2024-11-07 IAWG Meeting Notes DRAFT

Meeting Status Metadata

Quorum: not quorate

Notes-Status: Ready for review

Approved-Link: TBD

Agenda

  1. Administration:

  1. IAWG Actions/Reminders/Updates:

    • Meeting cadence - weekly.

    • Upcoming Cancellations: 

      • November 14

      • November 28

      • Potential for more cancellations in December.

  2. ISO 17065 Discussion Items

    • Carol: findings from David have been closed out and returned to UKAS. He is pushing for the dates of the next review.

  3. Group Discussion:  

    • Proposed syncable authenticator criteria from Richard/Jimmy (Found in Meeting Materials on IAWG Wiki).

  4. AOB

Attendees

  • Voting: Jimmy Jung, Michael Magrath, Andrew Hughes, Yehoshua Silberstein, Richard Wilsher, Vladimir Stojkovski

    • Regrets: Mark King

  • Non-voting:

  • Staff: Amanda Gay, Kay Chopard, Carol Buttle

  • Guests:

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are 7 voters as of 2024-11-07.

Approval of Prior Minutes

Motion to approve meeting minutes listed below:

Moved by:

Seconded by:

Link to draft minutes and outcome

Discussion

Discussion topics

Item: Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials on IAWG Wiki).

Presenter: Group

Notes:

  • Last meeting recap:

    • Group consensus that the unobservable/unassessable criteria do pose some risk and there should be something in place.

    • A clear direction/statement/risk-based approach is needed to handle these things posed by rev. 4 / the rev. 3 Supplement.

  • Mike M: reports NIST got over 2K comments to work through.

  • Carol: notes continued inconsistencies in language that could be problematic.  Agrees on a risk-based approach but clarity from NIST regarding an acceptable level of risk would be needed for assessment purposes.

  • Andrew H: Considers the risk related to the unobservable criteria to be between the CSP and federal agencies; what can we ask the CSP to have in place to identify/accept that risk? Include something in the agreement/terms of service?

  • Richard: Proposes a notice referencing the affected criteria and the unobservable nature/unassessability of such criteria and how the applicability of that criteria will be recorded.  It would be easier to change/modify notices and criteria as things move forward with NIST guidance.

    • Carol: Notices can be a really useful functional tool in clarifying what’s in/out of scope.

    • Kantara may need a more formalized/detailed approach to notices with references included in TSL, SoCA, etc.

    • Notice could include recommendation(s) to CSPs for how to proceed.

    • Goal would be a single source, easily accessible document.

  • Group consensus on notice/SoCA approach for handling syncable authenticators.

  • Richard’s note in chat:

    • Notice 2024-01: Accommodation of Passkeys

    • Use of Passkeys presents difficulties when Kantara assessments are confronted with criteria for which the CSP is unable to provide evidence of conformity because the referenced functions are beyond their control, or even awareness, because the related functions are within the Passkey implementation fabric. Consequently, KI’s Assessors are unable to determine meaningful findings with regard to such criteria.

    • Furthermore, industry is faced with widespread adoption of Passkeys, and their very ubiquity establishes them as an established practice such that they cannot be ignored.

    • Accordingly, CSPs which deploy Passkeys shall mark the criteria listed below as having the following applicability:

      “In scope – Not applicable
      Refer to KI Notice 2024-01”

  • Also needed: List of affected criteria

  • Notice is the path to take.

  • ACTIONS:

    • @Richard W: Consolidate list of affected criteria and propose notice language.

    • @Andrew/Staff: Review/Develop a Kantara process for managing/publishing notices.

      • Initial thoughts: Add to TSL page? Some motion within IAWG to do this.

  • Additional work:

    • Richard: still sees errors on TSL (definitions); Carol will be working on soon.

    • Some nonmaterial things still need publication and further breakdown of acceptable combinations of evidence. Andrew/Carol to discuss.

Open Action items

  • Richard W: Consolidate list of affected criteria and propose notice language.

  • Andrew/Staff: Review/Develop a Kantara process for managing/publishing notices.

Decisions