2024-07-25 IAWG Meeting Notes

Meeting Status Metadata

Quorum

quorate

Notes-Status

approved

Approved-Link

https://kantara.atlassian.net/wiki/spaces/IAWG/pages/615055364

The meeting status metadata table is used for summary reports - copy the status macros from the table in these instructions:

Quorum: quorate not quorate

Notes-Status: drafting Ready for review approved

Approved-Link: Insert a link to the Meeting Notes page holding the approval decision for this notes page

Agenda

  • Roll call, determination of quorum. Meeting was quorate

  • Minutes approval 

  • Kantara Updates

    • Desk Audit was successful for Kantara UK, working through final remediations, waiting for a head office visit to be scheduled.

  • Assurance Updates

  1. IAWG Actions/Reminders/Updates:

    • Proposed Meeting Cadence for June/Extended Summer*

      • August 8 (Passkey Presentations), August 22

      • *If rev.4 is released, this cadence will be updated 

  2. ISO 17065 Discussion Items

  3. Group Discussion:  

    • Potential Criteria Updates

      • Discussion: re: 63B#1340, 63A#0130 b) (Jimmy Jung’s email on May 28th),  and  63B#0120. Led by Jimmy.

    • ARB comment on potential bug in 63A#0510 criteria (Lynzie)

      • Talks about biometric performance requirements which is more about measuring algorithmic performance and not human performance. If using a human, this cannot be done.

      • #0510 references 63B authentication criteria and authentication doesn’t recognize human verification of the biometric against some portrait or reference biometric. The 63B criteria is only applicable to automated biometric systems.

  4. Any Other Business

 

 Attendees

  • Voting: Andrew Hughes, Jimmy Jung, Mark King, Yehoshua Silberstein, Vladimir Stojkovski

  • Nonvoting: Roger Quint

  • Guests: Josh Rooke-Ley

  • Staff: Amanda Gay, James Keenan, David Nutbrown, Kay Chopard, Lynzie Adams

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are <<9>> voters as of <<2024-07-25>>

 

Approval of Prior Minutes

Motion to approve meeting minutes listed below:

Moved by: Jimmy Jung

Seconded by: Andrew Hughes

Link to draft minutes and outcome

Discussion

Link to draft minutes and outcome

Discussion

No discussion, approved.

 Discussion topics

Time

Item

Presenter

Notes

Time

Item

Presenter

Notes

 

  • Potential Criteria Updates

    • Discussion: re: 63B#1340, 63A#0130 b) (Jimmy Jung’s email on May 28th),  and  63B#0120. Led by Jimmy.

Jimmy/Andrew

 

  • 63A#0130: Kantara has gone beyond what 800-63 requires by requiring a record of the unique reference numbers.

    1. Perspective from a client - is it worth the risk (owning PII) to keep these records?

    2. Question to the group:  Do we want to keep this expansion of what was given in 800-63?

    3. Mark: There are methods for showing that you’ve done the check (can match in the future/a hash of the thing itself, not the information).  Can compare later with keeping it all.

    4. James: Notes the need to confirm “correct, lawful basis for collection” in the contract.

    5. Jimmy: Is it OK to say we looked at it (not keep it) and that’s good enough?

    6. Jimmy’s recap: (2nd column)-original 800-63 requirement-you need a log and to identity the steps taken to identify an applicant and types of evidence presented in proofing process.  Far right column - Kantara’s criteria wants to know what kind of identity proofing was performed (supervised/unsupervised, etc) and we want a unique reference which is mostly like a unique reference number from that evidence.

    7. AHughes question:  Has any consumer ever asked a CSP to prove their  license was shown?

    8. Yehoshua: rev 4, line 1256 will state that the CSP has to save the identity evidence.  The CSP will have an account and included will be the validated identity evidence.  

    9. No change needed, since this will be required in rev. 4.

  • 63B#0510: Why are authentication attempts limited to 100? What comes after this? Can it time out and try again? ARB dismissed question.

    1. Yehoshua: These are guidelines, not standards.

    2. User will be locked out, need remedial efforts to try again. Once success happens, the counter is reset

    3. Is there any guidance on what action to take?  Jimmy to continue to look.

    4. No change needed, aside from additional guidance on Kantara’s materials.

 

  • ARB comment on potential bug in 63A#0510 criteria (Lynzie)

    • Talks about biometric performance requirements which is more about measuring algorithmic performance and not human performance. If using a human, this cannot be done.

    • #0510 references 63B authentication criteria and authentication doesn’t recognize human verification of the biometric against some portrait or reference biometric. The 63B criteria is only applicable to automated biometric systems.

Andrew

  • Hughes: This is a long standing bug in 63A and there is no way to achieve what they reference (biometrics–without confirming it is applicable).

  • Jimmy: Change the wording to something like “supervised proofing, remote or in person, where biometric techniques are used”?  Should address applicable requirements in 620 to 680.

  • Yehoshua:  This is part of the circle as to whether the person involved is a trusted referee or not, and what a trusted referee means, etc.  Kantara doesn’t accept a trusted referee making independent decisions.  Additional inconsistency in Table 5.3 (verifying evidence with 2 choices-physical or biometric), then when you do biometric you need to satisfy 63B 5.2.3 (biometrics)

  • Jimmy/Yehoshua/AHughes: concur there is some confusion.  

  • Clarification of the criteria to say “you don’t have to meet biometric requirements if you are not doing biometrics”

  • Yehoshua: Doesn’t rev. 4 require biometrics for IAL2? So this would simply be a temporary fix.

  • ACTION:  @Andrew Hughes Andrew/Group to follow up on this potential bug

 

 

 

 

 Open Action items

Andrew/Group to follow up on this potential bug

Action items may be created inline on any page. This block shows all open action items from all meeting notes.

 Decisions