Join Us In One Hour - IAWG Meeting
Dear IAWG Members: Please join us today in an hour for our next IAWG meeting. The proposed agenda and Zoom details are below.

Date and Time
- Date: Thursday, 2024-03-28
- Time: 9:00 PT | 12:00 ET (time zone calculator <https://www.timeanddate.com/worldclock/converter.html>)
- Please join the meeting from your computer, tablet or smartphone: https://zoom.us/j/93167965850?pwd=dldoT0hYK1k4MkVGYkQ3TkNqdG1Idz09
- Meeting ID: 931 6796 5850
- Passcode: 884696
- You can also dial in using your phone. Find your local number: https://zoom.us/u/aeg9vt8LSr
- Need to add IAWG meetings to your calendar? Do so here! <https://kantara.atlassian.net/wiki/spaces/IAWG/overview>

DRAFT Agenda 03.28.2024
1. Administration:
   - Roll call, determination of quorum.
   - Minutes approval - 2024-03-15 DRAFT Minutes <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/403505154/2024-03-14+DRAFT+Minutes>
   - Kantara Updates
   - Assurance Updates
2. IAWG Actions/Reminders/Updates:
3. Discussion:
   - Richard Wilsher - Interpretation of criteria <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/353632257/2024+Meeting+Materials>
   - Continue discussion on second criteria question #0180 (superior v. strong evidence) with a “tidied” updated version of Richard’s proposed alternative/comparable criteria <https://kantara.atlassian.net/wiki/spaces/IAWG/pages/353632257/2024+Meeting+Materials> (sent 2024.03.14, also attached)
   - FAL Criteria - Jimmy Jung’s email and subsequent thread
4. Any Other Business

Reach out with any questions or concerns!

Best,
-A

--
Amanda Gay | Administrative Coordinator
Twitter: @KantaraNews
LinkedIn: @KantaraInitiative
We have mostly avoided the federal agency/FIPS 140 criteria, but I was looking at 63B#0120, which is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.”

“Verifiers” refers to an organization, typically the CSP – specifically, 63 defines it as “an entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.”

But FIPS 140 is Security Requirements for devices, specifically Cryptography and Cryptographic Modules. So, I can’t figure out what they want here.

63B#0120
Federal agencies SHALL only operate verifiers which have been validated as meeting FIPS 140 Level 1 or higher.

(possibly that cryptographic authenticators should meet FIPS 140 – but that would appear to conflict with other criteria and guidance?)

Jimmy
My understanding is that the cryptographic modules that are validating the signatures need to be FIPS level 1 certified. The authenticators for AAL3 would need to be FIPS-140 level 2 physical 3 certified. There is a FIPS authenticator requirement at AAL2 as well but it is L1 physical 3 I think. It is in SP-800-63. John B.
_______________________________________________ A Community Group mailing list of KantaraInitiative.org <http://kantarainitiative.org/> WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org <mailto:wg-idassurance@kantarainitiative.org> To unsubscribe send an email to staff@kantarainitiative.org <mailto:staff@kantarainitiative.org> List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantara... ______ Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance
I've always thought of this as having to do with the fact that part of the validation process should involve crypto modules (hash algorithms as an example). This would make sense to require them at FIPS Level 1.

This should extend to more than the CSP as well, and would affect any RP that needs to validate a credential directly.

Bryan Rosensteel
Ping Identity - US Federal CTO

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
I might buy that, but still, at the very least, your answers seem to highlight the fact that “verifiers” is an odd choice of words. You both immediately talk about modules, whereas they define verifiers as entities.

It also seems a little out of balance. 800-63B ONLY requires authenticators to meet the requirements of FIPS 140, when they are procured by government agencies. So federal agencies supporting BYOD (including RPs, as Bryan notes) must use FIPS modules – I might even buy that. But it also seems broad. 800-63B goes on to talk about Memorized Secret Verifiers, Look-Up Secret Verifiers and Out-of-Band Verifiers. Are these to be FIPS validated?

jimmy

From: Bryan Rosensteel <bryanrosensteel@pingidentity.com>
Sent: Tuesday, April 9, 2024 10:48 PM
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Jimmy Jung <jimmy.jung@slandala.com>; IAWG <wg-idassurance@kantarainitiative.org>
Subject: Re: [WG-IDAssurance] Re: FIPS 140 and verifiers
All very fine points, and I agree on the vagueness.

Bryan Rosensteel
Ping Identity - US Federal CTO
Hi all,

Jumping in while I have a moment because this hits a particular bugaboo for me. "validated as meeting FIPS 140 level 1" is not a thing. FIPS 140 is a certification process for cryptographic modules, and certified modules will have a security policy published which instructs customers how to operate in FIPS mode. Unless something has changed while I was not paying attention, there is no "validation" process to confirm whether modules are being operated in compliance with the instructions. Yet another example of meaningless requirements in 800-63.

Thanks and FWIW,
Scott
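The thread turns on what it means for a verifier, which 800-63 defines as an entity rather than a device, to "meet FIPS 140", and on whether memorized-secret verifiers are in scope at all. The following is an added example, not code from the list, from NIST or from Kantara: a memorized-secret verifier whose only cryptographic operations (PBKDF2 with HMAC-SHA-256, the SP 800-132 password KDF, and a constant-time comparison) are delegated to the platform crypto module through hashlib, plus a probe of whether that module is enforcing FIPS mode. Assumptions not stated anywhere in the thread: hashlib is backed by OpenSSL, a FIPS-mode OpenSSL refuses MD5 for security use unless the caller passes usedforsecurity=False, and the iteration count is an illustrative tuning value.

```python
"""Memorized-secret verifier built only on primitives the platform crypto
module exposes, plus a probe for whether that module is enforcing FIPS mode.

Added example, not code from the mailing list thread. Assumptions (not
stated by the list): hashlib is backed by OpenSSL; a FIPS-mode OpenSSL
rejects MD5 for security use (Python 3.9+ exposes this through the
usedforsecurity keyword); PBKDF2 with HMAC-SHA-256 is the SP 800-132
password KDF, so every verifier-side operation here stays inside the
module's approved algorithm set.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # illustrative tuning value; set per your hardware
SALT_BYTES = 16
DK_LEN = 32


def fips_mode_probe() -> bool:
    """Heuristic: in FIPS mode OpenSSL refuses MD5 when it is used for security.

    Returns True when the module rejects MD5 (FIPS enforcement is on) and
    False when MD5 is still available. It says nothing about whether the
    module is a CMVP-validated build operated per its security policy;
    no runtime API answers that question.
    """
    try:
        hashlib.md5(b"probe", usedforsecurity=True)
    except ValueError:
        return True
    return False


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store scheme, iteration count, salt and derived key; never the password."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored record and compare in constant time.

    Any malformed record, unknown scheme or non-integer iteration count is
    treated as a failed verification rather than an exception.
    """
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    if iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("FIPS enforcement detected:", fips_mode_probe())
    rec = make_password_record("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("Tr0ub4dor&3", rec))
```

The probe only confirms that non-approved algorithms are being refused by the module the verifier process happens to be linked against. Evidence that the module is a validated build, and that it is configured the way its security policy requires, has to come from the module's CMVP certificate and the deployment configuration, not from the verifier's code.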
participants (5)
- Amanda Gay
- Bryan Rosensteel
- Jimmy Jung
- John Bradley
- Scott Shorter