2024-10-17 IAWG Meeting Notes DRAFT

Meeting Status Metadata

Quorum: not quorate

Notes-Status: Ready for review

Approved-Link: TBD


Agenda

DRAFT 10.17.2024

  1. Administration:

     a. IAWG Actions/Reminders/Updates

  2. ISO 17065 Discussion Items

  3. Group Discussion:

    • Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials on the IAWG Wiki).

      • Review any comments/continued discussion

Attendees

  • Voting: Andrew Hughes, Richard Wilsher, Jimmy Jung, Mark King

  • Non-Voting: Tim Anderson

  • Staff: James Keenan

Quorum determination

The meeting is quorate when 50% + 1 of voting participants attend.

There are 12 voters as of 2024-10-17, so 7 voting participants are needed for quorum; 4 attended, so the meeting was not quorate.

Approval of Prior Minutes

Motion to approve meeting minutes listed below:

Moved by:

Seconded by:

Link to draft minutes and outcome

Discussion


Discussion topics

Item: Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials on the IAWG Wiki).

Presenter: Richard/Jimmy/Andrew

Notes:

  • 63B#1150: Wording was discussed and it was agreed that the criterion should avoid enabling the cloning of SFCS (single-factor cryptographic software) authenticator secret keys onto multiple devices.  Open question on terminology: should the criterion refer to SFCS authenticators, key authenticators, or FIDO passkeys?

  • FIDO passkeys vs. SFCS key authenticators: Richard Wilsher suggested being technology-specific and creating a profile for FIDO passkeys as distinct from SFCS key authenticators, written so that it relates to/overlays the existing criteria when invoked by a CSP, eliminating the need to change the 63B criteria.  Jimmy and others debated the necessity of such specificity, with concerns about the complexity and practicality of implementing it.  Andrew H. pointed out that the NIST supplement is itself technology-specific (FIDO).

  • ACTION: Richard Wilsher to draft a potential profile for FIDO passkeys.

  • Agreed to change "cloning" to "syncing" (although the terms are not exact equivalents) to prevent confusion.

  • 63B#1270: Multi-factor wording should be changed to match the single-factor wording.

  • 63B#1290: Remove the exclusion text; keep the parenthetical that points to the guidance.

  • Notice: Should have a reference associated with it (it needs to be findable online); the notice should be published at the same time the criteria go out.

  • Risk assessment: Tim Anderson suggested a risk-based acceptance approach for syncable authenticators, which others supported as a potential solution.

    1. Noted preference (as a CSP) for Kantara to include these authenticators in an assessment and to be able to include them within the scope of an approval, since customers (that consume NIST credentials) look to see what Kantara has reviewed/approved.

    2. CSPs would make an affirmative statement of what is being provided and how the risk is accepted and/or mitigated.

Open Action items

  • Richard Wilsher to draft a potential profile for FIDO passkeys.

Decisions