Preparations for the NIST SP 800-63 RFI
Incorporate Privacy items into the main body of SAC
Relying Party Obligations
Planning for interacting with the National and International bodies
Link to IAWG Roster
As of 2015-01-22, quorum is 6 of 11
Meeting achieved quorum
DRAFT IAWG Meeting Minutes 2015-02-05
Motion to approve minutes of 2015-02-05: Richard Wilsher pending a correction to the AOB
Seconded: Lee Aber
Motion Carried | Carried with amendments | Defeated
See the Action Items Log wiki page
Andrew Hughes has volunteered to be editor for the Kantara response. Expected questions based on listening to Paul Grassi: "are LOA still the right model", "how does 800-63 apply to private sector", "whether government or private industry has primary authorship of 800-63 going forward"
RGW asked if Paul Grassi had stated that list; Andrew confirmed that he did, perhaps at a Cloud Identity Summit talk.
Angela confirmed that 800-63 is cited frequently for government services, Andrew agreed that this is the prior scope of 800-63, but commercial applications could be covered in the new document. RGW suggested that a non-govt doc could be used to support identity assurance in commercial space.
Ken asked if anyone had heard of other questions; RGW suggested that the idea of international standardization could be raised.
Andrew suggests that the way to prepare is to get the document templates ready, and to re-read SP 800-32.
Ken asks if there is a volunteer or a statement of what might be involved.
RGW suggests the answer to the latter - expect there will be a PRIV-SAC in parallel to OP-SAC and CO-SAC, or else folded into the existing sections.
Ken states that his preference is for distinct privacy criteria. Privacy will be a topic of great interest, which he thinks we need to address directly with requirements woven into the SAC.
Angela mentions that the NIST Privacy Advisory Committee is having testimony tomorrow afternoon.
RGW mentions that there are existing criteria that address PII, perhaps they can be tagged to indicate that they have a privacy focus instead of a general information security focus.
Ken asks for any volunteers for leading this. With no volunteers, he suggests that he may be able to fill this role considering his strong privacy background. He will ask for volunteers from the list but will take the lead for now.
The e-gov group has taken this on for their 2015 goals; it is their single work item. There is interest in Canada and the EU in the question of RP obligations, i.e., obligations placed on RPs by CSPs and IDPs. Ken participated on the e-gov call and is willing to coordinate with this. Angela asked for clarification on the work item; Ken responded that it is about the responsibilities and obligations on the relying parties.
RGW states that the IAF is about assessing and approving service providers, and RPs are not service providers, so there is difficulty in performing assessments of RPs. He can see guidelines for a standard code of conduct, but doesn't see that there could be a way to make it enforceable or assessable. Ken agrees with that point; it might have to be a guideline of best practices for RPs.
Andrew asks if this will be a counterpart to the Federation Operators Guide. Ken says that it could be, but he would need a refresher.
Ken asks if there is interest in setting this up as a counterpart to the Federation Operators Guide. Andrew said it is a good idea but he is not volunteering.
Ken will check in with next group and determine what the nature of their deliverable will be.
Andrew reminded the group that the idea is that IAWG should have a plan for the types of interactions we would like to have with other bodies: list the bodies that are significant and why, decide whether we need to liaise formally with other bodies, and decide whether we attend other groups or invite others to join our calls. We should identify what the goals are and then implement them. The thought was to enumerate our connections to the other organizations so that we can keep track. Andrew offers to lead the discussion next week if that makes sense. Ken suggests that Andrew put a call out to the list for international groups that people may be participating in.
Ken asked for other thoughts on the topic; there was no response.
The Identity Relationship Management WG is putting out the Laws of Identity Relationship Management as a Kantara work product; Ken will distribute it to the list.
RGW moves to adjourn, Andrew seconds.
Next week: discuss whether to switch to a weekly rotation through the project-specific calls.