IAWG-082013

Provided by Myisha Frazier-McElveen, Chair of the IAWG

1. What is the hot topic in your WG or DG this week/month?

The IAWG has been mainly focused on two primary activities: the IAF alignment with NIST SP 800-63-2 and the Modular IAF. Each of these efforts seeks to align the IAF with requirements of stakeholders to meet real-world implementation needs. Alignment with NIST SP 800-63-2 is an effort that is underway to ensure that the IAF remains compliant with the most recent public Federal Government requirements around Electronic Authentication so as to meet the needs of the customers leveraging the FICAM program. The Modular IAF work effort focuses on identifying the various components that make up the typical Credential Service Provider role and determining the certification / approval processes associated with each. Driven by requirements of industry to obtain approval for a component of a full service, this work will potentially allow for Identity Providers to be approved independently of Credential Service Providers. This method of approval can facilitate the ability of individual components to pair up as necessary for full certifications or to ensure that the partial services can be certified against the IAF requirements.


2. What events are members of your group planning to attend in the next quarter where talking about Kantara might make an impact?

Cathy Tilton contributed that Daon will be attending the Biometric Consortium Conference in Tampa (September 17th - 19th) - http://events.jspargo.com/biometrics13/public/enter.aspx

I believe it was Matt who mentioned the IAPP Conference in Bellevue, Washington (Sept 30 - October 2) - https://www.privacyassociation.org/events_and_programs/iapp_privacy_academy_2013

 

3. What deliverables is your group focusing on next out of your group's charter?

The most pressing upcoming deliverables that the group is working on include the alignment of the IAF with SP 800-63 (to include a streamlined glossary) and the modular IAF. 


4. What do you really want to get people excited about to encourage participation in your area?

We're looking for resources to help lead and participate in two particular work streams that have been identified as needs by the IAWG.

1) Requirements around Content Management for the IAF

2) Relying Party Guidelines - call for participation

In most Trust Federations (e.g., the Federated Identity and Access Control (FICAM)) there is an underlying assumption that Relying Parties will be eager consumers of IdP and credential services - 'outsourcing' these functions offers clear benefits like increased security via IdP focus on best practices, decreased operations/infrastructure expense, improved customer experience, and lower barriers to entry. Furthermore, it is expected that IdPs are eager to provide services to RPs without any cause for concern in doing so.

However, in the real world, onboarding RPs express concerns and issues such as account recovery, data protection of PII in an RP's hands, lost password/IdP processes, terms, conditions & agreements, uncertain dependencies on external providers, and 'new' technologies.

These concerns increase the likelihood that Relying Parties will choose the easiest path (install a canned password authentication database tool and worry about all the other stuff later). This in turn, because of a lack of market, causes hesitancy on the part of IdPs to participate in the federated model.

Why is it so hard to convince the RP? Are the CSP / IdP / Federation operators / Trust Framework Providers talking in code that the RPs do not understand? What would provide a level of comfort for the IdPs that their end users are being handled with the appropriate level of security and privacy by the Relying Party?

Join this discussion and help to:

- define the problem space that we think exists

- do some preliminary discovery with existing CSPs/IdPs/RPs to hear about what's broken and what works

- develop a set of Use Case outlines to inform further working groups

 

The approach Kantara will take is: 

- form an Ad Hoc group to start the discussion and make the case; 

- present a recommendation to Leadership Council (LC) for (no action needed / Existing Work Group Effort / Discussion group formation / Working group formation / sub-group formation); 

- act on LC guidance to further the work.

 
