2022-07-07 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, Maria Vachino, James Jung, Michael Magrath
Staff: Lynzie Adams, Kay Chopard

Proposed Agenda

1. Administration:

   • Roll call, determination of quorum

   • Minutes approval - https://kantara.atlassian.net/wiki/spaces/IAWG/pages/16842784

   • General Updates

   • Assurance Updates

2.  Discussion: 

   • CS1 - ISO31000 Publication

   • SAC Approval Status Update

   • Assurance Program - Trust Mark Mock-Ups, finalizing language, definitions, etc.

3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes approval:    Michael Magrath motioned to approve the draft minutes from the June 30 IAWG meeting. Mark Hapner seconded the motion. The minutes were approved unanimously. 

Agenda: Richard Wilsher asked to add “Application of ISO 31000 for Assessment Identity-Related Risk” to the agenda for brief discussion. It was added.

General Updates: n/a

Assurance Updates: NIST request for comment on zero-trust architecture open if interested. It can be found here.

Discussion:

ISO 31000 Publication

Richard shared “Application of ISO 31000 for Assessment of Identity-Related Risk” as potentially something Kantara might be interested in reviewing. There is an ISO work group within Kantara that looks at this type of document - you must be a member of Kantara to be in this work group. If interested, send an email to staff@kantarainitiative.org asking to be added. There is a specific agreement that must be signed stating you will not redistribute material. Andrew will look into getting the group going again. Maria and Michael both showed interest in joining the liaison group. Lynzie and Andrew will work on getting that group active again.

SAC Approval Status Update

Lynzie provided an update of the SAC updates from the spring. Open comment ended on June 6. There were no comments submitted. The next step is for LC to approve the CO_SAC updates and move it to an all-member ballot. The next LC meeting is on July 20. Lynzie will email the group to get it on their radar as an agenda item for that meeting. The all-member ballot will be open for 2 weeks. At the conclusion of that ballot, all the updates will be published. The goal is for the new versions to be available the week of August 8.

Assurance Program

Lynzie reviewed the Trust Mark drafts. The term ‘approved for’ will be removed as it is inferred by the checkmark. We will keep ‘full service’ as it is a valuable designator as requested by ID.me.

We are shifting from our current definition of full service. Now a full service can be just IAL or AAL but still must conform to all criteria. If the service conforms to all of 63A – that is a full service. Richard does not believe a service that conforms to all criteria should be called a component service. Martin agreed.

Maria believes it is still confusing. She suggests going back to partial. She believes the label “component” signals to consumers that it is a component service (that meets all criteria) within the larger set of the identity guidelines. There seemed to be some support for the use of partial over component. The group needs to agree on a term. Lynzie will integrate into next round of mock-ups for further discussion.

We must look at “in scope – applicable” versus “in scope – not applicable” in terms of the type of approval (full vs. componet/partial). If we need to draw a line between the two – we can, but it needs to be defined. Can a service be full if a number of criteria are marked as “in scope - not applicable”?

Martin wants to ensure we continue looking at it from a customer’s POV – including people with different levels of understanding of what we are offering. Richard reminded everyone that the vendor needs to engage with the CSP to get the details of the service, this trust mark can only provide so much information.

Richard generalized the discussion thus far: Full service – consumer can rely upon a complete service being provided without further functionality being required. Anything less than full, X, then the consumer has to perform additional steps to have a complete service capability. Andrew has trouble with that generalization.

We need clarifying language in our documentation that can tell consumers how to translate what they offer. (i.e., Go read the SoCA, make sure your needs are covered, etc.) We’ll also need to update the TSL to adhere to any changes that we make - including separating out Classic. (i.e., Classic tab, Full Service tab, Service Component/ Partial Service tab, assessor tab, registered applicant tab)

Andrew asked the assessor’s if federal agencies would buy component/partial service. Jimmy and Richard confirmed that federal agencies will and do buy products with criteria out of scope. It seems like we are getting to the point where we need to define ‘not in scope’ and ‘in scope – not applicable’. Richard thinks it’s a fine line; Jimmy feels its non-existent – just semantics. Not in scope should only be used for LoAs not being applied for. Which would change out full/component definitions again. This needs further discussion.

Richard thinks the problem is trying to give too much information in this little trust mark. Why does it need to say anything? Companies should do their due diligence to see what is offered, what fits into their offerings, etc. We ran out of time and this discussion will continue at our next meeting.

Any Other Business