And I'm still trying to parse out the 63B#1980 criteria and below that are directly on the supplement contents. Am I missing it? Where's the text that describes how endpoint management tools can be used to enforce settings on devices that are under the control of the CSP or Federal Agency? That's essential stuff, because if the syncable authenticator config and the device on which the syncable authenticator is installed are under the control of the CSP or Agency, then I think (most/all) of the criteria could theoretically be met and the controls on those aspects could be enforced.

The big gap is a user-provided syncable passkey on a user-provided device. That's the category where the CSP has no information about configuration and also cannot force configuration.

Andrew Hughes, CISM
m +1 250.888.9474
AndrewHughes3000@gmail.com

On Wed, Oct 16, 2024 at 1:40 PM Andrew Hughes <andrewhughes3000@gmail.com> wrote:
I don't understand the wording of, e.g., 63B#1290-1320. Specifically, these criteria refer to things like "enforce a rate-limiting mechanism" for MF cryptographic software authenticators, where the proposed criterion talks about "where authenticators that allow the cloning of the secret key..."

But the whole problem with syncable authenticators is that that kind of control is not observable from the CSP viewpoint and is outside of the control of the CSP. It has nothing to do with syncable passkeys; it has to do with authenticator settings that the CSP has no info/control over.

Andrew Hughes, CISM
m +1 250.888.9474
AndrewHughes3000@gmail.com
On Wed, Oct 16, 2024 at 12:20 PM Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz> wrote:
Jimmy and I got a little out of step (my tardiness!) and I didn't get some further thoughts to him in time, so I attach a possible further iteration of these criteria. I think we're homing in on a consensus position.
One thing I want to stress independently is the idea of having a 'FIDO Passkey Profile'. We've talked about profiles in the past and defined a basic structure and rules for them. Both Jimmy and I are concerned about the "FIDO-ness" of these proposed changes and the fact that we're really employing euphemisms for passkeys and abrading the notion of being technology-agnostic in our criteria. Having a profile would separate the FIDO-ness from the principles of the base criteria: a separate SAC would be produced which CSPs/Agencies would elect to employ, and the specific provisions of the profile would overlay the baseline 63B criterion. In other words, the 63B_SAC need not change.
If this notion gains support I’m happy to draft a 63B_FIDO_SAC for the IAWG’s consideration. I reckon this is the way to go. Until tomorrow, …
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz <http://www.Zygma.biz>
+1 714 797 9942
From: Jimmy Jung <jimmy.jung@slandala.com>
Sent: Wednesday, October 16, 2024 01:28
To: Amanda Gay; wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Re: Invitation and Agenda - IAWG - 17 October 2024
Amanda, folks,
Attached please find a cleaner updated version. Again, selecting in column Q shows the related criteria, with actual changes in RED font.
From: Amanda Gay <amanda@kantarainitiative.org>
Sent: Tuesday, October 15, 2024 3:38 PM
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Invitation and Agenda - IAWG - 17 October 2024
Dear IAWG Members:
Please join us Thursday, October 12th, 12PM ET for our next IAWG meeting.
The proposed agenda and Zoom details are below.
Date and Time

· Date: Thursday, 2024-10-17
· Time: 9:00 PT | 12:00 ET (time zone calculator <https://www.timeanddate.com/worldclock/converter.html>)
o Please join the meeting from your computer, tablet or smartphone: https://zoom.us/j/93167965850?pwd=dldoT0hYK1k4MkVGYkQ3TkNqdG1Idz09
o Meeting ID: 931 6796 5850
o Passcode: 884696
o You can also dial in using your phone. Find your local number: https://zoom.us/u/aeg9vt8LSr
o Need to add IAWG meetings to your calendar? Do so here! <https://kantara.atlassian.net/wiki/spaces/IAWG/overview>
DRAFT 10.17.2024

1. Administration:
o Roll call, determination of quorum.
o Minutes approval
§ 2024.10.10 Minutes DRAFT <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/689242133/2024-10-10+IAWG+Meeting+Notes+DRAFT>
§ 2024.10.03 Minutes DRAFT <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/680329217/2024-10-03+IAWG+Meeting+Notes+DRAFT>
§ 2024.09.26 Minutes DRAFT <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/616497192/2024-09-26+IAWG+Meeting+Notes+DRAFT>
§ 2024.09.19 Minutes DRAFT <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/616661030/2024-09-19+IAWG+Meeting+Notes+DRAFT>
§ 2024.09.05 Minutes DRAFT <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/616661008/2024-09-05+IAWG+Meeting+Notes+DRAFT>
o Kantara Updates
§ DEIA Survey <https://www.surveymonkey.com/r/3LPP3WL> Open to Responses
o Assurance Updates
2. IAWG Actions/Reminders/Updates:
- Meeting cadence: weekly.
- Final NIST Comments <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/689537027/800-63+rev.+4+2PD+Comments+from+IAWG>

3. ISO 17065 Discussion Items

4. Group Discussion:
- Proposed syncable authenticator criteria from Richard/Jimmy (found in Meeting Materials <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/353632257/2024+Meeting+Materials> on the IAWG Wiki and attached).
- Review any comments/continued discussion
--
Amanda Gay | Administrative Coordinator
Twitter: @KantaraNews
LinkedIn: @KantaraInitiative