2022-08-04 Minutes
Attendees:
Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, James Jung, Michael Magrath, Maria Vachino
Non-voting participants: Chris Olsen
Guests: Matt King
Staff: Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval - 2022-07-21 Minutes
General Updates
Assurance Updates
Discussion:
SAC Update
63b SoCA proposal
Assurance Program - continued discussion from previous weeks
Any Other Business
Meeting Notes
Administrative Items:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Andrew suggested dropping the 63b agenda item until Richard Wilsher can join a call to explain the proposal. All agreed.
Minutes approval: Mark Hapner moved to approve the draft minutes from the July 21 IAWG meeting. Martin Smith seconded the motion. Motion carried with no objections.
General Updates: n/a
Assurance Updates
The meeting with NIST and financial institutions discussed in the previous meeting is still in the works. A date is TBD but hopefully later this month.
Maria and Kay will both be at FedID during the first week of September in Atlanta. The extent of Kantara’s presence is still undecided until Kay hears more from JJ Harkema about logistics of the week. Kay and Maria are joining Jeremy Grant and Zack Martin for a round table throughout the week. Andrew requested an email with more details be shared with IAWG as others may likely be attending.
Discussion:
SAC Update
The SAC updates have passed Leadership Council and are now moving to an all-member ballot. Kay received the all-member ballot within the past hour but nobody else on the call had seen the email. Lynzie will work with Kantara IT staff to determine the issue with the membership email list and get it resolved. Andrew asked that everyone keep an eye out for the all-member ballot email as there is a requirement that at least 15% of members vote and it can sometimes be hard to get votes for obscure actions such as new SAC revisions. All Kantara members in IAWG should vote! The eballot can be found here.
Assurance Program
Remaining open issue - What, if anything, do we rename a component service to make it less confusing in the market?
Andrew summarized our current offerings and definitions:
- full service where all criteria are in scope
- partial service where all applicable CO_SAC criteria are in scope, BUT not all service specific criteria are in scope
Martin asked for confirmation that it is possible for a full service to have some non-applicable criteria (i.e. service does not offer in-person proofing). Andrew confirmed this is possible.
Andrew defined a component service as offering only 63A or only 63B, whereas Jimmy says that is not the interpretation he understood. He believes component is intended to mean that the service requires some other contracted service to be fully functional.
Martin asked if we are counting on the assessors to examine the non-applicable criteria to ensure they are the conditional criteria only. Jimmy confirmed yes, that is the assessor’s responsibility. It is the assessor's obligation to determine if something that a provider identified as not applicable is in fact not applicable. Even in annual conformity reviews, assessors are looking to see if that non-applicability is still valid.
Andrew – whose reality should the trust mark represent? Who is the audience? Martin believes there are two customers – a RP and an ISP to complete their offering. Different demographics.
Andrew provided the following options via chat:
The services offered by the CSP meet the standard, and only those offered services. (csp/business chooses what they offer and TM says the things they’ve CHOSEN to offer are trustworthy – slightly different than what we are calling the trust mark [800-63a/b/c TM])
The services, as described by NIST, are offered in their entirety by the CSP and they meet the standard. (NIST defines the service)
Jimmy confirmed the first option is more common in the market. Further, Jimmy stands by the idea that if someone knows they are only buying a component of the certification – if the trust mark says you aren’t getting it all – then the person is responsible for making sure they are getting exactly what they think they are giving. Unless we change our SAC to highlight mandatory criteria, the CSP has a right to offer what they want to offer as a ‘less than full’ service.
Martin stated that it’s up to the market to determine how to put the pieces together to make a full service. Andrew asked if we support the first option, are we actually offering NIST 800-63 compliance? Or is the CSP just offering proofing services that are good? Martin restated that they offer services that comply with parts of 800-63.
Jimmy shared that the value of the component option is that someone who is trying to build a NIST-compliant system but can’t handle a certain section can shop for a component who already handles those criteria - and can provide it with a TM. By requiring a mandatory minimum, you are taking away the ability for an offering that meets NIST standards to be out on the market. Martin agrees as long as the CSP is honest and upfront that they do not offer a complete service.
Andrew added these definitions into the chat:
“Full" service conforms to every mandatory NIST requirement. Some optional offerings may not be included in the service (i.e. trusted referees, supervised remote proofing, etc).
“Component" services conform to a defined subset of NIST requirements - this subset is selected by the Component CSP and vetted by the assessor. Everything that is offered by the component CSP conforms to the requirements of 800-63 rev. 3.
Two or more “Component" services can enter into contracts to joint become a “Full" service.
A multiple-provider "Full" service is not a "Full" CSP in Kantara's trustmark scheme unless the combined entity goes through an additional assessment and licenses the trustmark for "full” CSP
Martin asked if two components apply as a full service? Andrew said no. Jimmy confirmed. They would not be assessed as a full service.
Jimmy offered examples of how a component TM is viable and desired in the market.
A company meets the 8 very specific criteria for supervised remote proofing and receives a Component IAL2 TM. Currently, the easiest path forward in building a service that includes supervised remote proofing would be to buy from them rather than creating your own.
At least one system could claim to be a full service but the reality is they have not done anything in the way of a full-service offering. They’re waiting for someone to say they want to do a NIST/Kantara validated approach before they would apply for a full-service.
Andrew summed up the conversation to conclude that
We have gotten rid of the term partial.
We will stick with full and component with specified definitions provided on the TSL and other documents as described above.
Jimmy asked if there is full 63a and full 63b – or if it still needs to be both. This still needs to be pondered.
Any Other Business
Jimmy brought up Martin’s email about federation. Andrew has not heard anything other than they are beefing it up – not sure if it’s a full document. Maria did not have any additional insight either. Andrew will reach out to Matt Topper for further insight.
Kay brought up the CARIN Alliance’s reliance on Kantara for definitions and what they are looking for. They are really struggling with definitions. Andrew noted that the pilot is for people looking at IAL2 and has nothing to do with credential management, so it feeds into this conversation.
IAWG leadership keeps an action item list. All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!