Kantara Initiative Identity Assurance WG Teleconference

DRAFT Meeting Minutes - IAWG approval required

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes Approval:
      1. DRAFT IAWG Meeting Minutes 2017-04-13
      2. DRAFT IAWG Meeting Minutes 2017-04-06
      3. DRAFT IAWG Meeting Minutes 2017-03-30
      4. DRAFT IAWG Meeting Minutes 2017-03-23
    4. Action Item Review: action item list
    5. Organization Updates - Director's Corner
    6. Staff reports and updates
    7. LC reports and updates
    8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Gather comments on the Revised Draft of the parent document for Special Publication 800-63-3 (attached).
  3. AOB

Attendees

Link to IAWG Roster

As of 2017-03-16, quorum is 4 of 8 (see list box below for voting members)

Meeting (did / did not) achieve quorum

Voting

Non-Voting

Staff

Apologies

Notes & Minutes

Administration

Minutes Approval

  1. DRAFT IAWG Meeting Minutes 2017-04-13
  2. DRAFT IAWG Meeting Minutes 2017-04-06
  3. DRAFT IAWG Meeting Minutes 2017-03-30
  4. DRAFT IAWG Meeting Minutes 2017-03-23

Motion to approve minutes: Denny Prvu
Seconded: Andrew Hughes
Discussion:
Motion Carried

Action Item Review

Staff Updates

Director's Corner (Link)
LC Updates
Participant updates

Discussion

NIST 800-63-3 Comments

Denny - observation about the glossary section - how much should we pick nits about missing words? "Token", for example, is missing. Scott notes that other documents are trying to switch from "token" to "authenticator".

Angela observes that CSP can mean Cloud Service Provider elsewhere; should the document take account of that? Andrew points out that since CSP has a defined meaning in this document, they do not need to harmonize with other documents.

Andrew notes, on section 5, that they should confirm that the referenced risk assessment is the relying party's assessment of risk.

Mark Hapner observes that section 5 might be the starting point for a new document about the RP's risk assessment.

RGW notes that section 6 is listed as informative, but contains SHALL statements as if it were normative.

Andrew observes that for CSPs, the Assurance Level is a shorthand for a bundle of controls. For RP, Assurance Level is a business impact assessment that results in a risk impact tolerance for the service in question. (not really a comment on 6303)

General observation that, due to Kantara's focus on CSPs, there do not seem to be many direct comments to be made on this particular draft.

RGW offers recommendation that the overall publication be restructured into 5 parts - the first part being informative and descriptive, the four successive parts would be expressly normative, and would address IAL, AAL, FAL and agency obligations respectively.

Ken reiterates that the assurance levels should be able to include more levels, see also comments on the 800-63A.

AOB

Attachments

Next Meeting