Voting participants: Ken Dagg; Scott Shorter; Richard Wilsher; Mark Hapner; José López
Non-voting participants: Roger Quint, Stuart Young, Martin Smith.
Staff: Colin Wallis, Ruth Puente
Quorum: 4 of 7. There was quorum.
a. Roll Call
b. Agenda Confirmation
c. Action Item Review: action item list
d. Minutes Approval: 2019-01-24 DRAFT Minutes and 2019-01-17 DRAFT Minutes
f. LC reports and updates
e. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
c. KBV at IAL2
3. Any Other Business
- Colin commented that Experian has been approved under 63-3 Trust Mark at IAL2 and shared the link to the Press Release https://kantarainitiative.org/kantara-initiative-approves-experians-crosscore-platform-for-conformance-with-nist-800-63-3-ial2/
- Colin commented that there are potential partnerships which would imply running new schemes.
Discussion on the revised Overview document - IAF 1000
- Richard provided substantive comments to the document, so a new draft would be provided soon.
- Ken went through the various sections, starting with the Abstract. He stressed some definitions of the terms, Relying Party (org that is running the online services), End User (client of online services) and Credential Service Provider (that the RP would rely on for authentication of the end user).
- Richard highlighted that we need to describe the Kantara´s IAF and suggested to look the terminology within the KI IAF scope. He suggested including the Glossary in the Overview, and using terms that have been defined. He added that there are some cases where the End user directly contact the KI CSP, and the RP may get involved later once the End user have a credential. Also, he suggested avoiding a definition for End user.
- Martin asked if the IoT would be included or it would refer to humans only. Richard responded that there are no criteria that allow to recognize non-human entities. Colin commented that someone has reached out Kantara for IoT Assurance, so if there is a business proposition, this would be included within the IAF scope. Scott said that it would be helpful to clarify in the Overview that we are not doing this for the devices benefit yet.
- It was said that it would be better to use "client" instead of "end user". Ken accepted the suggestion.
DHS CISA Emergency Directive ED 19-01 on the topic of securing DNS infrastructure.
- Scott commented that there have been recent reports on more active attacks on the Domain Name System, including the federal government. The Directive tells the agencies that they have 10 days to accomplish specific actions (audit DNS records, implement MFA, change passwords, make sure that only authorized certificates have been issued) to mitigate the problem.
- Colin encouraged to be sensitive with the market needs.
- Ken suggested reaching out DHS about this Emergency Directive. Colin responded that Kantara will take advantage of the good relationship with DHS S&T team on the KIPI Program, so the plan would be to request the contacts of CISA.
KBV at IAL2
Scott wonders what´s the approach of other TFPs to this issue.
- It was concluded that we need clarification from NIST.
- Richard asked if IAWG would be able to shape the criteria and make it implementable, in the absence of NIST comments? (set reasonable expectation). Ken suggested to follow up on this during the next meeting, as IAWG needs to discuss and get clarification on how to do this and how to record it.
- Colin to get contacts of DHS CISA.
- Continue the discussion on the way forward in the absence of NIST clarifications.