2023-07-13 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Jimmy Jung [Slandala], Mark Hapner, Martin Smith, Richard Wilsher [Zygma]
Non-voting Participants: Mike Magrath [Easy Dynamics], Lorrayne Auld, Tim Anderson [ID.me], Yehoshua Silberstein [Notarize]
Guests: Sarath Laufer [AU10TIX], Elavar Olafsson [JakobsenID], Lewis Lott [USPS], Nicholas DeGaetani [ID.me], Peter David [Airside], Ryan Kirchoff [Airside], Scott Jones [CLEAR], Steven Behr [USPS], Zaid AlBukhari [NextGenID], Justin Hyde [LexisNexis Risk Solutions]
Staff: Lynzie Adams, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval
Discussion:
800-63-3 Criteria Issues to Resolve
63a#0490-0580 supervised remote identity proofing, currently applicable to IAL2 and IAL3. Proposing updates.
63a#0670
T5-1 update
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Jimmy Jung moved to approve the draft minutes from the June 29th IAWG meeting. Mark Hapner seconded the motion. Motion carried with no objections.
800-63-3 Criteria Issues
The group continued to work through issues raised by the ARB, assessors, etc. that must be resolved. Notes are in the document as well.
63A#0490 - #0580
Jimmy recapped why we are revisiting the applicability of these criteria at IAL2.
Tim [ID.me] worries about a gap in being able to demonstrate conformity and assurance for remote proofing. Yehoshua [Notarize] agreed, referencing pg 54 of the 63a Conformance Criteria that states: “The following requirements for supervised remote proofing apply specifically to IAL3. If the equipment/facilities used for supervised remote proofing are used for IAL2 identity proofing, the requirements in section 5.3.3.2 of SP 800-63A for supervised remote proofing do not apply. In this case, the requirements for conventional remote identity proofing are applicable.” It was questioned whether this was a temporary solution, knowing that revision 4 will address this. Lynzie confirmed it is temporary, but given the timeframe, we need something in the interim.
Richard believes we would be remiss not to have established criteria for those CSPs that do perform supervised remote proofing, so that they can demonstrate assurance. He suggested we review each criterion and ask ourselves ‘Does this work at IAL2 or not, and if not, what can we do to change it to make it applicable?’ For instance, #0550 is not going to happen at IAL2, but we could add something about scanners/sensors on user-owned devices, which is more applicable to IAL2. On the other hand, #0560 is reasonable at both IAL2 and IAL3.
Peter [Airside] asked if we are entering a slippery slope of moving away from the direct intention of 63A. Andrew confirmed it would be conditional: if you are doing it, this is how you must do it; if you aren’t doing it, that’s fine too. In terms of deviation, Kantara has precedent that we cover the 63-3 requirements at minimum, though there may be additional requirements beyond 63-3. On this topic, 63-3 doesn’t cover supervised remote proofing at IAL2, so we must develop that ourselves.
Andrew called for objections to the plan moving forward. Yehoshua voiced a quasi-objection: to the extent the supervised remote proofing criteria are watered down, they are already captured in different criteria within the SoCA, and the rest of the criteria do not preclude the use of supervision. There’s nothing less rigorous about supervision that should necessitate a new set of criteria. We will continue to discuss this in the upcoming meetings now that we have an agreed plan moving forward. As a reminder, all of these changes will go out for public comment prior to publication.
63A#0670
Lynzie explained the update to this criterion: it is not actually applicable to identity proofing, but rather to authentication. The group as a whole seemed agreeable to this update. Richard noted that we should mark it simply as ‘withdrawn’ rather than ‘no stipulation - not applicable to identity proofing’. Lynzie will make that update.
Jimmy noted that we will need to look through the criteria for any references to these updates and make the corresponding changes. Lynzie will do an overview of the whole 63A SAC to see what else needs to be edited.
T5-1 Table
Lynzie shared the proposed updates to the T5-1 table. The proposal to reference the Implementation Resource guide was received well by the group, with some updates to the current language. This will remove the burden of addressing every line in table T5-1, but it does not have any impact on T5-2 or T5-3; those remain unchanged. Yehoshua asked if this will be effective immediately or if they [Notarize] will still need to complete the T5-1 table during their assessment process. After discussion, it was decided that although this will be incorporated into the overall updates to the SAC, we could release a notice that this update is effective immediately to help those CSPs currently in the process. Lynzie will raise it with the ARB and draft a notice that can be sent to everyone on the TSL once completed.
Lynzie recapped the issues we still need to address in this revision.
Any Other Business
Richard raised an issue with the Service Approval Handbook v4 update. He is concerned with the ARB’s request for assessors to do testing on non-Kantara-approved services and feels as though the ARB overstepped their boundaries. He believes there needs to be established criteria for these third-party tests. Lynzie explained that the notice and update he is referring to are meant to ensure assessors are not ‘passing the buck’ on criteria fulfilled by non-Kantara-approved services, and that the third party was reviewed to ensure the criteria are conformant. The ARB will not accept that a criterion is fulfilled by a third party if that third party’s ability to fulfill it was not examined. Jimmy agreed that’s how he interpreted it as well. Richard feels that is far less alarming than the original text led him to believe.
Richard also raised a concern about the updates to the RTO assessment. The ARB felt strongly that RTO should be retained, as there is a place in the industry for people who want pre-service solutions to be reviewed for conformance to 63-3. They believe our current process could be better, but removing it completely is not the right option. The update does require that at the conclusion of the 12-month RTO grant of approval, a full assessment of all criteria must occur. Richard feels there should be an IAWG discussion now on which criteria could reasonably be omitted in an RTO assessment, with the understanding that they’ll all be assessed the following year. This could help define the scope of what is important in an RTO assessment. The group will revisit this.
Andrew shared his intent to start a Kantara Discussion Group on deep fakes and the threat they pose. The charter will be put up for approval by the Leadership Council next week. Shortly after, look for an email that will share more details on participation.
No meeting on July 20. We will meet again on July 27 to continue the work on updates to 63B and the updates to the supervised remote proofing criteria.