2023-09-28 Minutes
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval
Kantara Updates
Assurance Updates
Discussion:
Charter and Structure Discussion
Any Other Business
Minutes:
Administration:
Roll call, determination of quorum. The meeting was not quorate.
Voting-Andrew Hughes, Mark Hapner (dropped 12:29), Maria Vachino, Zaid, Richard Wilsher
Non Voting-Nathan Faut, Yehoshua Silberstein
Invited Guests
Staff - Amanda, Kay
Minutes approval
Kantara Updates
Next week is Identity Week America. Kay will be there; the conference should continue despite the potential government shutdown.
Deepfakes-Andrew notes that many folks will be at Identity Week. The group is still seeking joiners, despite the current level of expertise (knowledge domain) in the group at present. The group is drawing in biometrics vendors and setting up a mind-map to start at the top level of the domain and assign topic areas to leaders. Overall goal is to synthesize materials in roughly 2 months.
Assurance Updates
Kay reports new companies are regularly inquiring and government agency work continues. There is currently a new government agency seeking to go through the assurance program.
Maria notes that, after speaking to David Temoshok, the release schedule for rev4 looks like March 2024. They will be noting the sections that have changed, and only welcoming comments on those sections. This is the second public draft and Maria notes interest in discussing how to handle the new types of requirements as it looks to pose a challenge (potentially need 2 separate certifications).
Discussion:
Charter and Structure Discussion-The charter currently gives IAWG responsibility for the Service Assessment Criteria. This was the work being done in the last year and did not branch out into new spaces.
There is too much work for the group, as it can only really focus on one topic at one time.
Additional possible work:
Potential exists that 800-63 rev.4 is not fit for purpose (i.e. this is not a trust mark that we wish to operate)
Cites Australia’s current struggles with trying to run a certification program and if Kantara were to work with them, 2 sets of criteria would be needed (likely couldn’t base one on the other), but it quadruples the amount of work.
NZ certifications: Identification assurance v. identity assurance
The additional work is not only about volume, but substance/subject matter as well (remote proofing, more digitally focused proofing).
If we are moving to ISO 17065, a scheme owner is needed, and IAWG is a strong candidate for that, but all the looking around/forward thinking doesn’t fit with the scheme owner role.
Andrew posed the idea of what would happen if we were the scheme owner of NIST oriented scheme and then spun out a subgroup or second group to look at comments on other schemes or other potential work/directions (digital identity in EU, etc.). The goal would be to be ready for whatever comes next. If it didn’t work, the plan would be to revert back to IAWG as it currently exists.
Maria voiced agreement.
Andrew also notes that the Assurance Program may be strengthened by having a scheme-owner.
Richard notes that first a “scheme-owner” would need to be defined.
Downsides/points to consider:
Richard cites the need for CSP participation because if they don’t want the solution IAWG proposes, there’s no market for it.
Potential fragmentation
Need to define the structure of schemes (for example, we have the identity assurance framework: would there be multiple schemes beneath it that deal with different technologies, or is there one scheme with different criteria to deal with different technologies?)
Significant overlap of criteria in two different schemes
Potentially operating with the same finite amount of people whether IAWG functions as 1 group or 2 groups.
Andrew agrees that designing it first is necessary and recommends starting by writing up the roles and responsibilities of being a scheme owner and seeing what that covers.
Question from Andrew: What happens when we need a scheme that is not identity related?
Yehoshua–what’s the goal? Developing a framework so there’s a hierarchy of schemes, so schemes can be similar, or schemes can be different?
Andrew confirms that while Kantara is the operator of the assessment program based on a scheme, the scheme is somewhat independent of the organization. It grew organically, so formalizing what the conformity assessment scheme is would be beneficial. The existing IAWG would potentially narrow the scope to be the scheme owner, based on the clarification of roles and responsibilities. Other identity related activities (broader identity proofing, verification, authentication, federation) would fall under another entity’s umbrella (whether this is a sub-group or a separate group is up for discussion). The goal would be to have some bandwidth to look forward.
Kay notes that we are seen as a leader in identity and that people turn to Kantara because they think this organization should be able to support other schemes for varying industries/purposes (for example, the banking industry); however, we don’t have the bandwidth to do so.
800-63 is not fit for purpose for the banking/financial industry, but there is a belief that banks would like some sort of certification program. They have regulations to follow (these are not set out as requirements criteria) but 800-63 is not the right thing for customer identification needs.
Richard notes that for Kantara to serve these entities, they would need to come together so Kantara knows how to respond.
Andrew and Yehoshua offered comments on the value of developing a community or an association around the members (issues include defining the constituency and some organizations only being interested in the trustmark, not membership). The thought is that a subgroup/second group would have more bandwidth to address this and push Kantara into the position of the industry voice.
Kay reports that CARIN Alliance also has things to bring to IAWG, but there isn’t bandwidth to handle them. She also notes the importance of having a space for people to bring new initiatives into the Kantara circle.
It is requested that the next conversation contain more concrete details/ideas and contacts before formal action is taken.
Any Other Business