|Subject||Status (Planned/Ongoing/Closed)||Information and Action required||Lead/Coordinator||Work Plan Production timelines||Reference Material||Notes/Comments||Background|
|IAF 1050 - IAF Overview and Glossary||Ongoing||Public Comment and IPR review closed on July 5 (45 days). Editors will work on the DoC.||Ken Dagg and Richard Wilsher||July 2019|
|Send feedback to NIST on 800-63-3||Completed||IAWG approved the 5 Reports to submit to NIST. Ken submitted the Reports to NIST on Wednesday, July 10.||Ken||July 2019||https://kantarainitiative.org/confluence/display/IAWG/Updated+Reports+for+Submission+to+NIST|
|DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile||Completed||IAWG comments on DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile.||Ken Dagg||Comments submitted on 2019-06-17||DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile|
|DIACC’s PCTF||Completed||DIACC Request for Review and Comment: Pan Canadian Trust Framework Model Overview||Ken Dagg||Comments submitted on 2019-03-15|
|GSA TFS Program Process and Procedures Docs.||Closed||KD||WIKI PAGE|
|Developing NIST 800-63-3 Implementation Guidance and Updates to SAC||Closed|
The IAWG has updated the Service Assessment Criteria (SAC) in response to the three memos containing implementation guidance with respect to interpreting the NIST 800-63-3 requirements at AL2 that were issued in the summer. T
After the approval of the changes by All Member Ballot, we have published 3 revisions in the SACs:
KIAF 1410 (CO-SAC) version 2.0;
KIAF 1430 (63A_SAC) version 3.0 and
KIAF 1440 (63B_SAC) version 3.0.
Summary of the changes:
1) KIAF 1410 version 2.0 (CO-SAC). The following changes are included in this revision, mostly in relation to the requirement that the CSP actually demonstrate the availability of the services:
a) ‘AL[2/3/4]_CO_NUI#020 Service Definition inclusions’ has been modified to specifically mention ‘Authentication’ and to accommodate separate availability specification for different components of an overall service, with ‘AL[2/3/4]_CO_SER#020 Demonstrated availability’ being introduced to require that availability be determined and therefore assessable.
b) Additional explanatory material added to §3.3;
The changes are shown with a grey background.
2) Regarding KIAF 1430 (63A_SAC) version 3.0 and KIAF 1440 (63B_SAC) version 3.0, we have consolidated the changes by recording the differences between v2.0 and v3.0; please see the 2 PDFs ending in "diffs".
The OP-SAC, KIAF 1420, did not change.
|Scott Shorter||https://kantarainitiative.org/confluence/display/IAWG/Developing+NIST+800-63-3+implementation+guidance+-+3+memos||In March Scott Shorter proposed the following scope of work for NIST 800-63-3 Implementation Guidance, with participation across the TFS community: To provide a forum for submission, discussion and publications of interpretation guidance with respect to NIST 800-63-3 on topic areas such as:|
a) Evaluating real types of evidence and verification/validation methods against 63A Tables 5-1, 5-2 and 5-3
b) Evaluating real types of authenticators, authentication protocols and authenticator lifecycle procedures against 63B requirements
c) Clarification of terminology that the source document leaves undefined or defines unclearly.
|Classic SAC - Service availability criterion applicability flaw||Closed||Discuss on Sep.13th: ALn_CM_CSM#040 applicability issue based on Richard Wilsher 8/9 email||Scott||TBC|
|IDESG- Kantara amalgamation and IDESG Trust Mark||Closed||On Jul 26th Colin introduced the process to take on the work artifacts, current workstreams, committees and membership of the IDESG and IAWG discussed possible impacts to the WG and IDESG a Kantara Trust Mark||Colin and Ken Dagg||https://kantarainitiative.org/7956-2/|
|DIACC RFP||Closed||Discuss on July 26th the DIACC Request for Proposal: Development of the Pan-Canadian Trust Framework||Andrew Hughes and Ken Dagg||TBC||https://diacc.ca/2018/07/23/rfp-pctf-community/|
|Release 800-63A Service Assessment Criteria (KIAF-1430 63A_SAC) and Identity Assurance Framework NIST SP 800-63B Service Assessment Criteria (KIAF-1440 63B_SAC).||Closed||KI SAC for 800-63-3 was approved by All Member Ballot on March 19th; IAF 1430 (63A_SAC) and IAF 1440 (63B_SAC) were published as planned on March 21st. Available for Members Only at https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework||Ken||March 21st||https://kantarainitiative.org/confluence/display/IAWG/800-63-3||Kantara has historically based its ‘Operational’ Service Assessment Criteria on a broad interpretation of NIST’s SP 800-63 rev.2. With SP 800-63 rev.3 coming into full effect from 2018-06-21, Kantara is gearing-up to extend its Trust Framework Program to also provide for assessments against 800-63 rev.3.|
Kantara has developed criteria which will be used for SP 800-63 rev.3 conformity assessments for identity proofing and authentication functions, at the respective AL2, i.e. against the strictly normative requirements of SP 800-63A and ’63B at IAL2 and AAL2 respectively.
