Attendees:

Voting Participants: Mark King, Mark Hapner, Richard Wilsher, Ken Dagg, Martin Smith

Non-voting participants: Tim Reiniger, James Jung, Pete Palmer

Guests: Rene McIver (SecureKey)

Staff: Colin Wallis, Ruth Puente

Quorum: 3 out of 5. There was quorum.


Agenda


1. Administration
   a. Roll Call
   b. Agenda Confirmation
   c. Minutes Approval: 2021-03-11 DRAFT Minutes

2. Discussion

a. Review NISTIR 8344 (Ontology for Authentication) available at https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8344-draft.pdf (Deadline to comment: April 9, 2021)
b. NIST open discussion issues in light of SP 800-63 rev.4: https://github.com/usnistgov/800-63-4/issues (Deadline to comment: May 15, 2021)
c. Kantara 63B_SAC subset vs NIST source text (clarification request).

3. Any Other Business


Minutes Approval

2021-03-11 Minutes were approved by motion. Moved: Mark King. Seconded: Mark Hapner. Unanimous approval.


Review NISTIR 8344 (Ontology for Authentication)



63B_SAC issues 

ARB questions on two 63B_SAC criteria, 63B#0030 and 63B#0150.

1. Re 63B#0030 – The KI criterion and the NIST source text say this criterion is limited to Agencies. ARB wonders whether it could be considered for any CSP.

2. Re 63B#0150 – ARB pointed out that these are separate re-authentication requirements, not optional ones.

Kantara criteria:

“The RP SHALL terminate a session and the life of the current session secret whenever they are unable to receive affirmative re-authentication of the Subject, either:

  a) prior to a period of session inactivity reaching 30 minutes; OR
  b) prior to an extended usage session reaching 12 hours since the last successful re-authentication, regardless of user activity”.

NIST text:



[Note that EITHER of the conditions in a) or b) is grounds for terminating the session, and therefore the CSP must continue to check BOTH conditions in order to determine whether either has been breached.
The NIST text makes three separate statements, but the third is conditional upon EITHER of the two preceding requirements being unsuccessful. It is in fact poorly expressed, since termination is implicitly conditional on it not being possible to re-authenticate the user, yet this qualification is not stated: as written, it could be found that termination SHALL occur after either 30 minutes or 12 hours (and the second case would never be true). This third 'SHALL' statement needs to be qualified by stating "if re-authentication fails"; hence the Kantara clause is constructed as it is and needs no change.]
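The logic the note describes, as an added illustration that is not Kantara's or NIST's own text: both limits are evaluated on every check, and reaching a limit only demands re-authentication; the session is terminated when that re-authentication is not obtained. The timestamps and the `reauth_succeeded` flag are constructed stand-ins for a real RP's clock and re-authentication exchange.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits from the 63B#0150 criterion discussed above.
INACTIVITY_LIMIT = timedelta(minutes=30)
EXTENDED_USAGE_LIMIT = timedelta(hours=12)
T0 = datetime(2021, 4, 1, 9, 0)  # constructed reference clock, not from the minutes

def at(minutes):  # constructed timestamp: T0 plus the given number of minutes
    return T0 + timedelta(minutes=minutes)

@dataclass
class Session:
    last_activity: datetime
    last_reauth: datetime  # the initial authentication counts as the first one
    active: bool = True

def limits_reached(session, now):
    """Evaluate BOTH limits every time; either alone demands re-authentication."""
    reached = []
    if now - session.last_activity >= INACTIVITY_LIMIT:
        reached.append("inactivity")
    if now - session.last_reauth >= EXTENDED_USAGE_LIMIT:
        reached.append("extended-usage")
    return reached

def enforce(session, now, reauth_succeeded):
    """Kantara wording: a limit being reached demands re-authentication, and the
    session ends only if that demand is not met (reauth_succeeded stands in for
    the outcome of the RP's real re-authentication exchange)."""
    if not session.active:
        return "terminated"
    reached = limits_reached(session, now)
    if not reached:
        return "continue"
    if reauth_succeeded:
        session.last_reauth = session.last_activity = now
        return "reauthenticated:" + "+".join(reached)
    session.active = False
    return "terminated:" + "+".join(reached)

def walkthrough():
    """Constructed timeline: steady activity reaches the 12 h limit without ever
    idling 30 min; a later idle gap plus a failed re-authentication ends it."""
    s = Session(last_activity=at(0), last_reauth=at(0))
    actions = [enforce(s, at(10), reauth_succeeded=False)]       # nothing reached
    s.last_activity = at(719)                                    # user kept working
    actions.append(enforce(s, at(720), reauth_succeeded=True))   # 12 h: reauth ok
    actions.append(enforce(s, at(751), reauth_succeeded=False))  # 31 min idle: fails
    actions.append(enforce(s, at(752), reauth_succeeded=True))   # already ended
    return actions
```

Reading the third NIST statement without the "if re-authentication fails" qualification would collapse `enforce` to ending the session as soon as `limits_reached` is non-empty, which is the reading the note warns against.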