
Richard, I see you've glossed over the Liberty Alliance, which was the actual and direct precursor of the Kantara Initiative...
Yrs., Robin
On Thu, 6 Feb 2025, at 01:37, Richard G. WILSHER (@Zygma Inc.) wrote:
Not really. For the record: The genesis was in EC-funded studies done in the late 1990s and very early 2000s which looked at assurance in the commercial sector as the “infosec” cat got out of the “spooks’” bag. The very first (to the best of my knowledge) trust assurance framework was put into place by the Federation of the Electronics Industry (FEI) in the UK, commencing in 2000, which with the benefit of EC-funding, became *tScheme*. With GSA’s interest, that became the Federal government’s Electronic Authentication Initiative which was then pushed into a private/public partnership, as the Electronic Authentication Partnership, from which has developed Kantara Initiative. A lot of smart people have put thousands, and most probably tens of thousands, of hours into this process over that quarter of a century. I’ve been lucky enough to work with them. One day when I have some spare time I’ll write the history, but for now I’d suggest that adjectives such as “pioneering” and “well-founded” would be far more appropriate.
*Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942*
*From:* Andrew Hughes [mailto:andrewhughes3000@gmail.com] *Sent:* Wednesday, February 5, 2025 16:07 *To:* Richard G. WILSHER (@Zygma Inc.) *Cc:* IAWG *Subject:* [WG-IDAssurance] Re: IAWG Charter Update text
Apologies - I meant it in the sense that the program was essential and had to be built from the ground up. Which meant that it was bespoke.
————————
*Andrew Hughes* CISM m +1 250.888.9474 AndrewHughes3000@gmail.com
On Wed, Feb 5, 2025 at 8:05 AM Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz> wrote:
“In the original days of the program (the first 7-10 years or so), the Kantara program was bespoke and quirky”
Well Andrew, that’s very neatly trashed the efforts of many people over a couple of decades. Well done.
*Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942*
*From:* Andrew Hughes [mailto:andrewhughes3000@gmail.com] *Sent:* Wednesday, February 5, 2025 15:30 *To:* Jimmy Jung *Cc:* IAWG *Subject:* [WG-IDAssurance] Re: IAWG Charter Update text
Thanks Jimmy
The role of IAWG does have to shift. One of the main drivers is that with the move towards 17065 accreditation, Kantara needs to have control over contracting with applicant CSPs to ensure quality, timeliness, suitability, etc. In today's US assurance program, the accredited assessor contracts with the applicant CSP and performs assessments according to their internal procedures. This has resulted in inconsistencies between individual assessors' capabilities and uneven quality of assessments. Significantly, in today's arrangements, the accredited assessor is accountable for when things go wrong - if something is assessed incorrectly that results in a harm, it's on the assessor's contract with the CSP and the assessor's insurance to deal with. Don't expect today's ARB to offer any cover. In the 17065 accredited US program, Kantara owns that contract, and thus is exposed to new risks. And so, needs to adjust responsibilities.
The balance of responsibilities between the Kantara US program and IAWG will have to be negotiated in 2025. That's why it's critical for participants in IAWG to participate consistently.
In the original days of the program (the first 7-10 years or so), the Kantara program was bespoke and quirky. Now Kantara needs an industrial-strength program. Given that this robust, scalable, consistent program is coming, IAWG really should focus on the requirements, not the criteria used by assessors to evaluate and record findings. Since 2016-ish IAWG has focused exclusively on NIST 800-63 as the basis for requirements. That has not always been the case. Going forward we need to look beyond the US environment (gradually) - it's not the only way to deliver reliable credentials! And if we do not, we risk having situations like the requirements for syncable authenticators imposed on us with no real latitude to offer real alternatives. It's time for our singular focus on 800-63 to pass.
(yes Jimmy, I know you are offline for a few days) andrew.
————————
*Andrew Hughes* CISM m +1 250.888.9474 AndrewHughes3000@gmail.com
On Wed, Feb 5, 2025 at 2:56 AM Jimmy Jung <jimmy.jung@slandala.com> wrote:
Andrew,
I won’t be able to attend tomorrow, but I was hoping the conversation might pick up a little of last week’s meeting (non-quorum get-together). Specifically, is the notice the long-term solution for passkeys, in light of the fact that it seems 63-4 will look a lot like the supplement?
Regarding the charter, don’t undersell it. I think your updates are non-trivial. I thought the IAWG did a fairly successful job with the 63-3 criteria (maybe less so with the 63B supplement). But these updates seem to move the management and maintenance of the criteria out of the relatively open spaces of the IAWG, to a situation where the IAWG is more advise and consent (an approach that’s going just great here in Washington DC).
Can you expound on the 17065ness of it all? As you and I have occasionally touched on the IAWG meeting cadence, I think this will likely lower their necessity.
Jimmy
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/1278189/IAWG+Charter?pr...
*From:* Andrew Hughes <andrewhughes3000@gmail.com> *Sent:* Tuesday, February 4, 2025 1:00 PM *To:* IAWG <wg-idassurance@kantarainitiative.org> *Subject:* [WG-IDAssurance] IAWG Charter Update text
Hello IAWG!
It's time to review/renew our WG Charter.
Yehoshua and I have refined the front sections of the charter and have started to adjust it in light of Kantara US seeking accreditation under ISO 17065. No major changes - just trying to set IAWG up for success particularly during the development of next-generation assessment criteria.
The plan is to discuss this text this week and approve the updated Charter on February 13.
thanks!
andrew.
*Purpose & Scope:* The Identity Assurance Work Group (IAWG) supports Kantara in developing and maintaining assessable identity assurance criteria for the Kantara US Identity Assurance Program and other relevant frameworks. IAWG ensures that criteria define measurable methods for compliance rather than restating requirements. The workgroup provides subject matter expertise to Kantara, advises the Assurance Review Board (ARB), and facilitates discussions on identity proofing, authentication, and assurance.
IAWG's focus is on defining certification criteria that align with the specific functions organizations perform within identity proofing and authentication. The workgroup remains technology- and vendor-agnostic while emphasizing strategic and policy-oriented assurance practices.
*RESPONSIBILITIES:*
• Assist Kantara in developing and evolving identity assurance criteria that support certification of specific identity proofing and authentication functions.
• Ensure that criteria are assessable and define how compliance must be demonstrated.
• Provide expert input on identity assurance policies, standards, and interoperability with other assurance schemes.
• Advise Kantara leadership and the ARB on assurance-related topics.
• Engage with other Kantara groups to align identity assurance efforts with broader industry needs.
*Andrew Hughes* CISM
mobile/signal +1 250.888.9474 AndrewHughes3000@gmail.com _https://www.linkedin.com/in/andrew-hughes-682058a_