Voting participants: Mark Hapner; Martin Smith; Ken Dagg; Richard Wilsher; Tom Jones
Non-voting participants: Manvendra Kumar; Sarah Chu, Easy Dynamics (representing JJ Harkema); James Jung; Mark King.
Staff: Ruth Puente
Quorum: As of 2019-12-19, quorum is 3 of 5. There was quorum.
c. Action Item Review: action item list
d. Minutes approval: 2020-07-16 DRAFT Minutes
e. Staff reports and updates - Director's Corner and Keeping up with the Kantarians
f. LC reports and updates
g. Call for Tweet-worthy items to feed (@KantaraNews)
a. Kantara comments on how SP 800-63-3 could be revised for NIST’s consideration in developing Revision 4
b. Review and approve 63B_SAC at AAL3 and 63C_SAC at FAL3 criteria
c. Review and approve the revised Glossary & Overview
d. DIACC Request for Comment and IPR Review: PCTF Assessment & Infrastructure Draft Recommendations
2020-07-16 Minutes were approved by motion. Moved: Mark Hapner Seconded: Martin Smith. Unanimous Approval.
- The eGov WG, after performing a lot of good work for Kantara, has decided to shut itself down, given that it has not been active for a while and has found it hard to get members to attend; that vote has recently passed the LC.
- Mark King reminded the group about the eIDAS Public Consultation on digital identity and trust: https://ec.europa.eu/digital-single-market/en/news/digital-identity-and-trust-commission-launches-public-consultation-eidas-regulation . It was agreed that IAWG will generate comments on it. Ken added that, as the deadline for comments is in October, the plan is to start the review at the end of August. It was also requested that this review work be promoted on Kantara channels.
- Tom shared a couple of standards developed at OpenID and in the FIRE WG. The FIRE WG specification may result in the need for something like criteria for mobile apps at some point in the distant future.
Review and approve 63B_SAC at AAL3 and 63C_SAC at FAL3 criteria
- Drafts reviewed during the meeting: KIAF-1440 SP 800-63B Service Assessment Criteria v3.1.0.xlsx and KIAF-1450 SP 800-63C Service Assessment Criteria v0.17.0.xlsx
- Richard explained that the multiple-parties practice from FAL2 was adopted and worked into the IAL and AAL SACs; in doing so, those criteria which relate specifically to federal agencies, or which might also apply to RPs, were pulled out, in order to take the AAL criteria to their fullest implementation, responding to the absolutely normative criteria.
- He has updated all the tags because it is a substantial change. There is a new contiguous set, and the old tags will remain for at least a year or so while we transition to the new ones.
- Changes are in red text; there have been a few changes which have affected level 2 because we have been more inclusive this time with federal agencies.
- There are around 30 to 40 new discrete criteria at AAL3.
- It was decided to defer approval of the AAL3 criteria to next week.
- Basically two criteria, one of which has three subparts.
- Richard: We don't assess subscribers, but we could assess an RP. Therefore, we would require the RP to require the subject to prove possession, etc., and that is the reason we have made these changes.
Motion: IAWG to approve the FAL3 criteria as presented. Moved: Tom Jones. Seconded: Mark Hapner. Unanimous Approval.
- The xAL3 SACs will go as a package for 45-day Public Comment and IPR Review.
- Mark Hapner asked whether, in terms of overall impact, the changes are improvements or extensions, and what the actual objective for the changes in general was. Richard responded that we have to go back to the NIST requirements for that. He thinks it is a question of demanding greater rigor or, in some cases, denying some of the authentication techniques that might be allowed at level 2 because they were not considered strong enough for level 3. As you move from one assurance level to the next, stronger, higher level, it is all a question of removing weak solutions and increasing the rigor. Richard pointed out that an extension was made to the user guide in that document, in order to make the point that these criteria are simply Kantara's way of interpreting the normative statements which NIST has made, and we do not offer an explanation of why those criteria should be as they are. To understand that, you have to go back to the appropriate volume of NIST SP 800-63-3.
- Mark Hapner: What do you think the impact on RPs and CSPs will be to actually conform to these changes? Richard responded that it depends on the individual organization; they may have already gone ahead, read the NIST specs and implemented something which they believe to be IAL 3 conformant. They have to review the criteria that we have produced and consider whether they could fulfill them if they were to go through an assessment process. It is a question of the maturity of any particular organization with regard to this standard.
Review and approve the Revised Glossary & Overview
- Richard commented that 4 comments were received from Mark King, and Richard and Ken provided a disposition of comments on the glossary (Kantara IAF-1050 v1.0.7 DoC v1.0.xlsx).
- He stressed that we are not defining terms for the world, but only for Kantara.
- Further review and approval was deferred to next week.
DIACC Request for Comment and IPR Review: PCTF Assessment & Infrastructure Draft Recommendations
- Ken commented that the Digital Identification and Authentication Council of Canada (DIACC) has released another two components of the Pan-Canadian Trust Framework (PCTF) for review. The PCTF Assessment component establishes the certification scheme that verifies that a process, service, or product conforms with PCTF criteria. The PCTF Infrastructure (Technology and Operations) component identifies the policies, plans, technology and technology operations required to implement the principles of the PCTF Profiles in the context of a Digital Identity Ecosystem. It also identifies the criteria that will be used to assess that a service's technology and operations meet those requirements.
- It was agreed to start reviewing and generating comments at the next IAWG meeting.
- Link to DIACC request for comments: https://diacc.ca/2020/07/20/assessment-infrastructure-technology-operations-draft-recommendations/
- Deadline to submit comments: August 10th
Kantara comments on how SP 800-63-3 could be revised for NIST’s consideration in developing Revision 4
- Ken walked the group through the comments and suggestions that have been received to date.
- Tom Barton provided a set of comments on 63C, see Comments on 800-63c TomB-2.docx
Tom Barton's general comments:
a. 63C does not seem to deal with B2B; it seems to address C2B use cases completely. GDPR recognizes the distinction between B2B and C2B, and he believes that 63C should also. His suggestion is that it should recognize the distinction, possibly by adding separate editions of 63C, one for consumers and one for businesses. Mark King added that if we are making a distinction between C2B and B2B, we might also need to make a distinction with C2G. Tom Jones suggested that 'B' is not the right term here and that the term should be 'Enterprise' rather than 'Business', so that it would cover both government and business. Ken said that this TB comment should be applicable to all three volumes, not only 63C. Tom Jones also suggested using 'Trust Federation'. Ken asked Tom and Mark to provide him with some suggested text on these points, and he will incorporate it into the response.
b. Although IdPs are required by 800-63C to meet stringent security requirements, none are placed specifically on RPs. He is basically saying that there should be relevant operational security requirements placed on RPs as well as on IdPs. Richard said that there are quite a few requirements on RPs in 63C. Tom Jones added that he believes this should not be in C. It was clarified that an IdP is a subset of what Kantara defines as a CSP. Tom Jones remarked that the fundamental question for the group is whether or not the idea of mirroring the CSP with the IdP is the right way to go, or whether it would be better to just take that out of 63C, which would be his suggestion. It was agreed that, for version 4, the recommendation is that NIST consistently use the roles and functions terms when they write their normative or even informative requirements; in other words, be clear and consistent in their use across the documents. Tom Jones will create a list of roles and send it to Ken so we can provide an example to NIST.
- IAWG to review the AAL3 criteria for approval on 2020-08-06.
- Tom Jones and Mark King to provide Ken with suggested text for Revision 4, in light of Tom Barton's comments.