2023-06-22 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Denny Prvu [RBC], Mark King, Richard Wilsher [Zygma], Jimmy Jung [Slandala], Mark Hapner, Martin Smith
Other Participants: Jazzmin Dowtin [IDEMIA], Mike Magrath [Easy Dynamics]
Staff: Lynzie Adams, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval
Kantara updates
Assurance updates
Discussion:
800-63-3 Criteria Issues to Resolve - numerous concerns have been brought up over several months and need to be discussed and likely updated.
IAWG Submitted Comments: NIST IAM Roadmap Update
KIAF 1050 - Glossary and Overview - eballot open for voting members until 6/27
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Andrew Hughes moved to approve the draft minutes from the May 25th IAWG meeting. Martin Smith seconded the motion. Motion carried with no objections.
Kantara Updates
Kay shared some updates on the recent conferences. Jimmy shared positive words from GSA about Kantara.
Kay shared that Kantara is working with GTRI on automating our Trust Status List and Service Assessment Criteria spreadsheets to make the process less laborious for vendors and others looking for service specifics. OSCAL was considered as well, but the work from GTRI has already started. Updates on timelines will be coming in the near future.
Assurance Updates
The ARB recently approved a new version of our Service Approval Handbook. It’s been sent out to all accredited assessors and CSPs. It’s available to download on the website. Lynzie is preparing a redline version for assessors, in addition to anyone else, to see where the updates occurred.
Since our last meeting we have four new Registered Applicants in the Assurance Program - Notarize, NextGenID, AU10TIX, and Clear. It’s been a huge first half of the year with 7 new applications! Martin asked if there was any insight on where, as a group, the applicants are coming from. It varies - some are being pushed by healthcare, one is pursuing our first IAL3, another is looking for US & UK approvals. Mike mentioned that Notarize is likely responding to a law in New York State that was passed in the spring. There are others in the pipeline. The law is vague - and it’s not mandated - but there is reference to IAL2.
Andrew noted that we should highlight this to Karyn for broader industry awareness - potentially including Mike’s blog (New York Swung and Missed in Regulating Identity Proofing for Remote Online Notarization (RON) - Kuma) currently posted on Kuma’s website as a starting point. Anywhere we find a law/regulation that tells the market to get certified, we should be highlighting it in all of our materials. That is a motivation to come to the assurance program! Martin reiterated Kay’s GSA discussions - that procurement people are great folks to speak with on that front!
800-63-3 Criteria Issues
The group worked through issues raised by the ARB, assessors, etc. that must be resolved. Notes are in the document as well.
63A#0120 - discussed and resolved. Group decided to update to twelve months - aligns with our annual review cycle as well. CO_SAC #0170 will be updated to remain aligned. It was discussed whether this would be material - but the assumption is that when the entirety of these updates is concluded, it’ll likely be a material update. We’ll hold on to the determination of materiality until all updates are made.
63A#0180 a) - discussed and resolved. The proposed text, which separates the Superior and Strong requirements that were initially misinterpreted, was accepted. The update revises both a) and b).
63A#300 e) - discussed and resolved. After discussion around ‘address OF record,’ the group decided to add guidance to the criteria rather than updating the criteria. The added guidance is “The intention here is that there are two communication channels, in particular validated addresses.” Assessors thought this was a good option.
63A#0490-0580 - discussed, but not resolved. Will invite CSPs to discuss and revisit on July 13. These criteria were flagged by ARB and an assessor as being misapplied to IAL2. The discussion was around IAL2 services that utilize supervised remote identity proofing but are being assessed against IAL3 criteria. The current criteria for supervised remote are much more stringent than what IAL2 must meet to do supervised remote. There is a gap in the criteria for those services that do these proofing sessions at IAL2, and they may have un-assessed parts of their service without some criteria. Andrew asked to share the topic with the CSPs and let them know something will likely change, so please attend the meeting to share your feedback if your service uses supervised remote proofing. There is inconsistency of application, and it needs to be resolved one way or another.
Due to time constraints we stopped here for today. Will pick up with 63A#670 next week and continue to work through the issues file.
NIST IAM Roadmap Comments
Due to IAWG being cancelled the previous two weeks, comments had to be submitted prior to additional conversation within the group. Lynzie and Denny worked to compile the submitted comments and submit on behalf of Kantara IAWG. The submitted comments can be read here.
KIAF1050 - Glossary and Overview
An eballot was sent to voting members to process the approval. The eballot closes on Tuesday June 27. Results here.
Any Other Business
Andrew is trying to start up a new discussion group to look at deep fakes, AI, and threats/risks to identity verification services specifically because many of Kantara’s constituents are ID proofing constituents. Ping’s CEO has pushed this as a hot topic - is there actually a new threat or is it just hype? Andrew will be circulating a charter proposal that will come to this group for comments, feedback, interest. Current thinking seems to be leaning toward synthetic humans as an attack factor for voice, video and text ID verification services. Specifically narrow. What are the actual threats? What are we seeing? As a buyer, what do you have to know/ask? Martin likes the idea.