Rules governing Assurance Assessments
Status: Editor’s Draft
Richard G. Wilsher
The Kantara Initiative Identity Assurance Work Group (IAWG) was formed to foster adoption of identity trust services. The primary deliverable of the IAWG is the Identity Assurance Framework (IAF), which comprises many different documents that detail the levels of assurance and the certification program that bring the Framework to the marketplace. The IAF set of documents includes an Overview publication, the IAF Glossary, a summary Assurance Levels document, and an Assurance Assessment Scheme (AAS), which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC), which establish baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated.
The latest versions of each of these documents can be found on Kantara’s Identity Assurance Framework - General Information web page.
This document has been prepared by Participants of Kantara Initiative. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available.
Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants of and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. This Specification is provided "AS IS," and no Participant in the Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third party intellectual property rights, and fitness for a particular purpose. Implementers of this Specification are advised to review the Kantara Initiative’s website (http://www.kantarainitiative.org/) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Trustees.
Status and Readership
SELECTION OF SERVICE ASSESSMENT CRITERIA
Statement of Conformity
Service Component Assessments
Full Service Assessments
Period-of-Time versus Day-Zero Assessments
This document sets out normative Kantara requirements and is required reading for all Kantara Accredited Assessors and applicant Service Providers. It will also be of interest to those wishing to gain a detailed knowledge of the workings of the Kantara Initiative’s Identity Assurance Framework.
The ultimate goal of the Kantara Initiative’s Identity Assurance Framework (IAF) is the facilitation of intra- and inter-Federation transactions based upon a range of identity credentials, across a number of levels of assurance, in which Relying Parties can have the confidence that the credentials bearing the Kantara Initiative Trust Mark are worthy of their trust.
To accomplish this, Kantara Initiative operates an Assurance Assessment Scheme (AAS), an assessment and approval program which assesses the operating standards of certain players in the Identity and Credential Assurance Management space against strict criteria, and grants to Applicants to the scheme the right to use the Kantara Initiative Mark, a symbol of trustworthy identity and credential management services at specified Assurance Levels (i.e. a Grant of Rights of Use – hereafter ‘Grant’).
In implementing the AAS, certain Rules are required to be set out, to support fulfillment of the Assessment Scheme and to direct how certain actions and processes within it are bounded and executed. This document serves that purpose and can be considered to sit between the AAS and the Service Assessment Criteria, to which Approved Services must conform and against which their conformity must be assessed by Kantara-Accredited Assessors.
The latest versions of each of the IAF documents referenced in this document can be found on Kantara’s Identity Assurance Framework - General Information web page.
The principal reason for the changes in this revision is to provide for the exclusion of criteria where the obligations are transferred to the service’s customers.
In addition, the opportunity has been taken to:
a) clarify that, whether Full or Component Service, ALL criteria in the CO-SAC must be conformed-to (this is also stated in the SAC but is re-stated here so as
b) neutralize the use of ‘CSP’ by replacing it with plain language, given the chronic application of TLAs to describe electronic identity-related services in confusing and conflicting ways.
All revisions between v1.0 and v2.0 [ RGW NOTE – as will the final released version be known ] are shown with a grey background.
All special terms used in this document are defined in the IAF Glossary.
Kantara’s Service Assessment Criteria (SAC) are in two classifications, Common Organizational Criteria (CO-SAC) and Operational Criteria (OP-SAC), and Services may be submitted for Approval in two classifications, as a Service Component or as a Full Service. This Section defines the rules under which Applicants for Service Approvals must be assessed and must conform to applicable criteria.
3.1.1 Statement of Conformity
The Statement of Conformity (SoC) (a document required by the Specification of a Service Subject to Assessment – S3A) must state, for each criterion in each SAC and at each applicable Assurance Level, whether the criterion is:
a) “not within scope”;
b) fulfilled by another previously-Approved Component Service which is incorporated into the Applicant Service (which must be identified according to its Kantara Approval reference); or
c) fulfilled directly by the Applicant Service, in which case the SoC must state how conformity is achieved (which may include, where justified, a statement that the criterion is ‘not applicable’).
Kantara prescribes the required minimum content of the SoC but not a specific format. Kantara strongly recommends developing the SoC from the conformity tables provided in the Service Assessment Criteria. The SoC may be a stand-alone document or may be incorporated into another document if that is justified. Kantara’s requirement is that a specific documented source of the required information be available and labeled as the SoC.
As stated in the SAC, all services must conform to all CO-SAC criteria. However, depending on whether the service in question is a Full or Component Service, how the criteria from the OP-SAC are addressed may vary, as described below.
3.1.2 Service Component Assessments
A Service Component’s SoC must identify which OP-SAC criteria are applicable (i.e. are within the service’s scope) and, for those criteria, must state how conformity with them is achieved.
The concept of a Service Component is intended to permit flexibility for a Full Service Provider, who may choose to operate their service core as the basis for multiple service offerings using different Service Components (e.g. to satisfy different market sectors or to permit operations in different jurisdictions). This approach allows significant flexibility in how services are developed by no longer imposing a specific dominance of any particular aspect of the service’s provision.
Applicants for Service Component Approval must justify the selection of OP-SAC criteria to which they have elected to conform – the ARB, in assessing an application, shall review the scope of the SoC and shall have the right to ask the Applicant to justify their scope.
The operator of an Approved Service Component is entitled to market their service as being Kantara (Component)-Approved to any parties but, where the consumer of that service is not another Kantara-Approved Service (whether Component or Full), Kantara Initiative shall make no claims, nor make any warranties, nor have any interest or liability whatsoever.