One document addresses the NIST requirements in SP 800-63A (KIAF-1430 63A_SAC v1.0) and the other the requirements in SP 800-63B (KIAF-1440 63B_SAC v1.0).
|Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.||Closed||IAF-1410 and IAF-1420 were approved on March 1st by IAWG and were published with IAF 1430 and IAF 1440 on March 21st. Available at https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework||Scott||March 21st|
|NISTIR 8112 New release January 2018||Closed||IAWG decided they will not provide comments.||Ken||TBD||https://csrc.nist.gov/publications/detail/nistir/8112/final|
|List of requirements from ConOps and TF Certification Process drafts and recommendations||Planned|
Create a List of Requirements from ConOps and TF Certification Process
Analysis of impacts on Kantara’s TFOP.
Identify KI internal procedural amendments and changes to TFOP.
Make recommendations on revision of TFOP process and procedures.
|800-63-3 Sub-group||Closed||Dec. 14th IAWG approved 63A and 63B SACs for Public comment and IPR Review until Jan 29th||Richard Wilsher||Jan 29||WIKI PAGE||Dec. 15th release to 45-day Public Comment Period and IPR Review|
|Initiative to create a structure mapping between the KI IAF and other frameworks towards the improvement of comparability and IAF.next project||Planned||Meeting at Internet2 Global Summit April 23. ||Andrew||Proposed Meeting Goals:|
1) Confirm that the participating organizations and federations wish to continue to use a common structure for specification of rules for identity proofing, credential lifecycle management, identity information lifecycle management, credential verifiers/authentication and federation operations.
2) Discuss/decide on whether defining a common set of requirements that underpins our common IAF is a good objective
3) Analysis of the Kantara SAC. Review the implied requirements structure.
4) Decide on the path forward: resources, funding, organizational timing, other requirements.
5) Establish a Kantara WG to build out the requirements for IAF.next
|During the TIIME Meeting in Vienna in February 2017, the need to work together and find common ground among the informal profiles based on or inspired by the KI IAF, such as InCommon, GEANT, eIDAS, etc., was discussed. The interested parties will meet during Internet2 Global Summit (April 23-26, WDC US) and start creating a straw man for a structure mapping between the frameworks and the KI IAF, including a common catalogue of risks.|
|Charter review and update||Closed||Charter was approved by LC||Ken||https://kantarainitiative.org/confluence/display/idassurance/2014+IAWG+Charter||(AH suggested to focus on IAF as main objective, consider all innovations across the Identity space).|
|800-63-3 Public Review||Closed||Comments were submitted to NIST on March 31st. New deadline extension on 800-63-3 (Sections A,B and C are closed). IAWG submitted comments to NIST on May 1st.||Andrew and Ken||May 1st||https://pages.nist.gov/800-63-3/||IAWG Comment Wikipage||Working Plan: 1) Comment Period 2) Impact Analysis on IAF and Assurance program. //ARB was invited to engage on the review and comment period. Gathering comments methodology: general comments and then meetings dedicated to sections A, B and C (Feb 23rd. IAWG made general comments on 800-63-3. Scott will take notes of the discussions and comments during March and Ruth will help to compile them and add the final and approved comments to GitHub. March 2 IAWG reviewed SP 800-63A. On March 9th IAWG reviewed 800-63B. March 16th reviewed 800-63C). To follow up the discussions, please visit the IAWG Comment Wikipage: http://kantarainitiative.org/confluence/display/idassurance/800-63-3+KI+Comments+2017|
|SAC update project||Closed||D3 delivered||Ken and Richard||Consultants have finished D1, D2 and delivered first draft of D3.||Service Assessment Criteria project to improve usability and clarity of the criteria, which includes adding statements of risk mitigation objectives|
|Wiki refresh||Closed||Overview after NIST 800-63-3 comment period||Ruth||May 2017|
800-63-3 Potential impacts
|Planned||KD: Understand the potential gap (task IAWG volunteer or hire consultant). AH. How to approach it instead of getting a list of changes. 2 stages 1) 2-3 days PIR review, focus on "x" sections (someone competent and flexible). 2) Criteria review could take 60 or more days. Then come up with IAF 2.|
|IDEF Mapping to KI IAF - Operationalization||Closed for IAWG||Operationalization||Andrew||May 2017|
|Review of IDESG mapping to the KI IAF||Closed||Andrew||https://kantarainitiative.org/confluence/display/idassurance/IDESG+Mapping+to+KI+IAF?src=contextnavchildmode||February 9th IAWG approved the comments on the Mapping and Colin sent them to IDESG. January 15th: Andrew sent the spreadsheet containing draft comments to IDESG about the mapping of IDEF Baseline Requirements to IAF SAC to determine the amount of coverage an approved entity could expect to receive if applying to be listed on the IDESG Self-attestation Registry.||The purpose of the mapping spreadsheet is: |
- For a Kantara-approved CSP that wants to apply for recognition in the IDESG Registry, the requirements marked "Full" are deemed to be met by the CSP's Kantara Approval.
- For "Partial" requirements, the CSP needs to do additional work to meet the IDESG Requirement.
|NISTIR 8149||Closed||Scott||NISTIR 8149||*Colin submitted the comments to NIST on February 22nd. *February 9th IAWG approved the comments about NISTIR 8149 including the dissenting comments from Zygma. *Scott sent the first round of comments to IAWG on December 16th. *Richard Wilsher has commented the following on December 16th: "I feel compelled to observe that these remarks are far from the opinions I hold about this IR, and they don’t really come very close to those I thought I heard aired when the IR was discussed during an IAWG call some months back...."||IAWG Feb 9th meeting notes|
|IAWG Elections||Closed||Ken||Early March||Operating Procedures.||Candidates and nominations: Ken as Chair; Scott as Vice-Chair and Denny as Secretary||Call for Nominations|