2023-10-26 Minutes
Administration:
Roll call-The meeting was quorate.
Voting-Andrew Hughes, Mark Hapner, Mark King, Jimmy Jung, Mike McGrath, Zaid AlBukhari, Richard Wilsher
Non-voting-Martin Smith
Staff-Amanda Gay
Guests-Peter Davis, Lisa Balzereit, Marcelle Ngounou
Minutes approval
Jimmy Jung moves to approve all minutes, Mark Hapner seconds. Motion to approve all minutes carries.
Kantara Updates
Board nominations are opening soon, Andrew encourages anyone interested in getting more involved to submit their name.
AGM-notices going out soon, save the date! (December 5th, 10AM ET)
Assurance Updates-None provided.
Discussion:
CO_SAC Updates: Richard’s updated analysis (an additional note on CO#0050), linked here
We would still be requiring this point, but it makes more sense to locate it in #0090. Jimmy supports this point.
Motion to relocate approved.
Follow up discussion to Richard’s email on September 26th, 2023 regarding 63B #1900:
Sub-clause D was eliminated on an earlier IAWG call.
After further consideration, Richard now recommends a minor tweak to the main clause and the retention of sub-clause D, since the clause actually requires the CSP to respond to a legal instrument requiring that they revoke, so it should be retained. Changes as noted below (purple text signifying minor differences in the main clause):
The CSP SHALL revoke promptly the binding of authenticators to the Subject's online identity and, unless prohibited by any legal instrument, give notice of such to the Subject, when any one of the following occurs:
the Subject's online identity ceases to exist; OR
the Subject requests revocation; OR
the CSP determines that the Subject no longer meets its eligibility requirements; OR
the CSP is obligated to do so in response to a legal instrument.
It was noted that if you have revoked, it may not be possible to notify for legitimate/practical reasons. This makes it more of a customer service requirement than a technical requirement, therefore making it mandatory is not practical.
Conversation regarding adding a “may” or a “should” to the “give notice” portion. Jimmy points out Kantara does not use these terms, even though NIST does. Kantara criteria are typically written as yes/no.
Mark King proposes removal. Richard’s response is that it is in the OP_SAC, and that the CSP should be able to justify it as impractical, otherwise they should do it. It’s also likely that it hasn’t caused CSPs issues, as this has been in the documentation. There are other legitimate reasons (the subject passes, they ask for revocation, name change) and legal obligations exist. A process is needed to securely handle revocation.
Motion to retain the language modification in purple approved.
Charter and restructuring
Recap-Work Groups are required to review/update their charter every year. In IAWG, this was postponed last year due to public comments for NIST rev. 4. A new ISO structure (ISO 17065) is coming, and Andrew thinks it may be valuable to have a formal scheme owner (right now, in practice, it is IAWG). Now is the time to look at the charter and make adjustments. Andrew also proposes the idea that it may be necessary to have an additional group structure (either a sub-group or a separate group) that deals with non-NIST issues. At present, IAWG’s capacity is limited by the NIST revisions and the current practice of aligning criteria to those revisions (800-63 rev. 3). This was done to clarify Kantara’s positioning and goals within the market in response to confusion from rev. 2. This leaves IAWG having to follow NIST in terms of criteria and having no easy way to address non-NIST issues, thus placing non-NIST items on a longer timeline within Kantara.
Discussion topics that emerged from conversation:
Should there be a scheme-owner? If yes, is there a portion of the IAWG that should officially be that scheme-owner?
Initial thoughts-there is a core function within IAWG that is a de facto scheme owner for the US program.
It may be time to have an additional group structure (sub-group, discussion group, or work group) that deals with non-NIST.
Example: Consumption of digital formats as evidence of identity. 800-63 rev. 3 implies you can do this, and 800-63 rev. 4 is more explicit. Our criteria have to deal with present services, but we know new conformance criteria are coming.
No space (“soft mandate”) to find other areas with other requirements, because the criteria are tied to NIST.
Example: If remote proofing needs to have biometric liveness, these things aren’t covered in 800-63 rev. 3. There should be capacity somewhere in Kantara to investigate and decide whether these things should be covered and whether published requirements are needed.
Travel and banking/financial services are also examples of industries lacking baseline assessment criteria, because they are all slightly different.
Peter Davis also asks whether this is within Kantara’s scope, or whether it is more of a liaison role connecting to the appropriate industries. They see the need to develop criteria together with these industries.
Martin asks if there is a market for this. Mark King also offers that in other industries/orgs (OAX), a set of baseline criteria/standards is helpful to determining similarities/differences and generating questions (the why?) within that group.
Any Other Business