to complete comments. She reviewed that timeline in the meeting:

  • April 27 - May 18: IAWG members review the document, draft, and submit comments to IAWG either via email or added to the Google Doc

  • May 25: IAWG will review submitted comments for approval during the regularly scheduled meeting.

  • May 25 - June 1: IAWG leadership will finalize any edits, draft a cover letter, and submit to NIST by the deadline.

Individual comments have been submitted and Denny is working on compiling. Will share in upcoming meeting. If you want to submit additional comments, do so soon! Andrew heard the deadline would be extended, though that has not happened as of this meeting.

KIAF 1050 - Glossary and Overview

Without quorum a vote could not take place. Lynzie did review the updates she made with an ‘updates in this revision’ section. Richard will review to see if anything else was updated. It was confirmed that v1 was published Jan 10, 2019. Was version 1 a relational-order glossary though? This current version will be v3.

Denny asked about a document retention policy. It doesn’t seem there is anything official - but Richard Wilsher and Richard Trevor both have great historical records that Lynzie relies on heavily. Richard suggested we should create an information security policy. He could put his history in a dropbox (2k documents) for Kantara access in the future. Lynzie will look to see if we have anything in the documents and if not create something.

Any Other Business

Mark Hapner addressed the publicity about social engineering of stealing iPhones and identity through iPhones - which would likely apply to Android as well. It involves people in bars or other busy public places having their PIN viewed and then later the phone is stolen. Even with Face ID, one can try and get the phone handed over while surreptitiously restarting the phone, which then requires the PIN. Sophisticated enough to go in and take over the Apple ID, which changes the recovery codes for the phone. Victims cannot get their identity back from Apple. If you’ve lost the recovery code, you cannot get the Apple ID back. It hasn’t penetrated much, but things like WebAuthn require the phone to store the credential. The phone is already the store for a whole host of credentials. Is there discussion about this from an authentication perspective? Are there other authentication strategies that rely on what people felt were secure credentials (i.e., phones as the repository for credentials)? Denny said it was addressed highly at EIC. Norwegian countries rely heavily on their phones so they’re very involved in this, but it doesn’t seem to have moved to NA yet. It’s an ongoing threat that will move this way.

The next few weeks will be focused on the IAF criteria. The longer list will be shared in advance of the next meeting, including the discussion raised by Richard in an email thread this week.

Next meeting May 25.