/
2025-04-03 IAWG Meeting Notes

2025-04-03 IAWG Meeting Notes

Meeting Status Metadata

Quorum

quorate

Notes-Status

approved

Approved-Link

2025-04-10 IAWG Meeting Notes

The meeting status metadata table is used for summary reports - copy the status macros from the table in these instructions:

Quorum: quorate not quorate

Notes-Status: drafting Ready for review approved

Approved-Link: Insert a link to the Meeting Notes page holding the approval decision for this notes page

Agenda

  1. Administration:

  • Roll call, determination of quorum. 

  • Minutes approval - DEFERRED

  • Kantara Updates

  1. IAWG Actions/Reminders/Updates:

  2. Items for discussion

    1. Discuss clarifying the definition of "verifiers" in 63B#0120 to ensure FIPS 140 requirements are correctly applied to cryptographic modules, not entire organizations, and to resolve inconsistencies with 63B#0090

    2. Review proposal to revise Notice KI#2024-01 – Accommodation of Passkeys to include the following additional criteria - 63B#0780, #0790, #0800, #1630, #1640, and #1710.

    https://cdn.kantarainitiative.org/wp-content/uploads/2025/02/Notice-KI-2024-01-Accommodation-of-Passkeys.pdf

    1. Review proposed 'comparable alternative' criteria.

  3. AOB

 

 Attendees

Voting Participants 

Donald, India

GSA

 Present

Hughes, Andrew

FaceTec

Present

Jung, Jimmy

Slandala 

Present

Magrath, Michael

Easy Dynamics

Present

Silberstein, Yehoshua

Proof

Present

Stojkovski, Vladimir

CLEAR

 

Wilsher, Richard

Zygma Inc. 

Present

 

Nonvoting:

Brown, Cynetheia

 

Present

Brown, Wendy

 

Present

Bachenheimer, Dan

 

Present

Staff:

Buttle, Carol

Kantara

Present

Chopard, Kay

Kantara

Regrets

Guests:

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are 7 voters as of 2025-04-03

 

Approval of Prior Minutes

DEFERRED

 Discussion topics

Item

Notes

Item

Notes

Discuss clarifying the definition of "verifiers" in 63B#0120 to ensure FIPS 140 requirements are correctly applied to cryptographic modules, not entire organizations, and to resolve inconsistencies with 63B#0090

  • “63B#0120 is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.”    However, “verifiers” generally refers to an organization, typically the CSP.  FIPS 140 is Security Requirements for devices, specifically cryptography.  It seems most likely that the intention was to require cryptographic authenticators that meet FIPS 140.   Should clarity or guidance be added to this criteria?“

  • Jimmy presents the case and options to resolve

  • Suggestion - there might be an error in language in the NIST text - to replace the word “verifiers” into “authenticators”?

  • Consensus: go with Option 4

Kantara staff to update guidance column on 63B#0120 to read: “As described in 63B#0090, this is intended to exempt user-provided (“bring-your-own) authenticators from having to meet the FIPS 140 requirements, particularly on the government-to-public use case.“ ]

  • Resolved.

https://kantara.atlassian.net/wiki/spaces/undefined/database/1097334791?entryId=b2b4ac66-aceb-46d9-a51f-09580adc698e

Review proposal to revise Notice KI#2024-01 – Accommodation of Passkeys to include the following additional criteria - 63B#0780, #0790, #0800, #1630, #1640, and #1710.

https://cdn.kantarainitiative.org/wp-content/uploads/2025/02/Notice-KI-2024-01-Accommodation-of-Passkeys.pdf

  • Richard presents the case

    • 63B#0780 #0790 #0800 - not observable by the CSP. Q: are we considering passkeys to be OOB verifiers? A: The observation is correct - this is not in the scope of synchable passkeys which we are considering to be sofware cryptographic authenticators.

  • Jimmy thinks the #410 series (shared secrets) similarly does not apply to passkeys - these are referenced by #1290 which we are taking out in the notice. Should take #410 - #460 out of the notice. Richard points out that a CSP could be using multiple authenticator types - so criteria should not be removed from scope absolutely - they may apply to other non-passkey authenticators.

    • There is a general challenge with this - sometimes one criterion applies to two different aspects of the CSP system. So there might be two different responses to one criterion and this needs to be conveyed to the reader.

  • ACTION: Group to generate a list of additional criteria that should/should not be included in the notice, and how to resolve them.

  • Continue at next meeting

https://kantara.atlassian.net/wiki/spaces/undefined/database/1097334791?entryId=f2c38a03-decb-4c19-b9d5-70af457b90ae

Review proposed 'comparable alternative' criteria.

CARRY FORWARD

Email background:

https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/thread/XL57A4OVKRNLQMVRXL6X5KSXWN6LQJ3N/

  •  

 

 

 Open Action items

Action items may be created inline on any page. This block shows all open action items from all meeting notes.

 Decisions