2022-08-25 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, James Jung, Maria Vachino, Richard Wilsher, Mark Hapner, Denny Prvu
Non-voting participants: Eric Thompson, Anjali Duraiswamy
Staff: Lynzie Adams

Proposed Agenda

  1. Administration:

  2.  Discussion: 

    • OpenID - call for comments

    • SAC Update

    • 63b SoCA proposal

    • Assurance Program - continued discussion from previous weeks

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes approval: Andrew reminded everyone to carefully review this summer’s meeting minutes to see what has been discussed around the assurance program updates. Discussions around the assurance program started at the June 9 meeting.

Martin Smith moved to approve the draft minutes from the August 11 IAWG meeting. Maria Vachino seconded the motion. Motion carried with no objections. 

General Updates: n/a

Assurance Updates:

Maria suggested that as we continue to wait for the drop of the Revision 4 draft, this group could pre-compile a list of significant issues we know exist in Revision 3 and categorize them (e.g., needs more clarity, impossible to implement, etc.). This would give us a spreadsheet ready to go when the draft is published, which we could use to see what has and has not been addressed. Martin mentioned a compilation that was started when we thought we might be able to make pre-draft suggestions.

Andrew asked for two volunteers to lead this project - a task that will likely continue through the end of the calendar year including the 60-day public review and comment period. Lynzie will send an email out to the IAWG to solicit volunteers. We’ll put it on next week’s agenda to see if anyone has shown interest. Maria and Denny are both willing to help lead the effort if needed. Lynzie can assist in an administrative function.

Discussion:

OpenID Connect

Now in its fourth review, Andrew feels it is time for IAWG to take a look and decide if there is anything we should comment on. Ideally, we would submit comments after our September 22 IAWG meeting to meet the September 26 deadline for the early voting period.

Lynzie will send a separate email calling for volunteers interested in leading this project. It will consist more of collecting comments and compiling a response in the timeframe provided. At our September 1 meeting, we will have a brief discussion to determine whether we move forward with submitting comments or not. Denny mentioned his colleagues already have comments. Andrew shared that those comments can be routed through Kantara or submitted directly from their organization. That determination can be made internally.

63B SoCA Proposal

Lynzie and Richard reviewed the proposed changes to 63B#0650, #0660, and #0670 and the analysis of current CSPs that would be impacted by the change being made. The group agreed that these are non-material changes.

Motion:
Andrew moved that IAWG has determined that the modification to criteria 63B#0650, #0660, and #0670 related to hashing and salting of secrets is non-material and therefore can take the accelerated route to publish. Jimmy seconded the motion. Motion carried with no objections. 

Richard reviewed the proposed change to 63B#1820. In re-reading the NIST text, Kantara is asking CSPs to reestablish authentication under any circumstance when actually NIST recognizes this only when the claimed identity was established at IAL3. It needs to be clarified. This will not impact any current CSPs because nobody is currently approved at IAL3. There was a discussion about whether it was a material change or not. Jimmy believes it is just a correction. It was agreed that it is not material.

Motion:
Andrew moved that we accept the proposed changes to criteria 63B#1820 (all parts) clarifying the requirements to reestablish proofing for IAL3 cases and accept this as a non-material change for the accelerated process. Jimmy seconded the motion. Motion carried with no objections. 

SAC Update

With these final updates being passed by IAWG and not needing to go through the full public comment period and all-member ballot, Lynzie intends to have all new SAC sets published by 8/31/2022. Kantara policy states new criteria are effective on the first day of the fourth month after publication, making these effective on December 1, though it is encouraged to adopt as soon as possible. An email will go out to all assessors and current CSPs letting them know updates were made and the new versions will need to be used in their next assessment cycle.

Assurance Program

Lynzie shared the proposed assurance program updates that were sent with the draft agenda. Comments from Jimmy had already been incorporated prior to the discussion. He highlighted the need to be direct that these are Kantara requirements we assess against, not NIST. Those changes were made throughout the document. Additional edits were made to the document during the meeting.

The need to enhance public service descriptions was addressed. The conversation will be picked up next week due to time. The current version of the statement will be uploaded as a Google Doc for people to review, edit, and comment on prior to next week’s meeting.

Once we settle on language, this will be moved through the appropriate channels for adoption.

Any Other Business

Due to IAWG leadership travel, September 8 and 29 meetings are cancelled.

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!