|Subject||Status (Planned/Ongoing/Closed)||Information and Action required||Lead/Coordinator||Work Plan Production timelines||Reference Material||Notes/Comments||Background|
|Annual Charter Review||Ongoing||Confirm if the Charter needs a revision - https://kantarainitiative.org/confluence/display/IAWG/IAWG+Charter||Ken Dagg||2020-12-10|
|Consider Reviewing New Zealand's latest Digital Identity Standards||Planned||https://www.digital.govt.nz/standards-and-guidance/identification-management/||TBC||TBC|
|12-month review of all the criteria||Planned||12 month review of KI SACs||Richard Wilsher||TBC|
|Initial Inputs on UK digital identity and attributes trust framework (UK DCMS)||Completed||Sub-group developing comments on the drafts||2020-12-10|
|Consultation about proposed Australian Digital Identity legislation||Completed||Prepare response to the Consultation about proposed Australian Digital Identity legislation, see https://haveyoursay.digitalidentity.gov.au/||Ken||2020-12-18|
|IAWG Leadership Election||Closed||Nominees were appointed by acclamation.||Staff||2020-12-03||Operating Procedures|
|Overview of the Foster Bill with Jeremy Grant, Better Identity Coalition||Closed||Recording Available at: https://kantarainitiative.org/download/overview-of-the-foster-bill-with-jeremy-grant-better-identity-coalition-november-11th-2020/||Colin Wallis||2020-11-11||https://foster.house.gov/media/press-releases/foster-introduces-bipartisan-digital-identity-legislation|
|Province of Ontario (Canada) TBS Market Consultation for Digital Identity Ecosystem.||Closed||https://kantarainitiative.org/confluence/display/IAWG/Kantara+responses+to+the+Province+of+Ontario+Market+Consultation||Ken Dagg||November 16th|
|Comment and Review Scottish Government Digital Identity Scotland - Beta Stage||Closed||Kantara Response for DIS SAPS https://kantarainitiative.org/confluence/display/IAWG/Kantara+response+to+the+Scottish+Government+Engagement+Day+questions||Colin Wallis||2020-10-26||https://kantarainitiative.org/confluence/display/IAWG/Scottish+Government+digital+identity+strategy+and+requirements+-+Call+for+Comments|
|UK GDS drafts||Open - waiting for drafts||Identity and Attributes Exchange (IAX) drafts||Ken||TBC||https://kantarainitiative.org/confluence/display/IAWG/UK+GDS|
|UK DCMS Digital identity policy development||Closed||DCMS Digital Identity policy development - See Kantara Response: https://kantarainitiative.org/confluence/display/IAWG/Kantara+response+to+UK+DMCS+questionnaire+on+Digital+Identity+policy-+2020||Mark King and Colin||October 12th|
|EU Public Consultation on eIDAS regulation||Closed||On October 1st, IAWG comments were submitted to the European Commission https://kantarainitiative.org/confluence/display/IAWG/Kantara+Comments+on+eIDAS+regulation+-+20201001||Mark King||Deadline for Comments: October 2nd||https://ec.europa.eu/digital-single-market/en/news/digital-identity-and-trust-commission-launches-public-consultation-eidas-regulation|
|xAL3 criteria (AAL3, IAL3, FAL3)||Closed||IAF Major release on Thursday, October 15th||Richard Wilsher||October 2020|
|Approve Revised Glossary||Closed||IAWG approval on 2020-08-13: https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=132743335||Richard Wilsher||August 13th|
|Review SoCA Templates||Closed||Statement of Criteria Applicability templates: https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=133366169||Richard Wilsher||TBC|
|Provide Comments on NIST 800-63-3||Closed||See Kantara Comments and proposed changes to SP 800-63-3 to ultimately lead to Revision 4 here: https://kantarainitiative.org/confluence/display/IAWG/Kantara+Initiative+Comments+with+Proposed+Changes+to+SP+800-63+Rev3||Ken||Deadline for Comments: August 10th, 2020||https://csrc.nist.gov/publications/detail/sp/800-63/4/draft|
|63C_SAC at FAL2 Public Comment and IPR Review||Closed||2020-06-03: IAWG Approved KIAF NIST SP 800-63C Service Assessment Criteria at FAL2; KIAF 1450. It was under Public Comment and IPR Review (45 days) until July 24th. No comments were received.||Ken and Richard||July 2020||https://kantarainitiative.org/confluence/display/IAWG/KIAF+1450+-+63C_FAL2|
