Attendees: Richard Wilsher, Ken Dagg, Martin Smith, SATO Hiroyuki, Mark Hapner, Ruth Puente.
Apologies given in advance: Andrew Hughes, Nathan Faut and Björn Sjöholm
Key discussion items
- Ken thanked ID.me for sponsoring the work to develop 63C SAC. He said that the sub-group work would take about 8 weeks until the end of April. Afterwards the 63C SAC draft will be subject to Kantara's approval processes, which would take 2 months. Thus, the plan is to get the document approved at the beginning of July 2020.
- Richard walked the participants through the 63C SAC draft v0.1.0 (KIAF-1450 SP 800-63C Service Assessment Criteria v0.1.0.xlsx).
- Martin asked about the meaning of the column heading "Fed IdP". Richard clarified that "Fed IdP" means Federal IdP (US Federal Agencies).
- In relation to the Federation Authority (FA), Richard remarked that, according to the discussion he had with NIST colleagues, the FA is the entity responsible for a) defining the requirements which should be common to all participants within the Federation; b) determining that participants in the Federation meet those requirements. Furthermore, there is a criterion stipulating that the FA must produce a Federation Agreement, which defines what the participants in the Federation should do and which should include policy and terms and conditions, among other items. He added that this requirement is not in the NIST guidelines. SATO supported the idea that the FA is a single party that sets the rules, and that the governance of the Federation should be specified and defined.
- Richard said that a possible requirement for the Federation participants could be that the entities must be Kantara approved, but it would be up to the Federation to determine this.
- It was pointed out that the NIST standard is written for US Federal Agencies.
- Criteria 63C#0010, 63C#0020 and 63C#0030 (rows 4, 5 and 6) were accepted without changes.
- In criterion 63C#0040, on proxied transactions, it was agreed to add "only present assertions" after "SHALL" for greater clarity. It was said that a proxy is the same as a broker, but NIST avoided the latter term as it may have other implications.
- Ken suggested that "PII" on item 2 of 63C#0100 is too restrictive, and would say "any Subject information".
- It was agreed that item 2 of 63C#0100 is not necessary: since the CSP or RP will be subject to these criteria, they have to do it anyway, whether the FA asks for it or not. Moreover, the FA is already enforcing the rule in item 1.
- Ken encouraged the group to continue the discussion on the governance of the Federation at the next meeting.
- Richard invited all participants to add comments and suggestions under column "T" and add the commenter initials under column "S".
- Ruth pointed out that the materials and relevant information are sent to the sub-group mailing list, email@example.com.
- Next Meeting: March 11th.
- Richard to send the revised version to the Sub-group mailing list.
- Participants to send comments on the revised draft before the next meeting on March 11th.