In-line,

Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Wednesday, March 20, 2024 01:21
To: Richard G. WILSHER (@Zygma Inc.); wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] FAL?

My thinking follows yours; no, yes and how-would-you-even-do-that.

That being said, I believe somewhere in the various US federal standards there is something that says you must be IAL, AAL and FAL compliant. No doubt written by someone who thought it safer to be comprehensive and didn’t quite think it through, consequently the FAL question does get asked where there is no federation.

RGW: I would have to assume the unwritten/unspoken ‘as applicable’.

Also, I see situations where someone sort of seems to be in charge, but seems uninterested in the mantle of “FEDERATION AUTHORITY.”

RGW: Just talking a wag at that poss situation: Is there a Fedn Agrmnt which states how the Fedn is to operate, who approves the document? If it says that decisions as to the Agrmnt are determined by a majority, then show me the records of that happening, show me how a revised doc is approved. Someone has to take these steps, even if they rotate the responsibility annually (or even monthly!). If no control can be demonstrated by some rule / process then that’s a nonconformity in my mind, and I’m tending towards it being Major. If you can’t show decent management of a Fedn iaw its Agrmnt it isn’t worthy of Approval (imho: h = ‘hasty’). There may be many ways to construct, control, operate a Fedn, and I have no preferences, nor limitations, as to how that might be accomplished, so long as the 63C_SAC criteria can be met and that means there has to be a working Fedn Agrmnt and effective ‘authority’ over it (note, small ‘a’).

jimmy

From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Tuesday, March 19, 2024 8:43 PM
To: Jimmy Jung <jimmy.jung@slandala.com>; wg-idassurance@kantarainitiative.org
Subject: RE: [WG-IDAssurance] FAL?

I have to assume that by ‘63C compliant’ you mean ‘conformant to the Kantara 63C_SAC criteria’, because you’d have a hard job determining conformity/compliance against the NIST doc as published (which NIST have admitted was a bit of a ‘suck it and see’ approach - nice to notice that the idea of a Fedn Agrmnt has been adopted for rev.4).

We invented the notions of a Fedn Agrmnt and a Fedn Authy because without certainly the former one would have little against which to assess, and the latter, well, it’s just good to have someone in charge (or to put it another way, at whom to point one’s finger).

So I reckon it’s a ‘No’, a ‘Yes, if you must’ – I mean, I’d want to see that it functioned as a genuine cooperative, because if there was only a single entity appearing to run the show then … aren’t they the authority? And on your third question, I’d tend towards a definitive ‘No’ – I don’t see how can you have a federation without a federation ??

You should have your wife listen to the next IAWG call – she’d certainly be arranging to have you taken away to the funny farm!

That’s my Fedora thrown into the ring.

Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Tuesday, March 19, 2024 19:00
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] FAL?

I recall us working on the FAL criteria, and I even recall when we came up with the concept of a Federation Agreement, I even recall my wife thinking we were all quite daft, listening to one of our meetings as we drove down to the beach; but I don’t recall much more.

So, as I was glancing through the criteria, I was struggling to answer the following: Can you be 63C compliant, without a federation agreement, a federation authority or a federation?

I think the answers are no, yes and I don’t think so. That is to say, I think our criteria is set up to require an agreement, and folks that you are agreeing with – even if no one is “in-charge.” I will eventually get into it deeper, but I base this on our criteria that says, “in the absence of a Federation Authority, the parties in the federation must organize the creation of a Federation Agreement between themselves.”

jimmy