Review and approve 63A/B SACs
Discuss approach on new GSA requirements and approve Project Plan
Initial comments on GSA Concept of Operations and Certification Process drafts.
As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)
Meeting (did) achieve quorum
- Mark Hapner, Resilient
- Denny Prvu, Secretary
- Scott Shorter, IAWG Vice Chair
- Ken Dagg. IAWG Chair
- Andrew Hughes, LC Chair
- Richard Wilsher, Zygma
- Aakash Yadav, OKTA
- José Lopez, Zentry
- Christine Abruzzi US Arlington
- Colin Wallis, KI ED
- Ruth Puente, KI Executive
Notes & Minutes
Director's Corner October Report
- GDPR Summit beginning of October. http://www.gdprsummit.london/
- Working on Privacy Summit and Standars. Mark Lizar is leading the effort and evaluating the feasibility to held an event in January 2019., which would be the first KI event.
- Pre-conference workshop to curtain-raise Kuppinger Cole's Consumer Identity World Tour 2017 in Paris, 27th November, where Consumer identity and Access management, UMA and Consent Receipt were presented.
AY asked when 63C SAC would be developed. SSH responded that the work was focused on 63A and 63B (Level 2) as immediate deliverable, in long term we plan to develop criteria for C as well.
AH added that further developments would be demand driven. The current product was developed with the intention that CSPs can be re-certified in alignment with 800-63-3, basically IAL2 and AL2. In the furture, KI will be developing criteria for 63-3 AL 1 and 2, IAWL 1 and 3, 63-C.
SS presented 63A/B SACs that SG 800-63-3 has developed:
KD thanked Scott for leading the team that developed the SAC and all the volunteers that helped to develop the SACs. Also, he thanked ID.me sponsorship of this work. CW stressed the relevance of ID.me sponsorship and thanked KUMA for the volunteer effort, as well as to all volunteers.
KD provided SACs next steps and schedule:
- Public Comment Period and IPR Review: Opens: 4 December 2017. Closes: 22 January 2018
- Potential changes implementation according to comments received 22 January - 31 January 2018
- LC to Certify sending the SACs to All Member Ballot: 1-8 February 2018
- All Member Ballot Opens 9 February – Closes (?) 24 March 2018 (maximum). Min 14 days – Max 45 days. Requires a "Supermajority of those voting, with at least 15% of all members voting" (i.e. at least 75% of those casting a vote must vote to approve).
- Implementation Deadline set by NIST: 22 June 2018
AH requested to list the active contributors of this work in the front page or second page.
SS commented about the philosophy that was applied.
- A SHALL was an easy guidance to follow. NIST requirement about SHOULD is not mandatory, but there was a lot of discussion on this. What is intended with SHOULD?, you should but there are not consequences?. Should it be interpreted as a SHALL or weak (no enforceable at all)?.
- Original requirement on the left. In KI criteria we added a Subject as most of the texts were passive.
- The group tunned the requirements to ensure CSP is doing its part.
AH asked if SACs reflect the errata of 800-63-3 documents? He does not see version and date of document, so he suggested to make sure the documents are correctly labeled and identify the date we pulled the source document.
SS commented that as additional value it would be good some exposition about theories of why different types of identity evidence meet different strings, provide specific examples, explanations and analysis. He is not sure if KI would put a stamp on it or GSA would provide a implementation guidance similar to what NIST did with FIPs 114. He said that now that we have new requirements let´s make sure real work examples are following into the same slots when everybody evaluates.
AH added that having guidance documents and real implementation examples would be part of the document kit. He also commented that we can collate the material over the time.
SS said that we can take a proposal to ARB, take out of each assessment what level of evidence was used, etc. more transparency when possible. CW confirmed that this is a policy decision to ARB.
Potential Changes to the policy
SSH Panels 2 and 3 Identity evidence validation string table for the different levels. Verification of identity evidence at the different levels.
AH spreadsheets forms into a traceability matrix, we can demonstrate coverage to 800-63-3 requirements. Other are mapping to the requirements of 800-63-3. KI criteria has some traceable properties
63B done for AL2. Only one panel, no sub-tables. Types of authenticators are reflected in groups below, there come blocks of applicable criteria are mandatory.
Row 91 Number 63B#0280- Scott to add references.
AH suggested that we should remove the highlights in yellow.
Motion on 63A SAC moving to next step in the process.
AH after the cosmetic changes be circulated 63A SAC be circulated to public comment and PR Review.
Motion 63B same motion above.
Mark H seconded both motions.
GSA has circulated process and procedures documents for TFS Program ConOps and Certification Process drafts. They request hthat 22 December to have comments back to them on these 2 documents.
Second part of KI work will be to identify changes to its internal process
KD presented the Project Plan to tackle comments to GSA and changes to KI Trust Framework Operations Program
KD proposed to create a sub-group and made a call for participants
First meeting Tuesday 14:00EST
AH stressed that importance of this process, as these docs. under review at GSA are the requirements for KI to be able to offer approvals and assessments.
There are some significant requirement increases, these are the docs by which KI operates.
KD ARB emphasizes get their input to this process. Encouraging to offer their comments.
RP to re-send the comments of RW
RW reviewed the COSA 4.5 tcriteria could be withdrawn as they are covereded 63A oB SAV
Scott suggested Cross cjeck discussion Next Tuesday
CW encouraged the participants to take this survey as it is related to current IAWG discussion: https://www.surveymonkey.com/r/5YZ3Y9X
Motion to approve SACs:
- Date: Thursday, 2017-12-7
- Time: 12:00 PT | 15:00 ET
Write a comment…
Powered by a free Atlassian Confluence Community License granted to Kantara Intiative . Evaluate Confluence today.