The sound of one hand clapping? It's also quite possible to be in more than one federation, and I'm not sure how that is covered. The parties presumably do not have to be currently active. The EU cross-border provisions of eIDAS have a lot of one-way requirements (even if couched in 'Mutual' language) but the 'first to market' must be allowed in, even if there is nobody else yet to play with. Five-Eyes arguably have no federation agreement, just five sovereign decisions to play nicely with the rest of the group. Passports also in theory comply with standards by peer-pressure, and there are presumably North American 'States/provinces rights' issues on driving/drivers licences/licenses where it's hardly up to Kantara to define what they must do.

On 2024-03-20 09:47, Jimmy Jung wrote:

That was a possibility I was considering, but I think our criteria would seem to specifically prohibit it;

"in the absence of a Federation Authority, the parties in the federation must organize the creation of a Federation Agreement between themselves."  "Federation participants SHALL inter-operate in accordance with a documented Federation Agreement which SHALL define the obligations upon participants within the applicable Federation."

NIST seems to imply that there will be a Federation Authority enforcing a standard; we seem to allow for not having an "authority," but still needing a standard/federation.  In your case, perhaps the law defining the PKI and prohibiting the closed monopoly is the standard/agreement; which begs the question, can a party-of-one organize the creation of a Federation Agreement JUST between themselves?

From: mhaeaking@freeuk.com <mhaeaking@freeuk.com>
Sent: Wednesday, March 20, 2024 2:59 AM
To: Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz>
Cc: Jimmy Jung <jimmy.jung@slandala.com>; wg-idassurance@kantarainitiative.org
Subject: Re: [WG-IDAssurance] Re: FAL?

Could the context be federable, i.e. has all the links in to make it connect to any equivalent competition should there be any? My example is the West Australian system with a (privately-provided) PKI for those dealing in property and the land registry (I do not have the exact names to hand). The law is careful to demand that this is not setting up as a closed monopoly, even if nobody is interested in setting up a competitor.

Thus the one provider should be checked out as being standards compliant and open to federation, even if no such federation is expected to emerge?

Mark

On 2024-03-20 02:39, Richard G. WILSHER (@Zygma Inc.) wrote:

In-line,

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Wednesday, March 20, 2024 01:21
To: Richard G. WILSHER (@Zygma Inc.); wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] FAL?

My thinking follows yours; no, yes and how-would-you-even-do-that.

That being said, I believe somewhere in the various US federal standards there is something that says you must be IAL, AAL and FAL compliant.  No doubt written by someone who thought it safer to be comprehensive and didn't quite think it through, consequently the FAL question does get asked where there is no federation.

RGW:  I would have to assume the unwritten/unspoken 'as applicable'.

Also, I see situations where someone sort of seems to be in charge, but seems uninterested in the mantle of "FEDERATION AUTHORITY."
RGW:  Just taking a wag at that poss situation:  Is there a Fedn Agrmnt which states how the Fedn is to operate, who approves the document?  If it says that decisions as to the Agrmnt are determined by a majority, then show me the records of that happening, show me how a revised doc is approved.  Someone has to take these steps, even if they rotate the responsibility annually (or even monthly!).  If no control can be demonstrated by some rule / process then that's a nonconformity in my mind, and I'm tending towards it being Major.

If you can't show decent management of a Fedn iaw its Agrmnt it isn't worthy of Approval (imho:  h = 'hasty').  There may be many ways to construct, control, operate a Fedn, and I have no preferences, nor limitations, as to how that might be accomplished, so long as the 63C_SAC criteria can be met and that means there has to be a working Fedn Agrmnt and effective 'authority' over it (note, small 'a').

jimmy

From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Tuesday, March 19, 2024 8:43 PM
To: Jimmy Jung <jimmy.jung@slandala.com>; wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] FAL?

I have to assume that by '63C compliant' you mean 'conformant to the Kantara 63C_SAC criteria', because you'd have a hard job determining conformity/compliance against the NIST doc as published (which NIST have admitted was a bit of a 'suck it and see' approach - nice to notice that the idea of a Fedn Agrmnt has been adopted for rev.4).

We invented the notions of a Fedn Agrmnt and a Fedn Authy because without certainly the former one would have little against which to assess, and the latter, well, it's just good to have someone in charge (or to put it another way, at whom to point one's finger).  So I reckon it's a 'No', a 'Yes, if you must' – I mean, I'd want to see that it functioned as a genuine cooperative, because if there was only a single entity appearing to run the show then ... aren't they the authority? 

And on your third question, I'd tend towards a definitive 'No' – I don't see how you can have a federation without a federation ??

You should have your wife listen to the next IAWG call – she'd certainly be arranging to have you taken away to the funny farm!


That's my Fedora thrown into the ring.

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Tuesday, March 19, 2024 19:00
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] FAL?

I recall us working on the FAL criteria, and I even recall when we came up with the concept of a Federation Agreement, I even recall my wife thinking we were all quite daft, listening to one of our meetings as we drove down to the beach; but I don't recall much more. So, as I was glancing through the criteria, I was struggling to answer the following:

Can you be 63C compliant, without a federation agreement, a federation authority or a federation?  I think the answers are no, yes and I don't think so.

That is to say, I think our criteria is set up to require an agreement, and folks that you are agreeing with – even if no one is "in-charge."  I will eventually get into it deeper, but I base this on our criteria that says, "in the absence of a Federation Authority, the parties in the federation must organize the creation of a Federation Agreement between themselves."

jimmy