Attendees: Martin Smith; Mark Hapner; Richard Wilsher; SATO Hiroyuki; Ken Dagg; Nathan Faut; Ruth Puente
Key discussion items:
- Richard went through the draft v.0.03.0 with Martin's comments: KIAF-1450 SP 800-63C Service Assessment Criteria v0.03.0.xlsx
- Ruth reminded the team that at the last meeting we stopped at 63C#0100; item 2 was agreed to be deleted as it had problems of interpretation.
- In relation to 63C#0260, Ken commented that it should stay in there for RPs and IdPs, as well as Federation Authorities. It cannot be assumed that all IdPs will be Kantara approved. Richard said it is a good perspective. It was decided to add a second item on this criterion related to the Federation Authority; Richard added that this will probably also have to happen with the other criteria. It was asked whether it is possible to put something there that references these other requirements, simply saying that they will have to be covered in the Federation Agreement, or whether all of them have to be covered somehow. Richard responded that it will be kept as an open question until getting to the criterion where it says that a Federation Agreement should be created (not specific in 63C). Martin pointed out that an IdP that was already approved and reviewed for 63 conformance might have to have a few things added that were unique to that federation, in order for Kantara to assess them and give the Federation Authority a complete product, so they do not have to get into the assessment business themselves. It might include not only things driven by 800-63-3 but also anything that their particular agreement added on top of that. Ken said this is something that needs to be dealt with in July or after the 63C SAC is created; it could provide a new vehicle to market to new IdPs, not just a federation assessment but a larger assessment.
- Ken agreed with the criterion from 63C#0310; however, he suggested being more assertive, i.e. that the Federation shall create, maintain, approve and publish a documented Federation Agreement. Richard added that first they need to receive the information they need to create a Federation Agreement before being asked to do something else. Richard made the changes suggested by Ken. It was asked what publish means, i.e. whether it means public. Richard agreed with this same concern. Richard said that the word publish means to the affected community, although this is not explicitly stated. He also said that he will check this in ISO, to see how it is defined there. The phrase was modified to “make available to stakeholders”.
- Regarding the wording of 63C#0320, Richard commented that more assertive words could be used. Moreover, Richard mentioned “The Federation Agreement SHALL, as a minimum, address the necessary:” and argued that “address the necessary” is ‘weasel’ wording. Consequently, a new category was added saying “Any necessary terms and conditions to be observed;”.
- About “Federation authorities SHALL establish parameters regarding expected and acceptable IALs, AALs, and FALs in connection with the federated relationships they enable” (63C#0320), a note was added: “Create two criteria, one for mandatory elements of the FednArgmnt, one for ‘if necessary’”.
- Discussion on adding requirements addressing testing and the frequency of re-assessment to ensure ongoing conformance (63C#0330): Ken asked whether (considering points b, c and d from 63C#0320) there is a testing requirement. It was added that 63C#0330 says “Federation authorities SHALL individually vet each participant in the federation to determine whether they adhere to their expected security, identity, and privacy standards”, but it does not mention how often. Richard was also asked whether there is somewhere a requirement to report security issues. Richard responded that none of the things in gray are expected in 63C, therefore the question has to be ‘to what extent is Kantara able to, or should Kantara create new requirements which add greater rigour to a party which intends to operate as a Federation Authority?’. Richard added another note: “Add testing and frequency of affirmation of conformance (aka ACR)”.
- In 63C#0330 c), “reporting material changes to service, breach reporting” was added.
- In 63C#0330, “Federation authorities SHALL individually vet each participant in the federation to determine whether they adhere to their expected security, identity, and privacy standards”, Richard commented that he added three possible ways of doing it. The first is “Each federation SHALL approve each Federation member/participant iaw the provisions of the Federation Agreement defined in response to 63C#0320 h)”. The second is “The Federation Authority SHALL ensure that each Federation member/participant has been approved by the designated entity iaw the provisions of the Federation Agreement defined in response to 63C#0320 h)”. The third is “The Federation Authority SHALL ensure that each Federation member/participant holds Kantara Approval for the applicable scope of functions iaw the provisions of the Federation Agreement defined in response to 63C#0320 h)”. Ken commented that options 1 and 2 are redundant (2 with respect to 1). About 3, he said it goes back to the earlier discussion as to whether Kantara approval is inclusive of everything that an IdP should have in order to get an FAL IdP approval. Option 3 was eliminated.
- Ken made clear that points 1, 2 and 3 in rows 61-63 (#0320) are, in essence, part of the Federation Agreement. Richard confirmed it; he will separate them into a different category of criteria, ‘Federation Agreement’.
- Richard to separate 63C#0320 rows 61-63 (points 1, 2 and 3) into a different category of criteria as part of the ‘Federation Agreement’.
- Richard to check in ISO what publish means (in reference to 63C#0310).