|xAL3 SAC development Subgroup||Closed||Conclusion of the Work of the XAL3 Sub Group. The subgroup completed the AAL3 and FAL3 review on 2020-07-22. IAWG approved IAL3 on 2020-07-09.||Ken and Richard||Started: 2020-06-03 Completion: September 2020 TBC||https://kantarainitiative.org/confluence/display/IAWG/xAL3+SAC+sub-group|
|Request for Review and Comment: 63A_SAC at IAL2 and IAL3||Closed||https://kantarainitiative.org/confluence/display/IAWG/Request+for+Review+and+Comment:+63A_SAC+at+IAL2+and+IAL3||Richard||Closed on 2020-07-02|
|DIACC request for comment on new PCTF component||Closed||DIACC request for comment and IPR Review on the Credentials (Relationships & Attributes) Draft Recommendations, which describe requirements for processes related to attributes and relationships and provide criteria to measure compliance with those requirements. IAWG is preparing comments (continue discussion on 2020-06-18).||Ken||Comments are due by July 2, 2020 at 23:59PT.||https://diacc.ca/2020/06/01/credentials-overview-conformance-draft-recommendations/|
|Review and Comment on PCTF Verified Person, Privacy, and Glossary Draft Recommendations V1.0.||Closed||IAWG submitted comments to DIACC on April 16th.||Ken||Closes: April 30, 2020 at 23:59 PST||https://diacc.ca/interoperability/verified-person-privacy-glossary-draft-recommendations/|
|ARB findings on OP-SAC related to Classic at LoA3||Closed||ARB has found that the Classic OP-SAC AL3_CM_CRN#040 (token strength) and AL3_CM_CRN#050 (Onetime password strength) might provide insufficient protection against security risks, such as phishing attacks. ARB therefore asked IAWG for guidance on whether a) ARB should recommend to the CSP that, in addition to fulfilling all requirements in the SAC, it should closely follow the evolving landscape around phishing-resistant authentication technologies, or b) IAWG will develop guidance in this regard. IAWG discussed the issue on 2020-02-20. IAWG added a phrase to item g) in the list of AL3_CM_CTR#020 Protocol threat risk assessment and controls. Richard sent the new wording to IAWG on March 21st. The IAWG approved the updated text of the OP-SAC on March 26, 2020.||Richard Wilsher||March 2020||IAF 1420 - OP-SAC|
|Review and Comment on PCTF organization component||Closed||IAWG Comments on PCTF organization component submitted to DIACC on March 17th, 2020||Ken||Deadline: March 19th||https://diacc.ca/interoperability/verified-organization-overview-conformance-draft-recommendations/|
|Review and Comment on UK GDS document||Closed|
Provided input to UK Government Digital Services on
their GPG44 (Using authenticators to protect an online
|Ken||End of February||https://www.gov.uk/government/publications/authentication-credentials-for-online-government-services|
|Comments on Verified Login Component and Conformance Profile of the Pan Canadian Trust Framework (PCTF)||Closed||IAWG Comments on the updated PCTF Verified Login Component and Conformance Profile were submitted to DIACC on 2020-01-17. You can see the comments here: |
|Ken Dagg||January 16th 2020||https://kantarainitiative.org/confluence/display/IAWG/Comments+to+DIACC+on+PCTF+Verified+Login+Component+and+Conformance+Profile+v1.0|
|IAF 1050 - IAF Overview and Glossary||Closed||Approved by AMB on 2019-11-26. Ready to be published||Ken Dagg and Richard Wilsher|
|UK DCMS Call for evidence on Digital Identity||Closed||https://kantarainitiative.org/confluence/display/IAWG/Kantara+response+to+UK+DCMS%27s+Digital+Identity+CfE+-+2019||Ken Dagg and Colin|
|DIACC request for review and comment: PCTF Privacy Component Overview & Conformance Profile.||Closed||https://kantarainitiative.org/confluence/display/IAWG/Comments+to+DIACC+on+PCTF+-+2019||Ken Dagg|
|Send feedback to NIST on 800-63-3||Closed||https://kantarainitiative.org/confluence/display/IAWG/Feedback+to+NIST+2019+and+follow+up+process||Ken||July 2019||https://kantarainitiative.org/confluence/display/IAWG/Updated+Reports+for+Submission+to+NIST|
|DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile||Closed||IAWG comments on DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile.||Ken Dagg||Comments submitted on 2019-06-17||DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile|
