2023-08-24 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Jimmy Jung [Slandala], Richard Wilsher [Zygma], Mark King, Mark Hapner, Chris LaBarbera [Verizon], Denny Prvu [RBC]
Non-voting Participants: Mike Magrath [Easy Dynamics], Yehoshua Silberstein [Notarize], Tim Anderson [ID.me], Tim Reiniger
Staff: Amanda Gay, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval
Kantara updates
Assurance updates
Discussion: 800-63-3 Criteria Issues to Resolve
T5-1 notification
supervised remote proofing proposal
OPD#0010
S3A
Any Other Business
Meeting Notes
Administration:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
Jimmy Jung moved to approve the draft minutes from the August 10th IAWG meeting. Mark Hapner seconded the motion. Motion carried with no objections.
Kantara Updates
Kay shared upcoming conferences she’ll be attending - FedID, Identity Week, and others in London and potentially Singapore.
Assurance Updates
Kay reported it’s still a full pipeline in the U.S. - but much slower in the U.K. She’s hoping that changes and hopes to hire a Program Manager over there who can run the program similarly to how Lynzie runs the U.S. program. There have been lots of conversations with several agencies - including GSA - about our program and the need to have a Kantara Trust Mark in order to be on their schedule.
Discussion:
T5-1 notification
Andrew shared the drafted notification and provided background information for anyone not aware. Richard moved to accept the notification as-is and publish it. Andrew seconded the motion. Motion carried with no objections. Notice will be sent out to relevant parties next week.
Supervised Remote Proofing Proposal
A small group discussed the criteria and developed the following proposal for #0490-#0580. Jimmy walked the group through the proposal - the discussion was around how strictly the group wants to follow 63-3 and whether some of these criteria are good ideas regardless of the identity level they are directed towards. #0490-#0510 are staying in as more general requirements. #0520-#0550 were removed as the group agreed there was some risk for an IAL2 person to take those criteria on. Same goes for #0570 - too difficult at IAL2. The group suggests leaving the training (#0560) and communications (#0580) criteria applicable at IAL2 because they are covered in other places within the SAC at IAL2 (referenced in the guidance).
Andrew believes after reviewing the proposal that it does reflect the previous conversations the larger group has had regarding these criteria. Yehoshua questioned leaving #0490-#0510 applicable to IAL2. His concern is if a provider is using a proofing supervisor who is not responsible for evaluating the biometrics - it’s an automated system - then the supervisor would not be trained in this and a provider could not fulfill these criteria. Jimmy believes the requirement needs to be there - if you are using biometrics, then you need to deal with 63B (#0620-#0680).
Jimmy suggested a criteria edit that could address the concern by moving the focus from the supervisor to the performance - “If the CSP provides Supervised (Remote or In-person) proofing it SHALL ensure that the technologies and procedures fulfill the biometric performance requirements expressed in 63A#0620 to 63A#0680 inclusive.”
Richard pointed to the source text - 5.3.3.1 part 1 refers to the operator but part 2 does not. So perhaps the reference to the proofing supervisor in #0500 and #0510 is a little bit too much. Tim asked why we use the term biometric in #0500. Biometric is the result of running the computation on the selfie image, etc. You don’t need the biometric to do the remote physical comparison. Richard cited the source text on 5.3.3.1. Yehoshua mentioned it’s a bit contradictory and circular. The group reviewed and discussed Table 5-3 in the source text. After the discussion, Richard suggested striking the reference to 63A#0620 to 63A#0680.
Jimmy then suggested another criteria edit - “If the CSP provides Supervised (Remote or In-person) proofing it SHALL document and apply technologies and procedures such that they SHALL ensure that biometric samples are taken from the Applicant themselves and not from another person.” Richard argues this should be adopted in #0500 and #0510 to remove the reference to the proofing supervisor. The update will be incorporated into the overall changes to the 63A updates.
Richard suggested striking the line “Physical comparison performed remotely SHALL adhere to all requirements as specified in 63B, Section 5.2.3.” for STRONG evidence. Andrew & Yehoshua were agreeable. The updates will be made in the overall updates of 63A.
OPD#0010
Andrew raised the concern. Richard noted there is no source text for the criteria - it begins directly with the subparts of the criteria. Richard reviewed the original Word version of the OP_SAC and determined there was never a header for it. He suggested inserting one. Andrew believes the revocation material should be in the credential policy - it just needs to be stated. Suggested header: “The CSP must in its CrP…”.
Richard noted that a reference back to OPA#0020 f) would also work. Richard will propose guidance to be included in the update.
S3A
Andrew shared the reasoning for the updates to the S3A, including the need for more detailed information to be provided to the ARB. Richard believes the level of detail in the S3A was never intended to be aligned with all criteria in the SAC. Jimmy agreed. The assessor gets some scoping out of the S3A, but not what they need to complete the assessment. But this is all the ARB gets besides the SAC to explain what the system does, and that’s why it needs to be comprehensive - at least at a data flow level. Without that, the ARB doesn’t always know what they are looking at. The other option is that the ARB just trusts the assessor and asks the questions needed. Richard prefers that option but acknowledges there needs to be a degree of detail in the S3A for the ARB to understand the full process.
Richard asked if the S3A is the CSP’s responsibility - or whether the assessor is responsible for reviewing and suggesting edits. Richard doesn’t see that it’s the assessor’s role to validate the S3A. Andrew posed the question - is there enough guidance given for a CSP to provide the level of detail the ARB expects? Due to time, the discussion of responsibilities and expectations related to the S3A will be picked back up at the next call.
Any Other Business
Andrew shared that Ping Identity doubled in size - Ping’s owner purchased ForgeRock and ForgeRock will be rolled into Ping. Hopefully this acquisition will allow Andrew to bring more people into the Kantara space.