NIST SP800-63-2 v KI IAF Mapping
- Former user (Deleted)
This page holds information and documents related to the mapping exercise between KI IAF-SAC v3.0 and NIST SP800-63-2.
Work underway May - October 2013
Attachments
File | Modified | |
---|---|---|
Microsoft Word Document Kantara IAF-1400 SAC-63-2 v0-3 to v0-4 cf.docx |
Oct 02, 2013 by Former user | |
Microsoft Word Document EZP-63-2 v0-4.docx |
Oct 02, 2013 by Former user | |
PDF File EZP-800-63 Rev1-2 2013-09-30.pdf |
Oct 02, 2013 by Former user | |
PDF File DevPath.pdf |
Oct 02, 2013 by Former user | |
Microsoft Word Document KI EZP-63-2 v0-2--XXX.docx Disposition of comments form |
Jul 04, 2013 by Former user | |
Microsoft Word Document KI SAC-63-2 v0-2--XXX.docx Disposition of comments form |
Jul 04, 2013 by Former user | |
Microsoft Word Document KI EZP-63-2 v0-3--RAF.docx Comments from R. Furr 2July2013 |
Jul 04, 2013 by Former user | |
Microsoft Word Document EZP-63-2 v0-2.docx Marked up EZP 800-63-2 to match up with marked up KI IAF-SAC |
Jun 18, 2013 by Former user | |
Microsoft Word Document Kantara IAF-1400 SAC-63-2 v0-2.docx Marked up KI IAF-SAC to match up with EZP 800-63-2 |
Jun 18, 2013 by Former user |
Comments from the Editor
Comments from the Editor to the WG-idassurance mailing list, September 30, 2013
Folks,
Since we last reviewed these docs NIST has published 63-2 and I have had some exchanges with Bill Burr, prior to his leaving NIST on 09-30 (which could account for why things are presently furloughed!).
The final version of -2 caused me to revisit quite a bit of the previous work, in the course of which I noted that a number of our queries had led to changes being worked in to the final public doc, although some questions remain unanswered, and I think in some other cases we’re just going to have to make it up as we go along.
So, here’s what you have attached.
Firstly ‘Dev Path’ – a schematic to try to make sense of this.
The dark red docs are those attached.
What I want you to focus on is the doc in the lower left corner, with the gold boundary. This is the mapped SAC at v0-4 with changes shown from v0-3, which you last saw. Ignore any refs back to 800-63-2, these are being moved into a separate doc, as Ken suggested.
For your further ref I include the latest state of the mapped version of 800-63, EZP 63-2 v0-4, and also a reference document showing the changes from 800-63 -1 to -2.
I’d appreciate any comments on the SAC at v0-4 (with changes) during this week’s call.
Once the mapping cross-reference is complete this doc and the EZP 63-2 will go forward for public review prior to becoming THE ref version of the SAC (then as v4-0).
Thanks,
Richard.
Richard G. WILSHER
Comments from the Editor to the WG-idassurance mailing list, June 7, 2013
From: Richard Wilsher
To: IAWG
I attach two documents which represent the mapping ‘state of play’ as discussed during yesterday’s IAWG call. We agreed that we would seek review and response in time for discussion during the call on 2013-06-20.
In order to allow me time to prepare a proposed disposition of comments I am requesting your responses by cob Monday 2013-06-17.
I will shortly send out a pro forma for your use when responding with your comments. I have chosen to provide Word copies, which may facilitate your extraction of text if need be, rather than PDF, since I believe that the re-structuring of the -63 text has provided sufficiently discrete clause references to make a ‘frozen’ version unnecessary.
I suggest you review first ‘EZP 800-63-2’ and use the SAC mark-up as a cross-reference to determine the correctness of the proposed mapping. Mappings from EZP to SAC are precise – the reverse mapping from the SAC doc is not, in some instances, quite as clear as to which explicit clauses are being mapped back to the EZP doc. I will resolve that at the time that I later create a stand-alone cross-reference document.
Finally, some qualifying comments / excuses which I offered when I first circulated this on Wednesday and discussed on Thursday’s call.
Key observations:
1) The sections against which the mapping has been conducted are shown clearly in EZP;
2) Some new SAC requirements have had to be created and these are clearly shown as mark-up plus any new SAC text has background shading;
3) There are parts of 63-2 where the requirement is unclear – I’ve tried to highlight these and would appreciate your feedback on how I’ve interpreted them. I have also appealed to Bill Burr (NIST) for interpretations or clarifications of NIST’s intent and expect to hear back from Bill around June 5th;
4) I have put into the SAC cross-references to 63-2 with the applicable criteria, but as recently discussed (see below) will collate those mappings into another document – for the moment I think they are most useful as placed;
5) In some areas I feel that 63-2 goes into more detail or is quite explicitly US-centric than the IAF needs in general, and therefore have indicated with the following text, “+US / EZP800-63-2 Profiling”, where I think that it is appropriate to step back and require that CSPs applying for Approval of their service state explicitly that they are seeking SP 800-63-2 compliance and wish this extent of specificity be included in their assessment. They would then be required to show how their specific conformity to the IAF (SAC) requirement was met by adopting a particular profile aligned to 63-2. During the IAWG call of 05-28 there was discussion about how this could be represented in the final deliverables and the consensus appeared to be that this be conveyed in a discrete document, effectively a US Federal Profile for the SAC. Any further thoughts?
6) An implication of the above is that we should add to the SAC a comment to the effect that alignment is in general terms within the SAC and may require profiling within the application to a service seeking conformity to 800-63-2;
7) I’m interested in receiving comments on the appropriateness of criteria in sections 5.[AL#].6.4;
8) You may feel that, by expanding the 63-2 requirements into sections which discretely address each AL I have created a larger volume of text than is necessary, especially since in many cases the equivalence determined is only a matter of changing the digit applicable to the AL. Always wanting to get my rebuttal in first, I think this is justified to be sure that the implied requirements of 63-2 are drawn out, and my experience in performing this work has been that this approach has proven valuable because it has identified some shortcomings within the SP which are not apparent without this dissection. I therefore argue that, despite the inefficiencies of the duplication of text, it is better that we do this.
Thank you for your efforts,
Regards,
Richard G. WILSHER