|DIACC’s PCTF||Closed||DIACC Request for Review and Comment: Pan Canadian Trust Framework Model Overview||Ken Dagg||Comments submitted on 2019-03-15|
|GSA TFS Program Process and Procedures Docs.||Closed||KD||WIKI PAGE|
|Developing NIST 800-63-3 Implementation Guidance and Updates to SAC||Closed|
The IAWG has updated the Service Assessment Criteria (SAC) in response to the three memos containing implementation guidance with respect to interpreting the NIST 800-63-3 requirements at AL2 that were issued in the summer. T
After the approval of the changes by All Member Ballot, we have published 3 revisions in the SACs:
KIAF 1410 (CO-SAC) version 2.0;
KIAF 1430 (63A_SAC) version 3.0 and
KIAF 1440 (63B_SAC) version 3.0.
Summary of the changes:
1) KIAF 1410 version 2.0 (CO-SAC). The following changes are included in this revision, mostly in relation to the requirement that the CSP actually demonstrate the availability of the services:
a) ‘AL[2/3/4]_CO_NUI#020 Service Definition inclusions’ has been modified to specifically mention ‘Authentication’ and to accommodate separate availability specification for different components of an overall service, with ‘AL[2/3/4]_CO_SER#020 Demonstrated availability’ being introduced to require that availability be determined and therefore assessable.
b) Additional explanatory material added to §3.3;
You will see the changes with grey background.
2) Regarding KIAF 1430 (63A_SAC) version 3.0 and KIAF 1440 (63B_SAC) version 3.0, we have consolidated the changes by recording the differences between v2.0 and v3.0; please see the 2 PDFs ending in "diffs".
The OP-SAC, KIAF 1420, did not change.
|Scott Shorter||https://kantarainitiative.org/confluence/display/IAWG/Developing+NIST+800-63-3+implementation+guidance+-+3+memos||In March Scott Shorter proposed the following scope of work for NIST 800-63-3 Implementation Guidance, with participation across the TFS community: To provide a forum for submission, discussion and publications of interpretation guidance with respect to NIST 800-63-3 on topic areas such as:|
a) Evaluating real types of evidence and verification/validation methods against 63A Tables 5-1, 5-2 and 5-3
b) Evaluating real types of authenticators, authentication protocols and authenticator lifecycle procedures against 63B requirements
c) Clarification of terminology that the source document leaves undefined or defines unclearly.
|Classic SAC - Service availability criterion applicability flaw||Closed||Discuss on Sep.13th: ALn_CM_CSM#040 applicability issue based on Richard Wilsher 8/9 email||Scott||TBC|
|IDESG- Kantara amalgamation and IDESG Trust Mark||Closed||On Jul 26th Colin introduced the process to take on the work artifacts, current workstreams, committees and membership of the IDESG and IAWG discussed possible impacts to the WG and IDESG a Kantara Trust Mark||Colin and Ken Dagg||https://kantarainitiative.org/7956-2/|
|DIACC RFP||Closed||Discuss on July 26th the DIACC Request for Proposal: Development of the Pan-Canadian Trust Framework||Andrew Hughes and Ken Dagg||TBC||https://diacc.ca/2018/07/23/rfp-pctf-community/|
|Release 800-63A Service Assessment Criteria (KIAF-1430 63A_SAC) and Identity Assurance Framework NIST SP 800-63B Service Assessment Criteria (KIAF-1440 63B_SAC).||Closed||KI SAC for 800-63-3 was approved by All Member Ballot on March 19th; IAF 1430 (63A_SAC) and IAF 1440 (63B_SAC) were published as planned on March 21st. Available for Members Only at https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework||Ken||March 21st||https://kantarainitiative.org/confluence/display/IAWG/800-63-3||Kantara has historically based its ‘Operational’ Service Assessment Criteria on a broad interpretation of NIST’s SP 800-63 rev.2. With SP 800-63 rev.3 coming into full effect from 2018-06-21, Kantara is gearing-up to extend its Trust Framework Program to also provide for assessments against 800-63 rev.3.|
Kantara has developed criteria which will be used for SP 800-63 rev.3 conformity assessments for identity proofing and authentication functions, at the respective AL2, i.e. against the strictly normative requirements of SP 800-63A and ’63B at IAL2 and AAL2 respectively.
