Attendees: Ken Dagg, Richard Wilsher, SATO Hiroyuki, Mark Hapner, James Jung, Nathan Faut, Martin Smith, Ruth Puente
Key discussion items
- Ken raised at the beginning of the meeting, that there has been a thread floating around with respect whether it should be accepted or not assessment from other assessors, see https://kantarainitiative.org/pipermail/sg-63c-sac/2020-March/000023.html. Ken said he would like to hold this discussion before the Service Assessment Criteria. The ARB are the ones that determine whether a KAR is a good one or not, the idea is to have a discussion to inform them about the group’s opinion.
- Nathan argued that when it is being given somebody else’s report, that report has to be assessed and we determine if additional test work is needed or is acceptable as it is. He added that KAR it has to be treated the same way, as a member of the ARB for example, submissions are received, and the ARB has to go back to the assessor and say that something was not understood. If the first draft of the report were provided to someone else as part of another service offering with another entity, this assessor could be seen as looking at the first report going, that does not make sense to him either. The auditors cannot just assume it is right without doing some kind of analysis. Ken said he understands the position and was agreed to defer this discussion until after the assessment criteria is completed. Richard said that there are still criteria that need to be addressed and that we would need to involve ARB on the discussion. Ken stressed that if IAWG or ARB, or the sub-group are going to have a discussion on this, he would not allow this discussion if Nathan is not present; Ken mentioned that Nathan has a valid and very strong opinion and he would like to have him representing that and not himself. Nathan appreciated the consideration.
Discussion on Service Assessment Criteria
The draft used during the meeting was: KIAF-1450 SP 800-63C Service Assessment Criteria v0.05.1.xlsx
- Richard asked that when the three criteria that relate to FAL3, 63C#0470, are revised, to please have mind the comments from Pradheep, ID.me. It was decided last week to retain these draft criteria as they are for the record. Since they are the only ones which are specifically FAL3, why not include them now and cover them all in one. Ken agreed on this. Richard stressed that it will be included again unless anybody objects (nobody objected, and Ken ratified it).
- Richard suggested to continue with Dr. Sato comments.
- Sato agreed to withdraw for the moment the comment on non-uniform federations.
- Richard commented that it was started to be discussed if a Federation Assessment is tried to be made, and there are criteria which would be common to any Federation Assessment (because they are not Federation specific), then it could be recognized that on a second or third, or multiple Federation Assessment, findings of a previous assessment could be accepted. Therefore, it has to be reviewed the Federation specific criteria on each time around. He thinks that this principle would be for the IAWG to say “this is how we see our criteria being applied”, and then it goes to the ARB to determine to what extent could one rely on a prior assessment depending upon who did it and how old it was. Martin asked in what document would it be reflected, Richard responded that in the Service Approval Handbook. Ken commented that as it was previously discussed, it will be discussed specifically in a special working group future meeting. It is an ARB decision to make, and this group is only providing advice on this decision, he said that the point raised by Sato, it has to be deferred basically.
- Richard said that as the group goes through these criteria for RPs and IdPs, he thinks that it has to asked if this is a criterion that has to be assessed for each Federation Agreement or it would be a common item, so it does not have to be repeatedly assessed. Ken argued that if it is a criterion that is part of an assessment, it still needs to be determined assessor # 1 might do it, and assessor # 2 might have to do it for another agreement; and whether assessor #1 or #2 trusts the other determination, it is up in the air. Martin added that there are three levels of change here, one is a different assessor, one is a different framework authority like Kantara, and one is a different federation. Thus, there is not much that can be done about some of these differences. Ken argued that determination, he thinks it is whether if it is a different assessor, different set of rules or different federation being looked at, does assessor #1 or #2 trust each other’s work? Ken continued saying that regardless whether it is a Kantara assessor, the same issue holds. For example, he said, if Nathan is asked to do some work and Richard is asked to accept it, Richard would still review Nathan’s work. Nathan pointed out that the second assessor perform their own analysis and determine for themselves whether it is valid or not, and if the ARB says what did you do about that first assessment that you received? They can produce their work paper and make a determination based on its analysis.
- In relation to row 7: “The CSP SHALL at all times use cryptographic functions which are approved by the applicable authority” Richard commented that for him it has nothing to do with the specific federation which is being considered as part of a Federation Assessment. Ken said they have to at least review it, but if the assessors agree on this, it is ok.
- Again, about row 7: “Kantara-specific criterion to broadly enforce this requirement rather than state it repeatedly as it is found in the source requirements”, Richard explained that it is something he created because there are later requirements to use approved crypto functions. He thought it was much easier if it is put in here and it can be discussed. The terminology used in “The CSP SHALL at all times use cryptographic functions which are approved by the applicable authority” (KI_criterion), comes out of the criteria that was previously stablished. Richard asked if there is any problem with the wording in here. Ken commented around Federation Agreement potentially applicable for national authority. Richard said that he wonders if it is something that should be added to the requirements for Federation Agreement. He continued that when the requirements for having a Federation Agreement was written, it was broken into two parts. There is the requirement that addresses specific things that are in this publication “The Federation Agreement SHALL, as a minimum, address the need for:” (row 62), and there a set of things related to it. Richard said that it could explicitly be stated here indicating the applicable authority for 63C#006, and then, if others are found the list would be extended. It was stated as “specific applicable authorities to be referred to in 63C#0035”. It was accepted as a suitable solution.
- In relation to 63C#0050, Richard explained he wanted to be more specific and that is why he added in KI_criterion “FAL2” and FAL3”. Ken commented he agrees with it, it is a good statement that is testable and shows the requirement is met.
- About 63C#0060, Richard pointed out that he has to check the wording, he added it is inconsistent language.
- In 63C#0070, Richard expressed he has some issues with the interpretation of this criteria. He suggested to read the original source text (4.1). Ken said it seems to make sense. The criterion identified (the wording), seems to accurately reflect the requirements in the NIST document. He is confused with the actual requirement, but he mentioned that it is a different story. It was added as a note: “Seek NIST confirmation that these are mutually-exclusive options. How does the existence of a Federation make this any more useful than in a non-Federated?”. It was asked (because it confused him in 4.1), 63C covers Federations with and without a broker, correct? It was confirmed by Richard and Ken. He continued saying, when there is a broker, a broker takes under both, the role of an RP and an IdP. It was again confirmed. Within 4.1 when it talks about impersonation, this could be applying to the broker case where there is a relying party, there are two relying parties’ functionaries. Ken said it changes the NIST requirements, but number 2 on that, yes, the entity that is performing the role of broker takes on the role of an RP in one instance and takes on the role of and IdP in another instance. It is two separate roles that are undertaken by one physical entity. Impersonation to him is one role impersonating another role. It was added that RP1 is unable to create an assertion which would appear to be from IdP1. It was argued that the basic point here is that you have two conditions, you got a binary interaction between an RP and an IdP outside of a Federation, and then you have a Federation where there is some grouping of these things. Also, 63C is trying to define sort of what is different about that, in this particular case, you got an IdP who is a source of identity information and they see that they are interacting with some group of RPs. Then, IdP is simply saying we want to be sure that nobody claims a guide information from us that did not. Ken said he agrees, there should not be any difference; he stressed that this is beyond the scope of this sub-group because it is a NIST requirement, that it is an ideal question to NIST and the wording that Richard proposed fulfills that.
- Ken expressed that the discussion was really good, not many criteria were covered but some important points were raised for discussion.
- Richard said that he will not re-issue the document, he suggested to pick up with the same document at 63C#0080.