DRAFT Meeting Minutes - IAWG approval required
Link to IAWG Roster
As of 2014 March 13, quorum is 5 of 9
Meeting achieved quorum
IAWG Meeting Minutes 2014-03-20
Motion to approve minutes of 2014-03-20: Scott moved to approve
Seconded: RGW / Matt Thompson
Joni - describing last week's call with Anil John. It will be an ongoing monthly call to allow trust framework providers to communicate with FICAM.
Rich - similar content on the 2nd call, token managers and identity managers heard that the TFPs have a current deadline of 6 months from publication of FICAM documents, including the TFPAP and the ATOS, the latter of which has major impact on the service providers. Token managers and identity managers will have until their next certification by a TFP certified under the new program to be certified in the new program. Industry is resistant - resources are allocated in the financial year, resources do not exist to make this happen. Verizon is meeting 1-on-1 with Anil, their approach is "we can't do this, but lets find a win-win". This was thought to be a way to get federal business, but none of the agencies are requiring FICAM. There was an RFP on the street requiring LOA3 which was pulled with a statement that there are no currently approved service providers. Agencies have not yet used Verizon's service thus far. Suggestions to FICAM is to find a win-win.
RGW - FICAM is asking for development work but won't lead it.
Rich - there is a working group dealing with the FICAM updates. We need to look at TFPAP, FBCA for LOA4, and there are a number of criteria that will come from the ATOS. We need to work to a point where documents are somewhere between assessor-speak and developer-speak.
RGW - asks for an example. Rich suggests that we can leverage 800-63, but we are assessed against the TFPAP and cross-certified against FBCA CP. We're not assessed against 800-63, although there are references to 800-63 that are valid.
RGW - there was discussion last week about removing the US-centric requirements and including those in profiles. Thereafter a CSP can say "we want to be assessed against KIAF Level of Assurance X, and an additional profile which might be FICAM/800-63.
RF - 800-63 is aguidance document. RGW - it's guidance that gets interpreted by agencies as required.
RF - we believe FICAM is trying to become the normative process by the federal agencies. Agree that this is a US Profile. If Kantara will be a global scheme, a lot of profiles will need to be created. Canada / Europe / Asia / etc.
RGW - Anil is basically turned 800-63-2 to a normative requirement. RF - he's pointed to specific sections of this. RF agreed to take another look at.
RGW - Anil asked for there to be a group established by the TFPs. Richard suggests that Kantara may be the most appropriate group to lead this effort. Because of our connection with SAFE-BioPharma and IDESG, we're willing to lead this "gathering of the tribes". Joni will follow up on behalf of Kantara.
RF - anything else about FICAM?
RF describes the work of the ATOS group. We took the requirements of the TFPAP and divided them into groups, we are each attacking a group. This is a lot of new requirements and it is not a trivial task. It sounded like Anil would like the industry to do ATOS testing so the government will do that.
Joni response that we're working to bring testing in to the TFPs.
RGW points out there needs to be a single reference test harness. RF agrees.
RF mentions that it sounded like identity providers do not have to provoide attributes, but components can provide attributes. It sounds like there should be attribute providers as another type of component within the SAC. We need to make sure we have criteria to cover attribute management.
RGW believes there are two uses of attribute. In this context it's one of those pieces of metadata associated with the identity proofing process which may be passed forward in an assertion. Or does attribute mean a person is a member of a group or has a certain qualification.
RF - the attribute bundles are the NASPO, these are read as attributes of identity used in identity resolution.
RGW - so they are identity attributes as opposed to characteristics/qualities/accomplishments. RF agrees. RGW we need to keep with that language.
Ken - not sure whether these are characteristics of an individual or if it's just the core set like NASPO. RF - for a doctor, an attribute could be medical license number. RGW - call them identity attribute bundles, not related to qualities or status of individual.
Ken reiterates that this usage should be verified.
RGW - here's an attribute "this person is a veteran". RGW this is a relation ship between an identity and a qualification or status. RF - I have my DOD Retired ID card, using Name/SSN.
RGW on SAC 4.0. We distributed 3.1 for comment, received and discussed comments, disposed of comments. This week RGW reviewed the document to make sure that every criterion is listed in one of the compliance tables, and added a statement regarding criteria were new, amended, renumbered, new content. Changes are also highlighted in gray. RGW would move that we vote to approve the document circulated, and release as V4.0 and release to public domain. RF second.
RF asks if there is dissent.
Joni - final vote, goes to the leadership council, they will kick of ballot from all members for the final.
Motion is to "approve the final draft for submission to the leadership council to become V4" RGW makes the motion. RF seconds.
Are there dissenting votes? No.
Approved. Joni will submit.
Leadership council is having a call next week, this could be voted on Weds of next week, and a ballot could be kicked off THursday of next week, so one month for final wrap up.
Kantara IAF-1400 SAC v3-3.docx