Main agenda topic: Review of Initial Draft_Project Plan to implement 800-63-3 and GSA requirements_2017-07_01
KD commented that the timeline is too tight for IAWG adoption of the plan and suggested postponing it for a week. The timing is particular because of the summer period.
SSH said that he would be away for the next 2 weeks on vacation. The work plan looks good and he agreed to be the coordinator of task 1. He would also like to be involved as a contributor in the risk registry process work.
AH pointed out that we should use better wording to describe conformity. We need to use the most correct words for a conformity assessment program or an approval program. We need to be clear on what we are doing, as there are defined terms in the field. Instead of trustmarks, we should say marks of conformity, which is covered by standards; we could align our texts with those standards. He will contribute something in writing.
|Certification versus Approval Program discussion|
KD asked if Kantara was opening itself to liabilities if it certified something.
AH noted that certification is valuable if it has broad market acceptance. Certificates are significant and carry a lot of weight if other assessment bodies accredit the issuers. He questioned the approval program and asked about its liability.
SSH added that the assessors have some bounds around their responsibility to provide the most correct information, but the risk decision belongs to the CSP and RP.
RP commented that the most binding artifact we have in the chain of CSP and assessor responsibilities is the TMLA, which stipulates that the CSP needs to provide information on the status of conformance; they are obliged to provide the documents and information regarding their assessment, and to comply with the timelines they committed to in the trustmark details, including the Annual Conformity Review (ACR) packages. The assessor has to guide them on the documentation they need to provide for the assessment, and then the ARB evaluates that. The CSP has a contract with the assessor. Kantara follows up and makes the CSPs comply with the ACRs or, if they do not, provide an explanation so the ARB can evaluate the case. Sometimes KI reaches out to the assessor so they can help the CSP get back into good standing.
CW affirmed that the KI vision is toward certification, but the hard part, 800-63-3 implementation, would go first. Then we may tackle the certification process, which should be ready before June 2018.
AH suggested reaching out to a certification body and asking about the liability terms in order to be aware of the implications. CW and AH will take this action. This topic should be on the agenda for the next 2 planning meetings. RP to add an additional task to the project plan: investigation of liability issues around certification.
AH pointed out that the reporting section should make explicit that there is work to do and then report on it. He also commented that page 5, "Notification to CSPs", and the consideration of what is public should be discussed and decided before February 2018. This would imply changes to the business model: what artifacts we choose to make public and which ones we charge for.
AH also expressed his concern about business model sustainability; we should evaluate what program or service we are trying to build, as the business case will change.
KD suggested raising the work plan as business as usual at the BoD meeting of July 20th, providing a heads-up on the conversations we are having in relation to certification, and evaluating the estimated return.
CW asked to add the planning progress and the certification issue to the ARB weekly agenda, as the BoD will take the ARB recommendations in this regard. RP added that it is important to provide a rationale for the certification model to open the discussion in the ARB.
AH said that in Table 1 we are going to need items 1 and 2, but he pointed out that item 3 is not what he had explained to Leif J. RP commented that Leif had this idea, so it would be good if he could clarify this issue in the next meetings.
CW clarified that the mapping service implies the mapping of the new clients' profile to our core profile, which is 800-63-3.
AH added that the risk registry is intended to allow framework designers and federations to design control sets that they can then purchase from providers. Risk-to-criteria is not useful, but risk-to-requirements is more useful.
CW asked AH to engage with Leif to clarify the risk registry issue.
KD asked to be removed as coordinator and suggested that someone more familiar with the SoC help on this work. AH commented that it is a design question whether the current formats are fine. CW suggested Nathan Faut as the lead contributor on this task.
KD pointed out that in Table 3 there might be 4 trustmarks:
b) FICAM + privacy
d) 800-63-3 + FICAM SoPs
AH commented that he would like to have a longer discussion on the accommodation of other schemes. He also suggested changing the task name, as it should be about mapping requirements and not accommodation.
In Table 3, he recommended using the same wording as Table 1 in relation to the risk registry.
SSH recommended sharing it with David Temoshok to check whether the timelines and processes are aligned with the NIST and FICAM ones.
|Determinations and general conclusions of July 4th Meeting|
- Develop assessment criteria and methodology for each requirement contained in 800-63-3 and the GSA/FICAM SoP
- Identify the parts of the CO-SAC to be used
- Develop Statement of Conformity template for each Trustmark
- Develop Risk Catalogue
- Modify application process and forms, including Credential Policy Statement, to accommodate each Trustmark
- Develop interoperability testing capability
- AH to provide written comments on the terminology.
- CW and AH to investigate liability issues around certification.
- AH to engage with Leif to clarify the risk registry issue.
- CW to reach out to David Temoshok and share the work plan so the process is aligned with the NIST and FICAM work.