2023-06-29 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Denny Prvu [RBC], Mark King, Jimmy Jung [Slandala], Mark Hapner, Martin Smith
Other Participants: Mike Magrath [Easy Dynamics]
Staff: Lynzie Adams, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval
Discussion:
800-63-3 Criteria Issues to Resolve - numerous concerns have been brought up over several months and need to be discussed and likely updated.
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was not quorate at first, but other voting members joined and we reached quorum.
We were going to revisit the move in meeting time - from 1pm to 12pm ET - due to low attendance in recent weeks. However, almost every voting member (minus one) showed up to the call and attendance was not an issue. We will continue to monitor attendance and consider a vote on moving the call back to the 1pm time slot.
Minutes Approval
Jimmy Jung moved to approve the draft minutes from the June 22nd IAWG meeting. Martin Smith seconded the motion. Motion carried with no objections.
800-63-3 Criteria Issues
The group continued to work through issues raised from ARB, assessors, etc. that must be resolved. Notes are in the document as well.
Two instances of swapped criteria (63A#0650 a/b, 63B#0320 a/b) were raised by a CSP and Mike Magrath, respectively. Both have been corrected to align the NIST and Kantara text.
63A#0670 - Lynzie explained the issue with the NIST 63A criteria, brought to her attention by the NIST rep on the ARB. The discussion was to determine, if we change it, what we change it to. It was suggested it would change to ‘no stipulation - not applicable to identity proofing’ like others in this section. Andrew asked what we would potentially lose on the proofing side if we made that update. Jimmy confirmed that d) transmit the data over an authenticated protected channel would be the important ‘thing’ we might be losing, but it is addressed by #0150a. It was agreed to make all of #0670 no stipulation, and then add guidance for the update and reference #0150a. The group concurred this was a good path forward.
T5-1 Table - The tables are a struggle for CSPs and assessors alike and have long been in need of an update to help CSPs better respond to the criteria. The NIST 800-63 implementation resources could readily be used to supplement T5-1. Jimmy suggested just referencing that guide: that Kantara accepts these pieces of evidence at these levels of strength. Andrew agrees - we need to say what evidence we accept and what strength we accept it at. Mike brought up that Kantara should consider accepting STRONG+ in an upcoming revision (currently STRONG+ is accepted as STRONG). Lynzie suggested the T5-1 table could remain if a CSP wanted to submit an evidence type that was not already on the ‘approved list’ (i.e., implementation resource guide list). Andrew questioned whether the ‘approved list’ should be included in the spreadsheet, or in a separate document. Jimmy suggested a T5-1a table that has the implementation resource table readily available for CSPs to select from if they are not submitting a new piece of evidence - potentially shorter than the NIST table. Andrew further questioned if we were going to give a list or if we were going to ‘show our work’ and respond to each of the criteria. Jimmy feels showing the work is a bit overkill - a driver’s license is strong. No justification needed. Andrew worries that if we want to add new pieces of evidence we’d need to show our justification. So we’d have some with justification, some without. Mike believes anything we can do to streamline the process is vital to the program. Martin concurred that, as a former fed, anything that makes it easier for an agency to claim they are compliant is a good thing and this is a move in the right direction.
Any Other Business
No meeting on July 6. We will meet again, with CSPs, on July 13.