Right, and CO#0170 requires that the CSP can “Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community and must show that a risk assessment review is performed at least once every twelve months, such as adherence to CobIT or [IS27001] practices” plus in 63A/B there are requirements that “The CSP SHALL employ appropriately-tailored security controls, to include control enhancements, from the high baseline of security controls defined in SP 800-53 or equivalent federal (e.g., FEDRAMP) or industry standards” and “When fulfilling criterion 63A#0430 the CSP SHALL ensure that the minimum assurance-related controls for high-impact systems or equivalent are satisfied” (virtually directly from SP 800-63 rev.3), but there comes the question as to how much time is invested in pulling apart the details of the risk management and assessment. Plus there are specific criteria which explicitly address risk-determined measures such as password lengths, use of approved algorithms, …
BUT, … the problem is that a good number of those criteria fall within the passkey infrastructure and are invisible. I think that, whilst (in my experience) CSPs are serious about their risk management and reduction, one has to recognize that sometimes a risk is worth taking because of the potential rewards, and the rationale is simply that: 1 – passkey service providers will not offer any insight into their functioning; 2 – the specification seems good and is widely recognized, and the claim is that it is being met (by the service providers – see point 1); 3 – clients (RPs) and Subjects are wanting it; 4 – CSPs do not want to lose market share; 5 – there is a recognized advantage over the use of passwords; 6 – the sheer ubiquity of these devices and the fact that they have not yet been shown to be suffering massive failures, i.e. they are demonstrating a generally-accepted degree of robustness. These factors collectively lead to a business risk analysis outcome which says “Yeah, we’ll use them”.
The proposed notice encourages CSPs to advise their users (small ‘u’ – i.e. anyone interfacing to their service) but we felt that requiring such a notice or requiring an explicit risk analysis would therefore have to be expressed as assessable criteria, and we have not gone down that path, in part because of the required drafting / public review process and the difficulty in capturing the requirement in a manner which coped with the invisibility of the passkey fabric.
And finally, the ‘chosen standard’ is frankly unlikely to address specific technologies, which is what we are facing.
If you have any suggested changes to the text of the notice (or a different course of action?) please let us have them.
Best,
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
From: Nathan Faut [mailto:n_faut_23658@yahoo.com]
Sent: Thursday, November 21, 2024 19:00
To: IA WG; Richard G. WILSHER (@Zygma Inc.)
Subject: Re: [WG-IDAssurance] Re: Revised Draft KI#N2024-01
Richard -
But as assessors, you should review that the CSP performed a risk assessment according to their chosen standard - ISO, NIST, FEMA, PCI, whatever. You should not necessarily be waiting for NIST vis FIDO - a good risk assessment is still a good thing ...
right?
-Nathan =-=-=-=-=-=-=-
On Thursday, November 21, 2024 at 01:10:39 PM EST, Richard G. WILSHER (@Zygma Inc.) <rgw@zygma.biz> wrote:
“I assume this is predicated on risk assessments performed by NIST on FIDO implementations”
Until such time as NIST actually publishes anything which it claims to be pursuant to a risk analysis the sceptic in me rules! We’ve heard it before but seen nothing.
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Thursday, November 21, 2024 17:59
To: Richard G. WILSHER (@Zygma Inc.)
Subject: RE: [WG-IDAssurance] Revised Draft KI#N2024-01
After my note to Mike, I’m wondering if we should go back to calling them “Cryptographic Software Authenticators”
From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Thursday, November 21, 2024 12:38 PM
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] Revised Draft KI#N2024-01
Well I’ve put to good use the time Amanda just gave back, so attached is a revised version of the Notice which has:
Until 12-05 …
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
From: Amanda Gay [mailto:amanda@kantarainitiative.org]
Sent: Thursday, November 21, 2024 15:58
To: wg-idassurance@kantarainitiative.org
Subject: [WG-IDAssurance] CANCELLED - IAWG - 21 November 2024
Dear IAWG Members:
Apologies for the late cancellation, however, I just got word from Kantara leadership that we will NOT meet today. Please review the Updated Notice (attached) and send comments through to the mailing list.
Next Thursday is Thanksgiving in the US--there will be no IAWG call. We will tentatively regroup on December 5th.
Feel free to reach out with any questions or concerns!
Best,
-A
Amanda Gay | Administrative Coordinator
Twitter: @KantaraNews
LinkedIn: @KantaraInitiative
*Please take a few minutes to complete the third annual DEIA survey!*
_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance