
Attendees:

Voting Participants: Ken Dagg, Martin Smith, Richard Wilsher, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Pradheep Sampath, Roger Quint, Eric Thompson

Invited Guests: Jeremy Haynes, Blake Hall, Rohan Pinto, Pete Eskew

Staff: Kay Chopard, Ruth Puente

Agenda:

  1. Administration:
    1. Roll Call and quorum determination
    2. Agenda Confirmation
    3. Minute approval (DRAFT minutes of 2021-06-24)
    4. Staff reports and updates
    5. LC reports and updates
    6. Call for Tweet-worthy items to feed (@KantaraNews)
  2. Discussion
    1. Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4
    2. Australian Digital Identity Legislation Consultation Phase 2 - See: Public consultation on Australia’s Digital Identity legislation
    3. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. See: https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation
    4. Component Service Consumer criteria.

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of June 24; Richard W seconded. The Minutes were approved unanimously, as written.

Staff reports and updates: ED Kay Chopard. Focus is replacement for Ruth as PM for Assurance. First finalist candidates dropped. Back to LinkedIn, starting interviews. Looking for more junior PM rather than trying to replicate Ruth's experience out-of-the-box. Best case on-board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates:  Ken: LC had one meeting. Of interest, long-time Chair of UMA has stepped down due to business demands. mDL Privacy report is out for review–have a look. 

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Or send to Ken or Kay.

Discussion:

Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken notes listserv discussion and then invites Richard to lead resumed discussion. Richard W: believe we should do something in this space; may not be just for Fed agencies. Suggests we need a capability to assess alternative controls, based on a thorough process based on evidence regarding risk, etc. 

Eric:  agree that there's a need and opportunity here, to provide some rigor around alternative controls. Key thing is needing to quantify risk being controlled.  Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out.  Agencies / orgs don't have ability to do this themselves. 

Mark H: Agree. Broader need than Govt agencies. 

Kay C: Other Fed agencies I talk to feel they need technical, neutral help to make their decisions on IAM risk.  Believe NIST (David) is very wary about Kantara involvement but believe this can be reconciled. 

Richard W: Anil John was concerned about lack of communication between government and industry, but didn't have results. 

RQ:  If we do work in this area, will NIST welcome or oppose?  Richard W.  –  we should respond to our customers and work on NIST. 

Ken:  Maybe approach to GSA would work–they owned FICAM.  We need a Federal central-agency customer.  Kay says still meeting with GSA--Phil. New PM will do that when they arrive. Might be slow for a bit. 

RQ: Need some awareness and at least tolerance at NIST and GSA.

ET: Is there an opportunity for IAWG to help move this forward by putting out guidance related to quantifying proofing systems?

RW: Another point is, if we have a set of criteria, for assessors have customers not strictly locked in to (very conservative, tech-based) NIST stds.

Mark K:  Is this just a US issue?  Will check a bit with EU-developed materials. 

JJ:  Believe Fed agencies are thinking "I need IAL2", and would not buy something "comparable.." 

RW: We have been asked by a Member CSP working with a real Fed agency that has a need. We should respond.

JJ: Not sure every KI assessor is going to be able to make these judgments about risk and effectiveness. Might create a risk to Kantara's reputation.

MH:  If K states we are doing this analysis of alternative controls' effectiveness on reasonable criteria, then believe risk to Kantara can be reduced. 

JJ:  Believe RW's suggested added IAF criteria seem a reasonable basis. 

Ken: Notes that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency. 

ET: What we must do is make sure an agency customer is aware of the requirements of accepting "comparables".

RW:  We assess CSPs. Not RPs. We have criteria for federations that would impose requirements on their member RPs. 

JJ: How would we express the results of an assessment based on use of a comparable alternative control?

ET:  We would provide a memo clarifying that the service is/uses an alternative control. 

Ken:  good discussion. Summary:  seems worth pursuing, incorporating RW's draft criteria. 

RW, ET, KD, MH – agree. Ken: asks RW to be ready to discuss initial draft criteria. But may not be available for a couple of meetings in August. Ken: Next week is the 15th.

RW: Can have something for the 15th. 

JJ: Does ARB need to get involved?  What's the process where an alternative control is involved?  RW: agrees there needs to be a process to communicate the decision. 

RQ: yes we need to coordinate and communicate with NIST. RW: Yes, but we are not asking permission. 

MK: Australia: individual submissions only  Ken: yes. Deadline 7/14. 

Ken: Pan-Can framework new doc out for comment by 28 July revisiting "vectors of thrust" concept. Doesn't seem too relevant but will send around.

Close meeting at 2:05.

Next meeting 15th.








JJ: 


Next Meeting: Next Thursday, July ??  at 1PM US Eastern
