2022-08-11 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark King, James Jung, Michael Magrath, Maria Vachino, Richard Wilsher
Non-voting participants: Eric Thompson
Staff: Lynzie Adams

Proposed Agenda

  1. Administration:

  2. Discussion:

    • SAC Update

    • 63b SoCA proposal

    • Assurance Program - continued discussion from previous weeks

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes approval:    Andrew asked that everyone review the August 4 minutes carefully as they listed a lot of what we will present to ARB/KIBoD as our recommendations for updates to the Assurance Program. If there is anything in those minutes you are uncomfortable with - please speak up via email or at the next meeting!

Jimmy Jung moved to approve the draft minutes from the August 4 IAWG meeting. Martin Smith seconded the motion. Motion carried with no objections.

General Updates: Michael shared that the roundtable put on by Jeremy Grant at FedID next month is open to all Kantara members. Promotional materials will be created and distributed to Kantara members when details are confirmed.

Assurance Updates: n/a

Discussion:

SAC Update

A reminder email went out today for the all-member ballot to approve the material CO_SAC changes IAWG approved in April. This is the final step before they are published. The eballot closes Thursday, August 18. There is a requirement that at least 15% of members vote. All Kantara members in IAWG should vote! The eballot can be found here.

63b SoCA Proposal

Richard walked the group through proposed changes to 63B#0650, #0660, and #0670. As the criteria are presently written, #0670 refers to a salt value, but that relates only to the circumstance above in #0660 (shall be salted and hashed with a value that has at least 32 bits). He proposes that we incorporate #0670 into #0660, making it an additional requirement when the secret has fewer than 112 bits of entropy. #0670 becomes "no stipulation".

Martin asked if this was substantive. Richard confirmed it does remove an obligation, but it is arbitrarily imposed. Neither Michael nor Jimmy was aware of an instance where #0670 was invoked because the CSP felt it necessary. Richard proposed that if no CSP has responded to #0670 to this point, it could be considered non-material. Jimmy concurred. He believes we are simply clarifying something that was mis-expressed. Andrew also does not believe it is material.

Lynzie will review the current CSP SoCAs to see #0670’s applicability and report back to the group. If this remains non-material, it can be published with the larger release after the all-member ballot closes and passes. We will make motions at the next meeting once the analysis is completed and shared with the group.
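
The storage rule these criteria describe (a 112-bit entropy threshold below which a secret must be salted with at least 32 bits and hashed with a key derivation function), shown as an added Python example. This code is not part of the minutes or of the Kantara criteria text; it assumes the criteria track the look-up secret storage requirements of NIST SP 800-63B, and the mapping of #0650/#0660/#0670 onto those sentences is an assumption. The function names, the 128-bit salt, the PBKDF2 iteration count and the sample alphabet are illustrative choices, not anything the criteria prescribe.

```python
import hashlib
import hmac
import math
import secrets
import string

# Thresholds taken from the discussion above; the mapping to specific
# 63B criteria numbers is an assumption.
ENTROPY_THRESHOLD_BITS = 112   # at or above this, a plain one-way hash suffices
MIN_SALT_BITS = 32             # below the threshold, salt of at least this size
PBKDF2_ITERATIONS = 600_000    # illustrative cost; tune to your verifier budget

# Constructed sample alphabet for generated look-up secrets (36 symbols).
ALPHABET = string.ascii_lowercase + string.digits


def secret_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_lookup_secret(length: int, alphabet: str = ALPHABET) -> str:
    """Generate a look-up secret with a CSPRNG, one symbol at a time."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_lookup_secret(secret: str, alphabet_size: int) -> dict:
    """Return the verifier-side record for `secret`.

    Secrets with at least ENTROPY_THRESHOLD_BITS of entropy are stored as a
    plain SHA-256 hash.  Weaker secrets are salted (>= MIN_SALT_BITS) and run
    through PBKDF2-HMAC-SHA256, which is the extra obligation discussed above.
    """
    bits = secret_entropy_bits(len(secret), alphabet_size)
    if bits >= ENTROPY_THRESHOLD_BITS:
        return {
            "scheme": "sha256",
            "hash": hashlib.sha256(secret.encode()).hexdigest(),
            "entropy_bits": bits,
        }
    salt = secrets.token_bytes(16)          # 128 bits, above the 32-bit minimum
    if len(salt) * 8 < MIN_SALT_BITS:
        raise ValueError("salt shorter than the required minimum")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
        "entropy_bits": bits,
    }


def verify_lookup_secret(record: dict, candidate: str) -> bool:
    """Recompute the stored form of `candidate` and compare in constant time."""
    if record["scheme"] == "sha256":
        expected = hashlib.sha256(candidate.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2-sha256":
        expected = hashlib.pbkdf2_hmac(
            "sha256",
            candidate.encode(),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        ).hex()
    else:
        return False
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    # 20 symbols from a 36-symbol alphabet is about 103 bits: salt + KDF path.
    weak = generate_lookup_secret(20)
    weak_record = store_lookup_secret(weak, len(ALPHABET))
    print(weak_record["scheme"], round(weak_record["entropy_bits"], 1))
    print("verify weak:", verify_lookup_secret(weak_record, weak))

    # 24 symbols is about 124 bits: plain hash path.
    strong = generate_lookup_secret(24)
    strong_record = store_lookup_secret(strong, len(ALPHABET))
    print(strong_record["scheme"], round(strong_record["entropy_bits"], 1))
    print("verify strong:", verify_lookup_secret(strong_record, strong))
```

The entropy figure is only meaningful for secrets the CSP itself generates uniformly at random; a user-chosen secret of the same length cannot be credited with that entropy, and the example assumes the secret came from `generate_lookup_secret` or an equivalent source.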

Assurance Program

Andrew recapped the discussion on multiple component services being unable to band together to be a full service. The services must go through the process together to be considered full service. He believes this is a change in practice. Mark King brought up that it does not seem to fit very well into the federated model that some believe the UK might adopt. Andrew agreed. It’s relevant to the US market as well - but not to NIST. NIST does not recognize the separation of companies delivering services in rev. 3. As Kantara evolves, they should consider offering trust marks of what the market wants in addition to what NIST wants.

Richard brought up Classic approval and the associated terminology. He does not believe we should have the same terms with different meanings, or completely different terms for Classic. Andrew's opinion is that Classic is not associated with the rev 3 updates and should just remain labeled as 'Classic' until we determine if it still has a place in the assurance program. Eric reiterated the need to keep Classic as there is a market and need for it specifically. There are agencies wanting to show they are following NIST guidance even if they are not ready for IAL2. He emphasized the need to be deliberate if any changes are going to be made. Experian and others have ongoing contracts that use Classic. Andrew suggested that we not touch Classic at this point. Lynzie is going to update the Trust Status List to have Classic as its own tab. This should better align with the Trust Marks that will be provided to these CSPs going forward. Additionally, Andrew requested Kantara IT add alt text to the company logo names.

Andrew believes that the IAWG did define a component in Classic, and that language was carried forward into rev 3. He believes if we read back, we'll be able to find it. Richard thinks it might be in the Word document originally defining the criteria. It will need to be located.

It was decided to not make changes to 63c in these updates. Federated full service and federated full service technical will be the only two trust marks available for 63c (same as current).

Michael asked for confirmation on where ‘Technical’ stands. The plan is to remove it but for now it will remain. The work needs to be done before it can be fully removed/integrated into the technical criteria. The goal is not to burden the assessors of the CSPs - but to streamline the process.

Any Other Business

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!