2024-04-25 IAWG Agenda & Meeting Notes DRAFT

QUORATE

Ready for review

TBD

No quorum in early part of meeting. Meeting approvals will be handled 2024.05.16

Kantara Updates

Kay Chopard

• 17065-first desk audit is in June.  The new auditors are doing a gap analysis for the US Program as well.  Things may be funneled to IAWG as needed, in terms of a program restructure and consistent vocabulary in relation to 17065. 

• @Amanda Add ISO 17065 Discussion Items to Future Agenda

Assurance Updates

Lynzie Adams

ARB’s work is ramping up, with questions arising.  These will be funneled to IAWG as needed.

IAWG Update: Kantara Liaison with ISO SC7/WG5

Andrew Hughes

• ISO 29003  Not published–hanging around, and now has to be updated, according to ISO rules.  A group will be assembled outside of this ISO group to write a contribution into the ISO process RE: identity proofing and verification in a way that is consumable for international standardization and its stakeholders.  So when it hits ISO work group, it can’t be derailed.  This will not be inside IAWG itself (IAWG will have rev 4 for future work) This will likely be a spin-off work/discussion group.  Hope to spin it up by the end of May in order to attract the trustmark companies that do ID proofing.  Will also invite national body experts from ISO committee

  1. Mark King questions–just people (natural persons), not legal entities

  2. Any definitions/challenges aligned with wordings used by OECD or others in the international sphere?

     1. Concept maps will be first piece of work for this new group and will partly address vocabulary

NIST Supplement: https://www.nist.gov/blogs/cybersecurity-insights/giving-nist-digital-identity-guidelines-boost-supplement-incorporating

Andrew Hughes

• First Supplement against 800-63 rev. 3.  This will be superceded by rev. 4.

• Kantara will have to modify 63B to accommodate this

• Andrew’s interpretation-NIST is bringing forward rev. 4 requirements so that they apply today in the rev. 3 world and thus establishing a precedent of supplements to 800-63 rev. 3.

• IAWG case with applicant and comparable controls (800-63 63#A0180): IAL2 can be achieved with 1 strong and 2 fair pieces of evidence.  Rev 4 says that IAL2 can be achieved with 1 strong and 1 fair pieces of evidence.  Is 1 strong/1fair acceptable in today’s environment or do we have to wait for rev 4 to be finalized?

• Should IAWG draft a proposed second supplement related to criteria 63#A0180?

1. Motion by Jimmy Jung - Andrew to draft correspondence/supplement to NIST RE: bringing rev 4 (1 strong/1 fair evidence requirement for IAL2) to today’s rev. 3 world. Andrew Hughes seconds. Motion Passes. Discuss write-up at next IAWG call.

@Andrew Hughes Draft correspondence/supplement to NIST RE: bringing rev 4 (1 strong/1 fair evidence requirement for IAL2) to today’s rev. 3 world.

Proposed S3A edits to enhance transparency (as proposed to ARB)

Jimmy Jung

• Jimmy put forward a suggestion that we tune the template for S3A with the intention of better communication (to ARB/IAWG)--improve transparency related to systems/workflows

• Looking for cleaner document–is there a need?

  1. Lynzie-ARB likes the idea of Jimmy’s proposal and the idea of IAWG tackling this in a smaller taskforce (with ARB having final review and final publication rights)

  2. 17065 should be embedded in the S3A adjustment

  3. Yehoshua: the S3A should be mapped to the working spreadsheets

     1. Jimmy-would want to hear from UK guys as well (@Amanda Connect UK Auditors with Jimmy)

Proposed 63A#0180 Revisions: 63A#0180 - proposed criteria adjustment (circulated by email 2024.04.06 by Richard Wilsher, attached for convenience)

Hold until 2024.05.16