Today's call (2024-05-16) addressed the technical agenda item: Proposed 63A#0180 Revisions:

The net outcome was (I believe, but read the minutes for yourselves) broad support for implementing the proposed changes, the rationale for which was as follows (and the form of which is attached):

Whereas NIST wrote SP 800-63 rev.3 from the perspective of what a complete set of proofing, authentication and federation requirements might be, Kantara has, in response to market demand, accommodated within the IAF Approval scheme both Full and Component Services.

Generally speaking, the structure and level of granularity of criteria allows a provider of a Component Service to state which criteria apply and which do not.  However, I see some restriction being implied by 63A#0180 by reason of the very high perspective of this criterion and its sub-parts.  By stating what the ‘end game’ (i.e. Full Service) proofing evidence requirements are, and accepting that a criterion is either applicable or not, but there being no provision for ‘partially acceptable’, this criterion does not allow a Component Service provider to support part of the evidence selection and processing of a complete proofing while allowing its Service Consumer to provide the other evidence forms within the overall proofing.

Such a use case might be a provider which provides for proofing a STRONG form of evidence, perhaps because it can resolve the technologically-demanding parts of the end-to-end process, while it doesn’t support the processing of any FAIR evidence.

In full disclosure, I have a client which deploys such a service, handling a STRONG and a single FAIR form of evidence while the Service Consumer handles the second FAIR form of evidence.  [RGW 2024-05-16:  and others are known to be providing similar services and wishing to gain Kantara Approval.]  In such cases the criteria should be considered ‘not applicable’, yet to do so denies the CSP the recognition for the conformant processing of those forms of evidence which it does handle.

I am therefore proposing to the IAWG a revision to 63A#0180 which, by breaking down the inherent ‘breadth’ of this criterion, allows for more definitive applicability to be denoted.  Please see the attached proposed changes.

Clearly, in the cases of the expanded sub-criteria c) and d), a Full Service would have to indicate ‘applicable’ for all sub-parts of c) and/or d) respectively, whereas a Component Service could be selective, according to its architecture/design.

It should be noted that in the above discussion ‘Component Service’ is one which meets the definition in the Kantara Glossary KIAF-1050 v2.0 (§3.4), not the erroneous description on the TSL pages.  The same applies to the ‘Full Service’ definition (§3.5).


At the close of the meeting I was asked to prepare a motion for e-voting, which I present below, though I have seen fit to propose two motions for the purposes of fully addressing the requirements for proceeding with the acceptance and publication of the proposed changes.  I guess the Secretariat will be responsible for setting the voting in progress with a deadline for submissions?

Motion #1:  That the subject proposed changes to criterion 63A#0180 be approved by the IAWG as presented and that the KI Secretariat publish them without delay as the latest criteria set (KIAF-1430 SP 800-63A SAC-SoCA v5.1).


Motion #2:  That the subject changes be approved as being Non-material in nature*, and in their publication, be processed accordingly by the KI Secretariat.

* The materiality was not discussed, but I will offer the argument that since these changes will add clarity, will not impose any additional operational or functional requirements upon CSPs and will not require any changes to existing Approved services, they are NOT of a material nature.  Neither will they affect nor influence one jot any spurious attempts to claim Kantara Approval where none exists.

Thank you for your efforts to address these changes.


Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942