2024-10-10 IAWG Meeting Notes DRAFT

Meeting Status Metadata

Quorum: not quorate

Notes-Status: Ready for review

Approved-Link: TBD


Agenda

  1. Administration:

  1. IAWG Actions/Reminders/Updates:

    • Meeting cadence - weekly.

    • NIST Comments - submitted.

  2. ISO 17065 Discussion Items

  3. Group Discussion:  

    • Proposed syncable authenticator criteria from Richard/Jimmy - Found in Meeting Materials on IAWG Wiki

  4. AOB

 

 Attendees

Voting: Jimmy Jung, Yehoshua Silberstein, Mike Magrath, Vladimir Stojkovski, Richard Wilsher (Regrets: Mark King)

Nonvoting: Wendy Brown

Staff: Amanda Gay, Carol Buttle, David Nutbrown



Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are <<nn>> voters as of <<YYYY-MM-DD>>

 

Approval of Prior Minutes

Motion to approve meeting minutes listed below:

Moved by:

Seconded by:

Link to draft minutes and outcome

Discussion


 

 Discussion topics

Item: Proposed syncable authenticator criteria from Richard/Jimmy.

Presenter: Jimmy/Richard

Notes:

  • Overview from Jimmy: Used the assessors finding column to find what is salient/pertinent.  Highlights are things that are potentially changing but also things that were originally referenced correctly.

    1. Discussion on wording is also found in Columns R and S.

    2. Source material: The Syncable Authenticator Supplement and the current draft of 800-63 rev. 4.

  • Discussion related to the challenges with syncable authenticators, particularly the inability to assess certain criteria due to lack of control over the technology.

    1. 63B #1150 - for both single/multi factor authenticators originally said no cloning.  Changed to cloning allowed with other criteria applicable.  

    2. 63B #1160 - delineates additional requirements for single factor, cryptographic device verifiers 

      1. A corresponding change should be made for multi-factor devices (pulled from 63B #1400 - additional criteria to meet: 63B #1980-2060)

    3. 63B #1290 - more guidance from Richard related to the additional requirements for the CSP for syncable authenticators, which the CSP has no control over.  

      1. No way to assess, and the criteria require the CSP to do things it cannot do.

      2. The criteria should be marked as “not applicable”.

        1. Tentative consensus from group.

    4. Yehoshua - is it better to keep that criteria from NIST and allow the CSP to “vouch” for certain systems/devices?

      1. Assessor standpoint - would potentially give the CSPs too much freedom/license for creativity

 

  • The importance of involving CSPs in the discussion was emphasized to avoid issues during public review; a suggestion was therefore made to publish a notice from Kantara regarding the proposed changes.

    1. ACTION: Carol to discuss with Kay about publishing a notice of proposed changes from Kantara to certified organizations (AAL2) for comments.

      1. Comments can be received via the IAWG mailing list.  Jimmy/Richard can collate into master spreadsheet.

  • Regular IAWG participants are also encouraged to provide feedback.

  • Jimmy and Richard to continue refining the criteria based on feedback.

 Open Action items

@Carol Buttle to discuss with Kay about publishing a notice of proposed changes from Kantara to certified organizations (AAL2) for comments.
  1. Comments can be received via the IAWG mailing list.  Jimmy/Richard can collate into master spreadsheet.


 Decisions