Kantara eGov Working Group Teleconference (confirmed Jan 7th 2013)
Date and Time
- Date: 3 Dec 2012
- Time: 11:00 PST | 14:00 EST | 20:00 CET | 08:00 NZ (+1 day)
Attendees
- Rainer Hörbe, Kismed
- Ken Dagg, Fed Canada
- Colin Wallis, DIA NZ Govt, NZ
- Keith Uber, Ubisecure
- Allan Foster, ForgeRock
- Andrew Hughes (Vice Chair of the Identity Assurance WG, non-voting)
- Bob Sunday, individual
Note to all: Calendar feed from the Kantara site includes room codes
Non-quorate call, so no review of the November call minutes.
Minute taker: Keith Uber
2. Action Item review
Colin: update of the charter, submission to the LC and approval - Complete (waiting on editing rights to the charter page)
-- Keith to contact Oliver (email@example.com)
Colin: manage the response to the eHerkenning (Netherlands B2B SAML solution) consultation - Now closed; we did not get much feedback since October (Rainer's comments).
3. Report from Face to Face meeting, Washington DC
The trust framework / trust federation world is a new concept to recent Kantara joiners.
Colin: Terrific workshop, probably the best of that style Kantara has ever staged. "Stunning".
Ken: Good event, excellent discussion - interesting to see a complete 'suite' of identity federation stakeholders there.
Approved identity providers: Experian, Symantec
Some prospective IdPs: LexisNexis, Daon, maybe Equifax
Some assessors: KPMG, Electrosoft (and Deloitte, although Myisha was representing the IAWG as Chair)
Governments: US GSA, Ken and Tim from Fed Canada, Colin from NZ
Also present: CA (Phil), ISOC (Karen), Ingo from DT, Dr Alterman for the IRB
Interesting mix of people
Non-government relying parties were missing.
All agreed to try for focus group discussions with the RPs at the next workshop. The identity proofers, who already have the RPs as customers, are the ideal parties to invite their customers to join the discussion.
The day was broken into 4 topics:
The first topic was dedicated to finding equivalence between the not quite identical NIST SP 800-63-1, ISO/IEC 29115 / ITU-T X.1254 and the Kantara IAF v2.0. This also relates to the OASIS Trust Elevation TC's work, which attempts to standardise approaches to raising trust in order to mitigate the risk of using a weaker credential/LoA than the service or transaction is rated at. Rough gap analysis and discussion. The Kantara IAWG will try to draft a mapping table.
Note that 800-63 is a set of US government specifications, not a set of requirements that need to be met (as the Kantara IAF is); 800-63 therefore lacks direct comparability at the requirements level.
The prospective IdPs are working on the NASPO ID-V standard, which guides adopters on how to identify and how to obtain increased assurance.
The second topic looked at the new Kantara IAF component option: identity and credential management as separate approval pieces rather than the IAF as a single piece.
FICAM has requested this. Experian and Symantec are the first 'couple' to be approved.
There was almost unanimous agreement on the need for a future discussion of the possibility of standardizing the interface between IdP and credential provider, so that when an IdP and a credential provider want to cooperate they do not have to come up with their own solution every time. Ideally the interfaces could then be assessed independently. The aim is to reduce arduous integration projects. This may not necessarily be a technical API, but some kind of standardization is an absolute requirement.
The identity proofers do not want to give away any secrets about how proofing is performed, so they are less keen on extending the initiative as far as developing an API.
The third topic began with a presentation from the Kantara IAWG sub group (Canadian gov, Andrew Hughes, Colin Souter, David Walsey) of what they developed over the summer, which they are calling the "decoupled binding approach":
- How to separate the credential activities from the identity activities
- doing credential activities first and then bind identity or vice versa
- More detail will come in the meeting notes, with a slide deck.
- Were able to generate a generalized model showing the relationships between the individual, RP, IDP and credential provider.
Canada expanded on its pseudonymous design. Comparison of the approaches of Canada and NZ (very similar) to the USA, and how the former separate the different pieces of the transaction so that no one party has all of the identity information. FICAM seemed very interested in learning more and leveraging these experiences. The approach is consistent with FICAM future-state thinking (Anil). Colin mentioned this may fit in the FCIX (Federal Cloud Identity Exchange).
Andrew sees next pieces of work:
- extending the model and see how other trust frameworks map onto it
- finding commonality between the frameworks
Andrew will summarise his presented work and distribute it to the group, or through the event report being coordinated by Joni.
The meeting report has not yet been published but will appear.
4. Privacy Enhanced WebSSO
Report from Rainer
Work continues on the non-traceability requirement / do-not-track provisions for WebSSO.
Rainer proposed the new work item: collect requirements and existing or planned solutions (see the wiki for this new space).
So far Colin has uploaded some documents from the NZ deployment.
UK & NL have been contacted; responses pending.
Working title: "Privacy Enhanced WebSSO". Open to better title suggestions.
Gap analysis of what is standardized and what isn't.
Rainer is interested in the consumer approach (EUStic) and in hearing how NZ/Canada justify their tight controls.
Andrew: Move the linking records to an outside party, such as a broker, which offers persistent anonymous IDs to all parties. The SP doesn't know the actual credential.
Andrew: Under 800-63 this model is not possible, because the credential provider must know the identity.
Rainer to contact NL again.
Colin: Had seen an earlier UK SAML profile from their identity hub (John Bradley was assisting with it?).
Rainer: Steven Dunn shared it with us in October at the RSA conference. You couldn't implement the architecture with pure SAML.
Colin to contact UK for the latest documents of the UK SAML profile for their identity hub.
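To make the broker model discussed above concrete, here is an added example (not from the minutes, the NZ/Canada deployments, or any Kantara specification): a minimal broker that derives a persistent, per-relying-party pseudonym from a credential identifier, so that the credential provider never learns which RP was visited and the RP never sees the credential. The HMAC-based derivation, the party names and the sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Broker:
    """Illustrative broker (assumed design): it holds a secret key and derives a
    persistent, per-RP pseudonym for each credential. It stores no personal
    attributes; the credential id and the RP id only meet here, transiently."""

    def __init__(self, key: Optional[bytes] = None):
        # Assumed: the HMAC key is known to the broker alone (in practice kept in an HSM).
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, credential_id: str, rp_id: str) -> str:
        # HMAC over (credential id, RP id): the same credential at the same RP always
        # yields the same value, while values for different RPs cannot be linked
        # without the broker's key. The NUL separator prevents boundary ambiguity.
        msg = credential_id.encode() + b"\x00" + rp_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]


def login(broker: Broker, credential_id: str, rp_id: str) -> dict:
    """One brokered WebSSO login; returns what each party gets to see.
    The identifiers passed in by callers are constructed sample values."""
    subject = broker.pseudonym(credential_id, rp_id)
    return {
        # credential provider: authenticates the credential, never learns the RP
        "credential_provider": {"credential_id": credential_id},
        # broker: sees both identifiers for this request but keeps only the key
        "broker": {"credential_id": credential_id, "rp_id": rp_id},
        # relying party: keys its local account on the pseudonym alone
        "relying_party": {"rp_id": rp_id, "subject": subject},
    }


def unlinkable_across_rps(broker: Broker, credential_id: str, rp_a: str, rp_b: str) -> bool:
    """True when two RPs receive different pseudonyms for the same credential."""
    return broker.pseudonym(credential_id, rp_a) != broker.pseudonym(credential_id, rp_b)


if __name__ == "__main__":
    b = Broker()
    first = login(b, "cred-123", "rp.example")
    second = login(b, "cred-123", "rp.example")
    print("persistent:", first["relying_party"]["subject"] == second["relying_party"]["subject"])
    print("unlinkable:", unlinkable_across_rps(b, "cred-123", "rp.example", "other.example"))
```

The two properties the example checks are the ones the discussion turns on: the pseudonym is stable for one RP (the RP can keep an account), and RPs cannot correlate a user among themselves without the broker's key. Whether the credential provider is allowed not to know the identity is exactly the 800-63 point Andrew raised; this code models the broker variant, not the 800-63 one.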
5. Reach out letter update
At the last meeting we put out a call for additional people to go on the list.
If anybody has ideas for new prospective members of the WG, please send them to Rainer/Keith/Colin.
Once the new charter is published, Joni will email the prospective contacts. We have 25 or so; the target is 35 or more.
Next Kantara event: no date has yet been set, but maybe around RSA, in the last week of February.
NSTIC IDESG has been confirmed for 5-7 Feb in Phoenix, AZ. Governments may also meet separately in Feb.
European ID Workshop (IIW) will be in Vienna on 5-6 Feb 2013 or a week after; it will be announced in the next couple of days.
7. Next Call
Next call Monday 7th Jan 2013.