2023-05-25 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Denny Prvu [RBC], Mark King, Richard Wilsher [Zygma], Jimmy Jung [Slandala], Mark Hapner, Martin Smith
Staff: Lynzie Adams
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval -
May 18 DRAFT Minutes (non-quorate meeting)
Kantara updates
Assurance updates
Discussion:
Updates: DRAFT - NIST IAM Roadmap: Principles, Objectives, & Activities - Extended to June 16 & CARIN Credential Policy.
KIAF 1050 - Glossary and Overview - updates done by IAWG in 2021 were never approved. We've reviewed but haven't had a quorum to vote; plan for the future of the document.
IAF Criteria Updates - areas for discussion and action on current service assessment criteria
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Jimmy Jung moved to approve the draft minutes from the May 4th and May 18th IAWG meetings. Denny Prvu seconded the motion. Motion carried with no objections.
Kantara Updates
Lynzie provided an update on Kantara’s presence at Identiverse. No IAWG meeting on June 1 due to Identiverse.
Denny highlighted a recent interview with Maria Vachino discussing the crucial importance of biometrics, equity, and trusted certification in identity. Interview can be viewed here.
Assurance Updates
Andrew noted that the Standards Council of Canada (SCC) is piloting a conformity assessment program against a digital credentials standard. Kay has reached out to SCC to see how we can participate in the pilot and how we can get our assessors introduced.
IAM Roadmap
The deadline was extended to June 16. This gives us an extra meeting to finalize our comments.
Denny is collecting comments and working on compiling our draft. He will share it in an upcoming meeting. If you want to submit additional comments, do so soon!
CARIN Credential Policy
The policy is now shared on the wiki - you can find it here.
Lynzie updated the group on her call with CARIN the previous week. There continue to be several unanswered questions on what the expectation is for Kantara. Ryan (CARIN) and Kyle (DirectTrust) offered to meet with a group of us if desired. Kyle did update the group that DirectTrust will have the ‘entire package’ out the door in January. The positive to that is that even with our IAWG/LC approvals, open comment period, and all-member ballot, we have until late September before we need to have something finalized from this group.
Andrew had a different interaction with them, and what he gathered is that this policy is essentially an amalgam of PKI and non-PKI identification systems. Richard pointed out that the Kantara requirements for CRP, as expressed in the CO_SAC, are derived from RFC 3647. Kay and Andrew agreed. Kay further explained that she has recently met with HHS and GSA about their expectations for vendors to have Kantara Approvals. They are treating DirectTrust PKI certifications and Kantara Approvals as two separate things - as they are. She’s concerned that if agencies make a blanket purchase agreement and we create something different, we might make it more difficult for vendors to get on GSA schedules and other lists. Richard suggested ensuring they add a specific class of approval on that purchase order agreement (800-63-3). Kay noted that they are pushing for IAL/AAL, but can get them to spell out the class of approval.
Jimmy believes our (non-PKI) part in this is potentially very small – the IAL part is 2-3 pages of section 3.2.3.1 - likely similar for AAL. Andrew thinks we need to determine how different the CARIN policy is from the NIST guidelines. He believes CARIN is trying to produce a ready-supply of vendors into the TEFCA space. Martin asked if healthcare is going to require IAL3 - we aren’t sure at this point but are currently okay at IAL2. There’s not huge interest in the pipeline at the moment for IAL3 approvals. Jimmy reiterated that Kantara should have a conversation with CARIN to see what (if anything) was promised and what we want to have promised to that group.
Andrew summarized that the ultimate outcome - and working backwards - is that EHR vendors and federated providers are able to find a sufficient supply of CARIN oriented/approved/certified id proofing and authentication providers in the marketplace. To get to that point, we need CARIN to say what it is they endorse (the credential policy that was written, likely) and Kantara needs to decide
do we want to serve the market targeted by the CARIN alliance directly?
or just part of our general service offering? And is that different than what we do today?
Further, Richard said we need to consider if there is anything beyond what our criteria presently has. And can it be accommodated by adding a profile?
Andrew prefers just having a webpage for CARIN people to help them through the process - our current process with a rationale that they are pursuing this for CARIN/TEFCA.
Jimmy scrolled through the table of contents to identify which sections are PKI based and which cover what we do - Sections 3 & 4, some of Section 5. If CARIN is asking Kantara to provide something that complies with this entire policy - that’s a lot of work - and it’s PKI policy, which is beyond us. We don’t assess any of Section 6.
Mark King asked if minors were considered. It was on the CARIN agenda last week, but the group didn’t get that far, so it’s unknown what their plan is.
After the lengthy discussion, Andrew noted he does not want to make a Trust Mark for the credential policy as it is now. It’s a PKI certificate policy and most of it is out of scope for us. Richard mentioned offering a class of approval that accommodates variations we wouldn’t want others jumping into - ones that are healthcare/CARIN specific.
Due to time, we could not move further on the agenda.
Any Other Business