2023-09-21 Minutes


  1. Administration:

    • IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was not quorate.

      • Roll call:

        1. Voting - Andrew Hughes, Jimmy Jung, Chris LaBarbera, Mark Hapner (early departure), Richard Wilsher, Denny Prvu (late arrival)

        2. Nonvoting - Chris Olsen, Tim Anderson, Yehoshua Silberstein (late arrival)

        3. Invited Guests - Lisa Balzereit, Peter Davis (late arrival)

        4. Staff - Amanda/Lynzie

    • Minutes approval.

    • Kantara Updates

      • Everyone should keep an eye open for BoD elections in the coming months (it’s open to all organizational members).

      • Annual General Meeting (AGM) is also coming up in December.

      • Kay will also be at Identity Week America. Look for her fireside chat scheduled for Oct 3 at 2pm with Maria Vachino & David Temoshok, where they’ll discuss revision 4. Be sure to stop by the Kantara table!

    • Assurance Updates

      • There is a new approved service: Proof (rebranded from Notarize). Press release scheduled for today from Proof.

  2. Discussion:

    • CO_SAC updates as we continue the work toward removing the Technical class of approval - Richard's first stab is linked.

      • Richard added columns for tracking alignment with 63A/B, ISMS pass (a “free pass” from another certification/approval) and “What else?”, with his preliminary indications against some criteria in these columns.

        1. CO#0010 - possible removal, as the CSP has already signed a TMLA prior to assessment.

        2. CO#0020 - possible free pass if someone came in with a comparable ISMS, based on Richard’s knowledge of 27001.

        3. CO#0030 - difficult to ascertain, as a financial audit isn’t done as part of assessment; possible removal of red strike-through text, but leave the reference to liability.

        4. CO#0090 - service definition follows RFC 3647. Recommends looking at the CRPS requirements in 63A and consolidating them into a single requirement in the CO_SAC, resulting in a single set of requirements for having a credential policy that applies to the CO_SAC and 63xAL (assuming the CO_SAC is mandated; if not, take the requirements out of the CO_SAC and place them into each of the OP_SAC 63A/B (not C, as it is different because of the federation agreement)). Notes this is also applicable to OP_SAC.

        5. CO#0100 - leave as is for now. Rethink for 63A/B, but it will need to be there in some form.

        6. CO#0150 - need to ensure matching requirements for Kantara-specific required policies and note implications of 63A/B, but potential free pass.

        7. Other notes are very control-focused and easy to extract, mostly potential ISMS free passes.


  • Action: Email to list-serv to request everyone to review Richard’s analysis and examine it in light of FedRAMP and 27001. Anyone with knowledge of other schemes is also requested to do an analysis of those schemes. Goal is to generate a list of ISMS-like qualifications to start with as the basis for consideration. Discussion on October 5th.


  3. Any Other Business

    • Future meetings:

      • 9/28 & 10/5 - Lynzie won’t be here. Agendas will be sent by Amanda.

      • 10/12 - Andrew requested this meeting be canceled.

      • Next week’s meeting - Charter and Structure Discussion