Voting participants: Ken Dagg; Scott Shorter; José López; Richard Wilsher
Non-voting participants: Roger Quint, Martin Smith, Pete Palmer, Stuart Young.
Staff: Ruth Puente
Quorum: 4 of 7. There was quorum.
- Roll Call
- Agenda Confirmation
- Action Item Review: action item list
- Minutes Approval 2018-12-20 Meeting Notes
- Staff reports and updates - Director's Corner
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
a. Unisys comments on 63A_SAC and impasse on KBV approval for IAL2. Please see attachment.
b. Update on Identity Proofing and Verification Use Cases Discussion Group
3. Any Other Business
2018-12-20 Meeting Notes were approved by motion.
Some announcements about inactive DGs and WGs will be made in the coming weeks.
Unisys comments on 63A_SAC and impasse on KBV approval for IAL2
Please see Unisys Report here: RQuint-Unisys Kantara Service Assessment Criteria - KBV impasse for IAL2.docx
NIST Special Publication 800-63A (NIST spec text): NIST.SP.800-63a.pdf
- Roger presented the issue he has found in the 63A criteria related to the use of KBV. He commented that the NIST 800-63A specification points to Section 5.3.2 to address KBV for IAL2. The heading specifically says: “The following requirements apply to the identity verification steps for IAL2…” Kantara SAC version 3 does not carry the requirements of Section 5.3.2 allocated for KBV compliance (those items are marked n/a).
Scott said that one of the NIST objectives was to define a level of assurance at which KBV was not sufficient, so that's why KBV is not defined as strong, and you need at least one strong. So he believes it's intentional.
Jose added that KBV is used when you try to resolve a unique identity.
RW commented that KBV applies to validation. He referenced section 5.3.1 Identity Verification Methods, which points to Table 5.3; the second sentence says: “The CSP SHALL adhere to the requirements in Section 5.3.2 if KBV is used to verify an identity”. So he believes there is an omission. He suggested reviewing section 5.3.1.
It was said that there is no mandate to use KBV, so there are no KI-specific criteria for it. We need to determine where and under what conditions KBV should be invoked. In Table 5.3 there is no reference to KBV in the strong row (only in fair).
- Table 5.3 says “a physical comparison of the applicant to the strongest piece of identity evidence provided to support the claimed identity”. (The "strongest piece" is singular.) At IAL2 we must have at least 1 superior or strong. Richard's interpretation is that verification needs to be done against a single piece of the 3 pieces you may have collected.
- IAWG agreed to reach out to NIST to get their feedback and understand their intention. After IAWG gets the clarifications, the issue would be raised again in a future IAWG meeting.
- Richard has sent a note as heads up to David Temoshok, NIST.
Update on Identity Proofing and Verification Use Cases Discussion Group
Link about IDPV use cases and how to join: https://kantarainitiative.org/groups/idpvusecases/
- They are discussing examples from National Programs, Healthcare and Financial industries, and also some "misuse cases".
- The DG is receiving contributions.
- Richard presented a set of 63A criteria that need to be changed. He will propose new text to discuss in the next meeting.
Action items: Reach out to NIST to ask for clarification on the KBV issue and obtain guidance.
Next Meeting: Jan. 24th