Motions re. adoption of proposed changes to 63A#0180
Today's call (2024-05-16) addressed the technical agenda item: Proposed 63A#0180 Revisions. The net outcome was (I believe, but read the minutes for yourselves) broad support for implementing the proposed changes, the rationale for which was as follows (and the form of which is attached):

Whereas NIST wrote SP 800-63 rev.3 from the perspective of what a complete set of proofing, authentication and federation requirements might be, Kantara has, in response to market demand, accommodated within the IAF Approval scheme both Full and Component Services. Generally speaking, the structure and level of granularity of criteria allows a provider of a Component Service to state which criteria apply and which do not. However, I see some restriction being implied by 63A#0180 by reason of the very high perspective of this criterion and its sub-parts. By stating what the end game (i.e. Full Service) proofing evidence requirements are, and accepting that a criterion is either applicable or not, but there being no provision for partially acceptable, this criterion does not allow a Component Service provider to support part of the evidence selection and processing of a complete proofing while allowing its Service Consumer to provide the other evidence forms within the overall proofing. Such a use case might be a provider which provides for proofing a STRONG form of evidence, perhaps because it can resolve the technologically-demanding parts of the end-end process, while it does not support the processing of any FAIR evidence. In full disclosure, I have a client which deploys such a service, handling a STRONG and a single FAIR form of evidence while the Service Consumer handles the second FAIR form of evidence. [RGW 2024-05-16: and others are known to be providing similar services and wishing to gain Kantara Approval.]

In such cases the criteria should be considered not applicable, yet to do so denies the CSP the recognition for the conformant processing of those forms of evidence which it does handle. I am therefore proposing to the IAWG a revision to 63A#0180 which, by breaking down the inherent breadth of this criterion, allows for more definitive applicability to be denoted. Please see the attached proposed changes. Clearly, in the cases of the expanded sub-criteria c) and d), a Full Service would have to indicate applicable for all sub-parts of c) and/or d) respectively, whereas a Component Service could be selective, according to its architecture/design.

It should be noted that in the above discussion Component Service is one which meets the definition in the Kantara Glossary KIAF-1050 v2.0 (§3.4), not the erroneous description on the TSL pages. The same applies to the Full Service definition (§3.5).

At the close of meeting I was asked to prepare a motion for e-voting, which I present below, though I have seen fit to propose two motions for the purposes of fully addressing the requirements for proceeding with the acceptance and publication of the proposed changes. I guess the Secretariat will be responsible for setting the voting in progress with a deadline for submissions?

Motion #1: That the subject proposed changes to criterion 63A#0180 be approved by the IAWG as presented and that the KI Secretariat publish them without delay as the latest criteria set (KIAF-1430 SP 800-63A SAC-SoCA v5.1).

Motion #2: That the subject changes be approved as being Non-material in nature*, and in their publication, be processed accordingly by the KI Secretariat.

* The materiality was not discussed but I will offer the argument that since these changes will add clarity, will not impose any additional operational or functional requirements upon CSPs and will not require any changes to existing Approved services, they are NOT of a material nature. Neither will they affect nor influence one jot any spurious attempts to claim Kantara Approval where none exists.

Thank you for your efforts to address these changes.

Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942
First, I'd note that Richard's proposal is separate and only tangentially related to the question of defining a component assessment; and I believe it can be reviewed and dealt with currently, without being hampered by the discussion of component assessments that came up last week. That being said, I was a little surprised we spent so much time on the component question; something I thought we had resolved some time ago. I jumped into the minutes and started looking around, trying to find where we left it. So below please find, what I assure you is an incomplete digest of the component discussion, which appeared to reach its end in Fall 2022.

In the 2022-09-01 Minutes - We were discussing problems with the term 'partial' approval, with a preference for a 'component' approval versus a 'partial' and the challenge of ensuring potential customers know what they are getting.

In the 2022-09-15 Minutes - We handed off to a subcommittee to give a proposal for the group to review and confirm. The term "Component" swept the term "partial" 5-0 in an informal vote and the entire component/assurance program topic was taken off the agenda while the small group worked it.

