Page tree
Skip to end of metadata
Go to start of metadata

Kantara Initiative Identity Assurance WG Teleconference



Date and Time


  1. Administration:
    1. Roll Call
    2. Minutes approval: 
      1. DRAFT IAWG Meeting Minutes 2015-05-07
      2. DRAFT IAWG Meeting Minutes 2015-04-30
      3. DRAFT IAWG Meeting Minutes 2015-04-23
      4. DRAFT IAWG Meeting Minutes 2015-04-16
      5. DRAFT IAWG Meeting Minutes 2015-04-09
      6. DRAFT IAWG Meeting Minutes 2015-03-26
    3. Staff reports and updates
    4. Assurance Review Board (ARB) and Leadership Council (LC) reports and updates
    5. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1.  NIST SP 800-63 comments from IAWG


Link to IAWG Roster

As of 2015-01-22, quorum is 6 of 11

Use the Info box below to record the meeting quorum status

Meeting achieved quorum





Lee Aber
Ken Dagg (C)
Scott Shorter
Colin Wallis


 Angela Rey

Steve Skordinski 



Joni Brennan


  • Andrew Hughes (VC)
  • Rich Furr

Voting Members for Cut/Paste

  • Ken Dagg (C)
  • Andrew Hughes (VC)
  • Scott Shorter (S)
  • Rich Furr
  • Paul Calatayud (VC)
  • Devin Kusek
  • Adam Madlin
  • Kenneth Myers
  • Cathy Tilton
  • Richard Wilsher
  • Lee Aber

Selected Non-Voting members for Cut/Paste

  • Bill Braithwaite
  • Björn Sjöholm
  • Susan Schreiner
  • Jeff Stollman


Notes & Minutes




Ken: a scheme comes to mind for NIST's first question, based on discussions at identity north, separation of three functions, identification, authentication, and authorization. Scott agrees, will expand on comment about A&I to cover this.

CW Oasis trust elevation discussion - some transactions where people won't ask for authentication, by we leak so much data that low risk transactions are supported without clear authentication step.

UMA developing binding obligations and controls.

Contact Eve Mahler, ask for her comments?

Scott to ping Pete Palmer.

Ken will mention at leadership council.

Examples of authentication, identification and authorization system does it that way. Those three functions take place. Age authorization for old age security. Length of time in country during twelve month calendar. Employement status. Visa, work status.

Ken in terms of privacy, like the comment with respect to the triple blind being part of the privacy spectrum. Additional spect, PIA is focused on client and end user and protecting their privacy. Conducting a PIA gets the questions asked, and if a privacy commissioner exists in a jurisdiction they can say whether privacy is being respected.

When out to RFP for privacy solution the privacy commission, who can adjust the text of that.

Colin says should be a risk assessment is applied up front, it is not that clear what risk is being assessed and for what reason. Do an identity related risk assessment on the service, need approaches for doing the identity related risk assessment.

Ken, sent a link to Canadian govt assurance and guidance. Risk assessment to identity assurance. Scott to review.

CSPs are coming out and saying we have a level three system. The identity risk assessment rather than the system compromise risk assessment.

Scott to put the links in the minutes...

Joni to talk to UMA and CSPs.
Ken speak to LC.

Scott to distribute comments, ask for a COB Monday deadline. Get to Joni next Tuesday, joni will create cover letter and send to NIST.

Suggest to meet next week to discuss what was submitted, catch up on administrative stuff and decide on whether to meet biweekly again.


Carry-forward Items





Next Meeting