First, I’d note that Richard’s proposal is separate and only tangentially related to the question of defining a component assessment; and I believe it can be reviewed and dealt with currently, without being hampered by the discussion of component assessments that came up last week.
That being said, I was a little surprised we spent so much time on the component question, something I thought we had resolved some time ago. I jumped into the minutes and started looking around, trying to find where we left it. So below please find what I assure you is an incomplete digest of the component discussion, which appeared to reach its end in Fall 2022.
In the 2022-09-01 Minutes – We were discussing problems with the term ‘partial’ approval, with a preference for a ‘component’ approval versus a ‘partial’ and the challenge of ensuring potential customers know what they are getting.
In the 2022-09-15 Minutes – We handed off to a subcommittee to give a proposal for the group to review and confirm. The term “Component” swept the term “partial” 5-0 in an informal vote and the entire component/assurance program topic was taken off the agenda while the small group worked it.
In the 2022-10-27 Minutes – The small group returned and presented the following proposals:
1. ‘Partial’ should be dropped and ‘Component’ used consistently.
2. Definitions:
   · Full is NOT IAL+AAL. There may be ‘full [enrollment & proofing] service’; ‘full [authentication & lifecycle management] service’
   · ‘full service’ – means either a full [enrollment & proofing] service or a full [authentication & lifecycle management] service or both of these services. (It should be noted that there were several discussions about the use of non-applicability, as vetted by an assessor prior to this proposal)
   · ‘component service’ – a service which does not meet completely the requirements of any full service.
3. Several updates to the CO_SAC, with the goal of simplifying the CO_SAC
4. Classes of Approval: The ‘NIST 800-63 rev.3 (Technical)’ Class of Approval should be removed at the earliest opportunity, thereby requiring such assessments to transition to being of the Class ‘NIST 800-63 rev.3’ and requiring inclusion of the CO_SAC, subject to some qualifications
5. Simple guide to SP 800-63 Approvals: Discussion in IAWG sessions addressed the confusion surrounding what a KI Approval means and what claims may (or may not) be made about it. It was suggested that a concise description be provided, emphasizing what KI stands for and how that can be ascertained. The final outcome of this would need to align to the final outcome of the preceding recommendations.
6. Trust Mark format/structure: To avoid the TM becoming overloaded with information and therefore lacking a clear KI-corporate image, the mark should be kept as simple as possible. The proposal identified considerations for the final Trust Marks.
IAWG members were encouraged to review and comment.
In the 2022-11-03 Minutes – Lynzie recapped; the definitions were discussed further. Andrew called for any final modifications to the report. None were made. Andrew moved to accept this report as the IAWG recommendation for updates to the Kantara IAF and relevant controlling documents. Michael Magrath seconded. The motion was approved.
Jimmy
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/134938625/2.+2023+Meeting+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/1278650/3.+2022+Meeting+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/58195969/2022-09-01+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/70483969/2022-09-15+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/104333353/2022-10-27+Minutes
https://docs.google.com/document/d/1rApk9MLllK9X4I02T9GVUpYdKSuq2j0q/edit?pli=1
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/108494971/2022-11-03+Minutes