2022-09-15 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, James Jung, Maria Vachino, Richard Wilsher, Mark Hapner, Denny Prvu, Mark King
Non-voting participants: Eric Thompson
Staff: Lynzie Adams, Kay Chopard

Proposed Agenda

  1. Administration:

  2.  Discussion: 

    • 63-4 Project - updates & plan

    • Assurance Program - continued discussion from previous weeks - statement of work is available for edits/comments

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes approval:   

Mark Hapner moved to approve the draft minutes from the September 1 IAWG meeting. Jimmy Jung seconded the motion. Motion carried with no objections. 

General Updates:

  • Kay recapped FedID last week in Atlanta. David Temoshok and Ryan Galluzzo shared a PPT that can be viewed on our 63-4 page. November 16 is tentatively scheduled for a meeting supported by Kantara, FIDO, and Better Identity Coalition around 63-4. This date will move if the release date of 63-4 is pushed back again. There is also a potential that NIST will meet with this group as we learn more about the release date.

  • Kay also summarized the changes at GSA. Phil Lam has been reassigned and we have different contacts now. We’ve been speaking with Ken Myers recently and he’s interested in and supportive of Kantara.

  • ConnectID is now called Identity Week America and takes place in DC on October 4 and 5. Kay has been offered at least 10 free tickets, so if you are interested, please reach out to Kay.

  • General meeting is TBD but keep an eye out for that date. Work groups are going into charter review and nominations/elections for chairs going into the end of the year.

Assurance Updates:

  • Covered above in the FedID update.

Discussion:

Mark Hapner mentioned the S.1625 - Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2021 (text with notes from Jimmy) was soon to be approved. Part of that includes allowing notaries nationwide to perform remote online notarizations. This might be something we would be interested in looking at. Mark King asked if there was a requirement for location testing or checking - presumably it could be done from anywhere in the world. Andrew asked for interest in reviewing the statute and briefing the group on it - will be added to action items list. Mark will look into it. Jimmy provided some input as well (linked above).

63-4 Project - updates & plan

The page has been created and a spreadsheet was added for people to input areas of concern from 63-3. Please read and review this page and feel free to add anything either through the Google spreadsheet or editing directly in Confluence if you have the access. Richard asked for an explanation of what the purpose of the project is. Maria believes this list will help us look for and respond to known areas of concern in Rev 3. Once the release happens, we’ll need to consider new problems in Rev 4 in addition to the Rev 3 known problems. So ensuring we have the known problems listed now will help us in our response. Richard summed it up as a list of what we want to see fixed. Andrew suggests reading and contributing as you see fit and have time. Andrew asked Lynzie to communicate to our Assurance Program participants that our discussions will be transitioning to 63-4 in IAWG if they’d like to join. Lynzie addressed this in the new SAC set email with the group.

Richard questioned whether, if NIST actually structures the publication so that the criteria are easily identified rather than integrated into larger paragraphs, Kantara would still need to produce their own version of the criteria. Andrew believes things should be directly reference-able but we know there are gaps between what NIST covers and what people want. What do we do about that? Should Kantara create criteria for services and functions that NIST doesn’t cover but are out in the market? Is it time to evolve Kantara? Maria believes we need to be careful. When feds are doing acquisitions they want to ensure that when they see a Kantara Trust Mark - they know they are getting what is required for conformance. The needs of the public and private sectors are different and would need to be clear. Maria believes creating criteria would also be problematic - we’d need to see what standards are out there.

Assurance Program

Richard reiterated that the previous discussion on possible expansion of Kantara’s offered criteria sets further confirms the reason why the Trust Marks should be simple and with a QR code that links to full details.

Richard brought up his offer to head a subcommittee to give a concrete proposal for the group to review and confirm. Andrew suggested Jimmy also join the group for an assessor’s perspective. Lynzie, Eric, and will also participate in the group.

Andrew’s diagram was shared again. It was agreed that the diagram is helpful and should be formatted and available on our website. Recreating it in a similar fashion, using puzzle pieces to represent the pieces, will be looked into. Eric thinks this view is helpful. Maria agrees that this can help show what we mean by component if it is displayed on the classes of approval page and other prominent places on the website.

Jimmy asked what people want to use - partial or component.
Component - Jimmy, Lynzie, Eric, Richard, Maria
Partial - none

We’ll take this topic off the agenda for a few weeks while the small group works on it and returns with a concrete proposal for the group to review.

Any Other Business

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!