Kantara Initiative Identity Assurance WG Teleconference
DRAFT Meeting Minutes - IAWG approval required
Date and Time
- Date: Thursday, 2017-04-20
- Time: 12:00 PT | 15:00 ET
- Please join the meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/380672837
- Roll Call
- Agenda Confirmation
- Minutes Approval:
- Action Item Review: action item list
- Organization Updates - Director's Corner
- Staff reports and updates
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
- Gather comments on the Revised Draft of the parent document for Special Publication 800-63-3 (attached).
Link to IAWG Roster
As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)
Meeting (did / did not) achieve quorum
- Scott Shorter (VC)
- Denny Prvu (S)
- Andrew Hughes
- Richard Wilsher
- Ken Dagg (C)
- Boris Kronrod
- Mark Hapner
- Angela Rey
- Ruth Puente
- Colin Wallis
Notes & Minutes
- DRAFT IAWG Meeting Minutes 2017-04-13
- DRAFT IAWG Meeting Minutes 2017-04-06
- DRAFT IAWG Meeting Minutes 2017-03-30
- DRAFT IAWG Meeting Minutes 2017-03-23
Motion to approve minutes: Denny Prvu
Seconded: Andrew Hughes
Action Item Review
- 2017: March director's corner
- Harmonization of identity and privacy was a big topic at the Hamilton SC27 meeting - NIST, gov.uk, Canada Gov TBS and the Province of Alberta. They are looking for a forum where such harmonization might be standardized, and are canvassing other standards groups as well as potential working partners. Colin made an offer to NIST to open up a working group and host the conversation.
- ISO 29003 (identity proofing) has failed in its bid for DIS ballot and has been turned into a technical specification. It will probably come around again as an IS (international standard) proposed at a future stage after restructuring.
- ISO 29115 - some national bodies attempted to weaken the controls to match their national requirements; that vote has failed. 29115 remains as it was, although a revision and study period is expected.
NIST 800-63-3 Comments
Denny - observation about the glossary section - how much should we pick nits about missing words? "token", for example, is missing. Scott notes that other docs are trying to switch from "token" to "authenticator".
Angela observes that CSP can mean Cloud Service Provider elsewhere, should the doc take account of that? Andrew points out that since CSP has a meaning in this document they don't need to harmonize with other documents.
Andrew notes about section 5 - can they confirm that the referenced risk assessment is the relying party's assessment of risk?
Mark Hapner observes that section 5 might be the starting point for a new document about the RP's risk assessment.
RGW notes that section 6 is listed as informative, but contains SHALL statements as if it were normative.
Andrew observes that for CSPs, the Assurance Level is a shorthand for a bundle of controls. For RPs, the Assurance Level is a business impact assessment that results in a risk impact tolerance for the service in question. (Not really a comment on 800-63-3.)
General observation that, due to Kantara's focus on CSPs, there do not seem to be a lot of direct comments to be made on this particular draft.
RGW offers the recommendation that the overall publication be restructured into 5 parts - the first part being informative and descriptive, and the four successive parts expressly normative, addressing IAL, AAL, FAL and agency obligations respectively.
Ken reiterates that the assurance levels should be able to include more levels; see also the comments on 800-63A.
Next Meeting
- Date: Thursday, 2017-04-27
- Time: 12:00 PT | 15:00 ET