2023-08-31 Minutes

Meeting Notes 

Administration:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called.

Voting: Andrew Hughes, Mark Hapner, Richard Wilsher, Denny Prvu, Jimmy Jung, Chris LaBarbera, Zaid AlBukhari
Non-Voting: Mike Magrath, Yehoshua Silberstein, Martin Smith

Staff: Kay/Lynzie/Amanda.

Meeting was quorate.

Minutes Approval 

Denny Prvu motioned, Mark Hapner seconded.  Motion carries for approval.

Kantara Updates

Kay is giving opening keynote regarding diversity, equity, and inclusion at the FedID conference next week in Washington, DC.

Easy Dynamics is hosting a FedID Happy Hour - Mike shared the link if you’ll be in attendance: https://www.meetup.com/easy-dynamics-corporation/events/295464957/?utm_medium=referral&utm_campaign=share-btn_savedevents_share_modal&utm_source=link

Assurance Updates

No updates. 

Discussion:  

800-63-3 Criteria Issues to Resolve

All files can be found on the linked wiki page, including the drafts to be voted on:

  1. Final topic: 63B#0570

IAWG had originally wanted NIST's input, but none was received.  Lynzie would prefer that the work group decide for itself, vote on the criteria, and move on.

Q: “Is the text referring to one salt or two salts?”

Andrew H. states it can't be talking about two salts, so unless there is an issue, he recommends adding a guidance note saying that there is one salt involved and that the values need to be kept separate.  Richard says adding guidance seems moot, because the earlier criterion does not refer to a second salt, so the guidance would amount to "do what the criterion says".  The decision is to do nothing.

Lynzie pointed out that the original question was that the first "should" was ignored on purpose and only the second "shall" was considered. The criterion corresponds to the last sentence of the paragraph but does not take into consideration the first part.  For Rev3, it is confirmed that this is staying the same.

For section 5.1.1.2, Richard noted that there are many paragraphs with multiple normative statements, making it difficult to isolate the problem.

The final question is: "Is it a hard requirement to store the salt and the hash separately?"  The answer is yes.

  2. All of the summer materials are prepared and on the Wiki.  The next steps are deciding what's material and voting (1410, 1420, 1430, 1440). 1430 is likely to be material, but the others may require discussion.  Andrew H. asks if we can state there are material changes and run them through public comment.  Richard notes it is a risk, because someone will likely respond during those 45 days.  Why invite the danger if it is not required?  Richard recommends only doing it on 1430.

1410: 1410 is minimal, so it's not material.  Lynzie notes that the redlines are not shown when published, and Richard confirms: the change is shown in red, but the individual edits are not visible.

Richard says it’s likely not material as it’s gone from six to twelve (not the other way around).

Because the change is a chunk of NIST text, a cautionary check probably does not need to be made.  Andrew H stepped away, but no one said 1410 is material.  Lynzie proposes that 1410 is good and not material.

1420: 1420 had one edit, but it’s likely not material. Richard points out that they are redundant after the CO_SAC.  The 1420 edit was referencing that the revocation procedures should go in the credential policy practice statement.  Is this a material change?  The group agrees it is not material, it is simply clarifying the location of existing items.

1430:  Likely material. Jimmy notes that sometimes KI strays from 800-63, so it should be stated that 800-63 criteria are based on "shall" statements. Andrew H would prefer to use "mandatory". Richard poses "normative".  Andrew H questions whether "normative" means all requirements or just the mandatory ones.  Lynzie repeats Mike's point, that we don't have criteria for things we should.  Mike mentioned he made the suggestion for clarity, as clarity is beneficial.  Andrew H poses: "The Kantara criteria are designed to determine whether the CSP fulfills the mandatory requirements stated in 800-63."  Jimmy pasted language in the chat from 800-63 about the definition of "shall", and expresses discomfort with doing something "strictly".

Richard offers text using “based on” in the chat: “Kantara’s criteria are based on 800-63 rev.3 mandatory normative requirements.  This includes normative clauses which may be optionally chosen.”

After a robust discussion on normative v. mandatory v. shall, the group decided on the following for the user’s guide: “Kantara’s criteria are based on the mandatory requirements contained in 800-63 rev. 3.  This includes mandatory clauses which may be optionally chosen.”  This will also be copied into 63B.

Confirmed changes below:

▪ updated 'Users Guide';
▪ #0120 changed from six to twelve months;
▪ revised #0180 to include SUPERIOR evidence and guidance referring to STRONG+;
▪ added guidance to #0300 e);
▪ updated applicability of several supervised remote proofing criteria (#0490-0580);
▪ withdrew #0670 because it does not refer to biometrics in the identity proofing process;
▪ updated T5-1 table to accept evidence listed in the NIST SP 800-63-3 Implementation Resources Table A-3-2;
▪ updated T5-3#strg a) i) to remove referenced biometric criteria; and
▪ removed Tag x-ref tab.

Brief conversation regarding whether something is material in light of submitting for the 45-day review period: Andrew H noted that it is related to the impact of the change (tightening language has more of an impact than relaxing language), and that some of these changes may not be material to the CSP but may be material to the framework as a whole.   In general, per Andrew H.: an increased burden on the CSP is likely material, a decreased burden may not be, and a signal to the market that Kantara has a difference of opinion from 63B is likely material (we want people to look).

1430 Vote - Material v. non material: Andrew H, Richard, and Jimmy all voted material.  Lynzie will move forward with the next steps by opening for a public comment period.

Denny asked if there was a definition/breakdown of non-material v. immaterial.  Richard said if something didn’t have a criterion, it would be immaterial.

1440:  There were not as many changes.  Updated the user guide with sentences approved above (“Kantara’s criteria are based on the mandatory requirements contained in 800-63 rev. 3.  This includes mandatory clauses which may be optionally chosen.”).

▪ #0550: struck "for each subscriber using a memorized secret authenticator"
▪ #0600: updated a reference point in the criterion
▪ #1680: changed "The CSP" to "Federal Agencies" (after a lengthy chat)
▪ #1900: moved #1900(d) language to the main part of #1900, then struck #1900(d)

MOTION: The working group will now move to accept the changes to 1410, 1420, and 1440 as non-material and 1430 as material.

Richard moves to approve these changes as such.  Denny seconded.  Motion carries. 1410, 1420 and 1440 will go to the LC next for approval before being published. 1430 will open for a 45-day public comment period before going to the LC and an all-member ballot prior to publication.

  3. Update/next steps on IAWG recommendations (from November):  ARB was finally able to respond to the recommendations.

▪ Remove "partial" and change it to "component". Lynzie will begin scouring our documents to make this change and be sure "partial" is removed in all instances.
▪ Definitions were all good.  (Some previously approved organizations may need a review for reclassification, and assessor help may be requested.)
▪ Revision to the COSAC: next steps for the IAWG.  This will likely be a small group project.
▪ The simple guide: posted on the website.
▪ Trust Marks: a QR code is not yet in place, but it is being discussed.
▪ Forms of Assessments: Kay/ARB want to keep "Ready to Operate".  They were open to revamping it, but not removing it.  This would be another conversation for IAWG, if they desire to address it.

Andrew H thinks reconciliation of the CO_SAC is unavoidable.  Jimmy asked if previously certified organizations would be affected; Lynzie states that those who are in as "technical" are grandfathered in until their three-year Approval grant is up.  Jimmy thinks "Classes of Approval" could wait until rev. 4, while Lynzie would include it with the revision of the CO_SAC.

Adjourned to next week.