TFS Sync – 10 February 2016

Draft Meeting Notes

Attendees

Ken Dagg, KI

Leif Johansson, ARB Chair

Brian Lipsky, Kimble and Associates

Paul Caskey, Incommon

Kevin Morooney, Incommon

Ruth Puente, KI

David Dewey, GSA

Jonathan Prisby, GSA

Lee Aber, ID.me

Stephen Skordinski, Electrosoft

Adam Madlin, Symantec

Brian Dilley, Verizon

Scott Shorter

Nandini Diamond, FICAM

Paul Grassi, NIST

Colin Wallis

Russ Weizer, Verizon

Agenda

1. Roll Call and Welcome.

2. FICAM Workshop in WDC (January 14th)

3. IAWG Update

-Kantara Mapping Reports.

-KIAF-1401 SAC Spreadsheet.

-Privacy criteria.

4. Open space

5. Next steps

Key discussion items

It was stressed that the purpose of the Sync is to get the stakeholders together in the TF process and an opportunity to talk to each other. The discussion is based on the Chatham House rules, anyone who comes to the meeting is free to use information from the discussion, but is not allowed to reveal who made any comment.

FICAM Workshop in DC – January 2016

- Industry comment: the notion of re-stating requirements in form of control objectives, it helps improve the way to innovate.
- The meeting notes are in the Google doc., which was circulated to the attendees and some KI WGs. KI will circulated the document in pdf version and the link to the Sync wiki with the meeting notes.
- Regarding the formation of the FICAM charter, it was highlighted that the development would need the involvement and contribution of all the stakeholders.
- KI stressed that just want to create the venue and help to get the work done.
- FICAM commented that the charter would inform how the interaction of the different TFP shall be with FICAM as the facilitator.
- The FICAM workshops will be organized quarterly and the next workshop will include RPs.
- FICAM is analyzing the UK and Canada processes.
- Regarding the comparison of FICAM and the UK, KI has published a document which is available at: https://kantarainitiative.org/road-to-multilateral-recognition/

IAWG Update

It was informed that 2 new mapping reports were released:
IAF 5415 provides a mapping between IAF -1400 SAC and ISO/IEC 29115 (ITU-T X.1254).
IAF 5463 provides a mapping between IAF-1400 SAC and NIST 800-63-2. The mapping is based on a re-expression and re-structuring of ’63-2, so as to make each discrete requirement uniquely referenceable.
The Mapping Reports are available at: https://kantara.atlassian.net/wiki/display/LC/Identity+Assurance+Framework
-KIAF-1401 SAC Spreadsheet is being developed to pursue transition of the SAC to objective oriented and facilitate cross federation mapping.
-Privacy criteria will be discussed in the upcoming IAWG calls. Attendees were invited to participate in the discussion.

The TFS Stakeholder Sync will be set Monthly.

Incommon Update:

Incommon has 5 certified CSPs, one LoA2 and the others LoA1.
The Assurance Advisory Committee is moving from assurance focus to trust focus practices. Incommon is a TFP but also a federation provider so they have the infrastructure as well.
Organizations that participate in the Assurance Program are looking to broaden the agenda from specific FICAM Program to also including other communities such as being able to assert multifactor in a very light weight way.
They are exploring an interesting use case, there are universities that have the RP in the cloud and want the cloud provider to be able to, upon or by policy dictated by the University, trigger MSA based on a transaction policy, so the campus requests the RP to request back MSA authentication.
As part of the practices upgrade, they are working on 5 practice statements for IdPs, SPs and RPs, which Incommon will share shortly with the TFS group.
There is a real market for basic identity verification but strong authentication on the top of it. Multifactor, trusted devices and trusted networks, notion of stronger authentication.
Certified work, is a Trust Framework focused on participants willing to participate in incident response for federated identity. It is an international effort that was headed by EU research. The concern in Identity Assurance is the need to be a corresponding communication mechanism when an Identity Assurance is compromised. In Higher Education there is a disconnection between those that run the Id management system and those responsible for the security. There is an interesting discussion about messaging mechanism that could be run by the federation as a way of handling the security issues, a component of security that affects the Identity Assurance.

It was recommended the following IETF discussion mailing list: https://www.ietf.org/mailman/listinfo/id-event

Browser not supported