3.1.3 Full Service Assessments
A Full Service may have all OP-SAC criteria met by the Applicant itself or they may be met by the inclusion of any number of Service Components.
The Applicant’s SoC must (as stated above) state which criteria (if any) are met by any already-Approved Service Components, which will be initially verified by the Secretariat on first receipt of an Application for Full Service.
The Assessment of a Full Service must address all (100%) of the OP-SAC criteria within the collective service. This assessment need not include re-examination of the conformity of Component Services being included, unless circumstances suggest there is a justified reason to do so, but must establish that:
a) where any criterion happens to fall into more than one Component, there is a clear responsibility on the part of one specific provider that that criterion is being met, or that its dual operation does not present any conflicts in the overall provision of the service;
b) there is adequate contractual specification, driven by the Full Service Provider, governing the technical responsibilities and inter-operation of the Components and evidence that that is being accomplished in reality;
c) the provider of each Component Service has, within the thirty (30) days preceding the start of the assessment, provided an attestation to the effect that the scope, description, operation and conformity of their Component has not materially changed since the last Assessment of that Component.
The implication of the above is that a Full Service Provider may submit for Assessment and Approval a service constructed purely of previously-Approved Components (i.e. one in which the Provider making the Application provided no essential functionality whatsoever), thus making the determination of contractual arrangements fundamental to ensuring that the Components collectively deliver a Full Service.
Additionally, the Provider of a Full Service may exclude specific criteria where it can show that the responsibility for meeting those criteria is assumed by the Service Provider’s customer(s). This provision allows for Providers’ customers to efficiently leverage information and processes already in their hands. Providers who claim such exclusions must demonstrate how the excluded requirements are communicated to their customers and how their customers are obliged to fulfill them and the measures by which they shall be held accountable (typically through explicit notices and sections in service agreements).
Where a Provider seeks to exclude specific criteria they must provide an explicit explanation of their purpose and intent, the affected criteria, and the measures they will put in place to ensure the best likelihood of conformity being accomplished by the parties to whom those responsibilities are transferred [RGW Note: It may be prudent to revise the SoC to provide a pro forma means for conveying this information].
3.1.4 Period-of-Time versus Day-Zero Assessments
Applicants may desire a Kantara Approval in advance of there being any operational history on which a Period-of-Time (PoT) assessment could be based. Kantara provides for such circumstances by accepting a Day-Zero (DZ) Assessment (i.e. one in which there is no operational record to underpin the quality of the assessment) as an interim measure, conditional upon a PoT Assessment being provided within a specific period (see below).
Applicants which elect to seek Approval based on a DZ Assessment may submit their Application at any time at which they are able to fulfill the applicable SAC, supported by their chosen Kantara-Accredited Assessor’s Report, subject to the requirement that they must subsequently provide an Assessment Report based upon a PoT Assessment conformant to the operational period described below.
3.1.4.1 Period-of-Time Assessments
It is a Kantara condition of Full (versus Component) Approval that the service being subjected to an Assessment has an operational history. The following periods of time are the minima for which services must be operating before a Period-of-Time (PoT) assessment can commence (i.e. one addressing a period of time over which the Service has been operational and which can provide the evidence on which the assessment is based):
Minimum operational period (days)
The PoT Assessment Report must be submitted within the applicable period of the DZ-based Application, with the exception of LoA1, which must be satisfied by a PoT Assessment being performed on or before the occasion of the first annual assessment.
Failure to submit the PoT Assessment Report within that period shall result in Kantara revoking the original Approval.
3.1.4.2 Permissible Exceptions
Applicants may request of the ARB a waiver from any of the above-expressed minima where that is supported by evidence of an over-riding condition and which is agreed-to by the Applicant’s chosen Assessor. Such conditions might include:
a) provisions of the Assessor’s auditing schema which permit or require such variance;
b) the requirements of another approval/certification scheme, or possibly a regulatory or contractual obligation, to which the Applicant is subject mean that the Applicant would suffer an unreasonable cost- or efficiency-burden by undergoing two audits within a short space of time;
c) the Assessor believes that the Applicant requires greater time to gather sufficient evidence to sustain the PoT Assessment yet can justify an extended provisional Approval.
The ARB will examine closely any requests for waivers to ensure that a provisional Approval is not taken advantage of as a means to avoid the timely performance of a PoT Assessment required to underpin an Application for full Approval.
 Previous versions of IAF-1400 SAC had assumed that the Credential Management component of an overall service would be pre-eminent.
 A material change would be one which required a change to the scoping statement, involved a change of functionality provided or the manner of provision of defined functionality, or which had changed to the point where conformity to any applicable SAC requirement could no longer be upheld or had been replaced by a means of conformity which had not been reviewed in the course of the Assessment on which the present Approval was granted.
[ZYG1] IF Ken Dagg's effort in the IAWG to provide an XLS (or even better, hyper-text) version of the SAC is to go forth then this sentence should be revised (maybe just to say 'on the Kantara web site'?) and the tables should be removed from the SAC?
[ZYG2] Though we have yet to work these out, we can at least assume this working title and decide later how/where they will be identified or listed (though the work Ken is leading on a hyper-text SAC would make that just too easy)
[ZYG3] I find this assertion a tad too bold - I don't believe such a condition prevails, hence the modification in this manner.
[ZYG4] Deleted because assessors do not make recommendations, they only report findings.
[ZYG5] I see no reason to amend this text - it is general and the changes made do not make it redundant in any way, though possibly less likely to be exercised