In the 2022-10-27 Minutes - The small group returned and presented the following proposals:

1. 'Partial' should be dropped and 'Component' used consistently.
2. Definitions:
   * Full is NOT IAL+AAL. There may be 'full [enrollment & proofing] service'; 'full [authentication & lifecycle management] service'
   * 'full service' - means either a full [enrollment & proofing] service or a full [authentication & lifecycle management] service or both of these services. (It should be noted that there were several discussions about the use of non-applicability, as vetted by an assessor prior to this proposal)
   * 'component service' - a service which does not meet completely the requirements of any full service.
3. Several updates to the CO_SAC: with the goal of simplifying the CO_SAC
4. Classes of Approval: The 'NIST 800-63 rev.3 (Technical)' Class of Approval should be removed at the earliest opportunity thereby requiring such assessments to transition to being of the Class 'NIST 800-63 rev.3' and requiring inclusion of the CO_SAC, subject to some qualifications
5. Simple guide to SP 800-63 Approvals: Discussion in IAWG sessions addressed the confusion surrounding what a KI Approval means and what claims may (or may not) be made about it. It was suggested that a concise description be provided, emphasizing what KI stands for and how that can be ascertained. The final outcome of this would need to align to the final outcome of the preceding recommendations.
6. Trust Mark format/structure: To avoid the TM becoming overloaded with information and therefore lacking a clear KI-corporate image the mark should be kept as simple as possible: The proposal identified considerations for the final Trust Marks. IAWG members were encouraged to review and comment.

In the 2022-11-03 Minutes - Lynzie recapped; the definitions were discussed further. Andrew called for any final modifications to the report. None were made. Andrew moved to accept this report as the IAWG recommendation for updates to the Kantara IAF and relevant controlling documents. Michael Magrath seconded. The motion was Approved.

Jimmy

https://kantara.atlassian.net/wiki/spaces/IAWG/pages/134938625/2.+2023+Meeting+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/1278650/3.+2022+Meeting+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/58195969/2022-09-01+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/70483969/2022-09-15+Minutes
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/104333353/2022-10-27+Minutes
https://docs.google.com/document/d/1rApk9MLllK9X4I02T9GVUpYdKSuq2j0q/edit?pli=1
https://kantara.atlassian.net/wiki/spaces/IAWG/pages/108494971/2022-11-03+Minutes
Thank you for taking that trouble, Jimmy. If those findings are observed the matter should be closed.

Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Jimmy Jung [mailto:jimmy.jung@slandala.com]
Sent: Monday, May 20, 2024 20:53
To: IA WG
Subject: [WG-IDAssurance] A VERY non-comprehensive summary of the component thing
Hi Jimmy,

Apologies for the delayed response, things were hectic leading up to Identiverse and I never got around to responding to this before I left. In response to the small task force's report from November 2022, here is where everything stands:

1. Component vs. Partial: Partial was dropped, and component used consistently on trust marks and TSL since late 2022. Completed.
2. Definition of ‘component’: As Jimmy mentioned, approved 2022-11-03. This has not been fully implemented as the current approved services need to be reclassified on the Trust Service List. Lynzie has tried to find assistance in reclassifying services under new definitions but has not been successful. This is the biggest area of concern – as some things are updated while others are not.
3. Revision to CO_SAC: has stalled. With the delay in rev.4 this has made no progress – the initial thought was that it would roll out in the next big overhaul to our criteria.
4. Classes of approval: this was always contingent on #3; therefore, is not effective yet.
5. Simple guide to 800-63 approvals: on website: https://kantarainitiative.org/simple-guide-to-ki-assessment-services/ Completed.
6. Trust Mark format/structure: QR codes have not come to fruition; new, updated trust marks that align with #2 are live (see first point above).
7. Forms of assessment: The ARB was not in full agreement with this and felt that we should offer something in the realm of ‘readiness’. At this point, it is still offered, and we do have two companies approved as RTO.

The most critical issue is completing #2 for consistency. Happy to revisit any other points.

Lynzie Adams
Assurance Program Manager
Re #2, I’m still concerned that we have a misunderstanding as to the final determination of what is ‘component’. I don’t see that any re-classifying is necessary because I don’t think the definition has been fundamentally changed. Possibly refined but not redefined. Something for the meeting of the 13th?

R

Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942

From: Lynzie Adams [mailto:lynzie@kantarainitiative.org]
Sent: Monday, June 3, 2024 17:48
To: Richard G. WILSHER (@Zygma Inc.)
Cc: IA WG
Subject: Re: [WG-IDAssurance] Re: A VERY non-comprehensive summary of the component thing