2022-09-01 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, James Jung, Maria Vachino, Richard Wilsher, Mark Hapner, Denny Prvu, Michael Magrath
Non-voting participants: Eric Thompson, Lorrayne Auld
Staff: Lynzie Adams, Kay Chopard

Proposed Agenda

  1. Administration:

  2. Discussion:

    • Open ID Public Comment - determine if we will submit comments

    • 63-3 Project - determine leads & next steps

    • Assurance Program - continued discussion from previous weeks - statement of work is available for edits/comments

  3. Any Other Business

Meeting Notes

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

Andrew asked Lorrayne to introduce herself to the group as a new member to IAWG.

Minutes approval: Andrew reminded everyone to carefully review this summer’s meeting minutes to recall what has been discussed around the assurance program updates. Discussions around the assurance program started at the June 9 meeting.

Mark Hapner moved to approve the draft minutes from the August 25 IAWG meeting. Denny Prvu seconded the motion. Motion carried with no objections.

General Updates:

  • Keep an eye open for upcoming KIBoD elections and the all-member meeting held later in the year. The all-member meeting is held virtually.

  • November 16: Kantara, FIDO, and Venable are holding a workshop on 800-63-4 with NIST in attendance. The goal is that the 63-4 draft will be released on or near that date. It will be held at Venable in DC. Watch for more information and a Save the Date from Kantara.

Assurance Updates:

  • Signals seem to be pointing toward an October release date of the 63-4 draft for public comment.

  • Lorrayne discussed the 63-3 templates funded by MITRE for 63A. With the requirement changes anticipated in rev. 4, the templates will need to be updated. She’d like to do that in partnership with Kantara and potentially host them on Kantara’s website. Andrew confirmed that Kantara would like to make the partnership happen on this project. Details will be discussed when Lorrayne and Kay meet in the coming days.

Discussion:

OpenID Connect

A few members reviewed it. Denny does not believe it warrants a Kantara statement, but a ‘yes, we read it’ with an accompanying note is always good. Richard thought it could be more rigorous and has some questionable vocabulary; overall extensive yet clunky. He also feels saying nothing is appropriate under Kantara’s umbrella. Martin shared similar concerns.

The group is leaning toward not making a statement. If those feelings change in the coming weeks, please feel free to address this again and we can reconsider.

63-3 Project

This is preparation work for the 63-4 public comment period. The goal is to highlight areas of known concern in 63-3 that we feel need to be addressed in 63-4.

Lorrayne volunteered to lead this project with the support of Maria, Denny, and Mark Hapner. Richard reminded the group that everyone in IAWG will be involved, but this group will lead the coordination and efforts of the project. Martin suggested a place for people to drop comments and build on the accumulation we started earlier in the year. Lynzie will create a wiki page for this effort and share it widely.

Assurance Program

Richard Wilsher sent the IAWG list an email with some thoughts regarding the partial descriptor. The email and Andrew’s diagram in response can be read/viewed here.

Jimmy and Eric both voiced their concern over the branding and marketing of a ‘partial’ approval. CSPs would prefer to advertise a ‘component’ approval rather than a ‘partial’ one. There can be a negative connotation to the word partial; Experian can see ‘partial’ having a negative impact on the attractiveness of the solution to potential customers. Maria continues to worry about clarity for potential clients who may not understand what they are getting. Eric pointed out that the SoCA is available and defines what the approval covers, but acknowledged it is a long document that can be cumbersome. Potentially, clarifying/simplifying what the solution is and isn’t could be the answer. This could be addressed more explicitly in the public service description.

There continues to be some disagreement on whose responsibility it is to ensure potential customers know what they are getting. Some feel Kantara needs to be more direct and explicit. Others feel the SoCA covers everything and customers should review it when considering a purchase.

The group will consider more neutral labels to describe partial/component and expand the public service description for more clarity. The diagram is a reasonable expectation and will be used to further the conversation.

Mike suggested a delineated platinum, gold, silver, bronze system with defined language that consumers and RPs would likely understand.

The email also suggested a QR code linking directly to the TSL. Andrew thinks it's a good idea, but the CSP should be responsible for doing it and we should inform them of that. Richard thinks it is our TSL and our responsibility to police that it is being incorporated. Mark Hapner and Lynzie agree that Kantara should include the QR code and/or link. Andrew punted the implementation to the assurance program manager. Lynzie will speak with Armin about making the TSL able to link to particular pages; that is not currently an option.

Any Other Business

Due to IAWG leadership travel, September 8 and 29 meetings are cancelled.

IAWG leadership keeps an action item list. All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed; it is not our intent to overlook something!