One document addresses the NIST requirements in SP 800-63A (KIAF-1430 63A_SAC v1.0) and the other the requirements in SP 800-63B (KIAF-1440 63B_SAC v1.0).
|Refinement of CO-SAC IAF-1400 (non-material change) and Repackaging into IAF-1410 and IAF-1420.||Closed||IAF-1410 and IAF-1420 were approved on March 1st by IAWG and were published with IAF 1430 and IAF 1440 on March 21st. Available at https://kantarainitiative.org/confluence/display/LC/Identity+Assurance+Framework||Scott||March 21st|
|NISTIR 8112 New release January 2018||Closed||IAWG decided they will not provide comments.||Ken||TBD||https://csrc.nist.gov/publications/detail/nistir/8112/final|
|List of requirements from ConOps and TF Certification Process drafts and recommendations||Planned|
Create a List of Requirements from ConOps and TF Certification Process
Analysis of impacts on Kantara’s TFOP.
Identify KI internal procedural amendments and changes to TFOP.
Make recommendations on revision of TFOP process and procedures.
|800-63-3 Sub-group||Closed||Dec. 14th IAWG approved 63A and 63B SACs for Public comment and IPR Review until Jan 29th||Richard Wilsher||Jan 29||WIKI PAGE||Dec. 15th release to 45-day Public Comment Period and IPR Review|
|Initiative to create a structure mapping between the KI IAF and other frameworks towards the improvement of comparability and IAF.next project||Planned||Meeting at Internet2 Global Summit April 23. ||Andrew||Proposed Meeting Goals:|
1) Confirm that the participating organizations and federations wish to continue to use a common structure for specification of rules for identity proofing, credential lifecycle management, identity information lifecycle management, credential verifiers/authentication and federation operations.
2) Discuss/decide on whether defining a common set of requirements that underpins our common IAF is a good objective
3) Analysis of the Kantara SAC. Review the implied requirements structure.
4) Decide on the path forward: resources, funding, organizational timing, other requirements.
5) Establish a Kantara WG to build out the requirements for IAF.next
|During the TIIME Meeting in Vienna, February 2017, the need to work together and find common ground among the informal profiles based on or inspired by the KI IAF, such as InCommon, GEANT, eIDAS, etc., was discussed. The interested parties will meet during Internet2 Global Summit (April 23-26, WDC US) and start creating a straw man for a structure mapping between the frameworks and the KI IAF, including a common catalogue of risks.|
|Charter review and update||Closed||Charter was approved by LC||Ken||https://kantarainitiative.org/confluence/display/idassurance/2014+IAWG+Charter||(AH suggested to focus on IAF as main objective, consider all innovations across the Identity space).|
|800-63-3 Public Review||Closed||Comments were submitted to NIST on March 31st. New deadline extension on 800-63-3 (Sections A,B and C are closed). IAWG submitted comments to NIST on May 1st.||Andrew and Ken||May 1st||https://pages.nist.gov/800-63-3/||IAWG Comment Wikipage||Working Plan: 1) Comment Period 2) Impact Analysis on IAF and Assurance program. //ARB was invited to engage on the review and comment period. Gathering comments methodology: general comments and then meetings dedicated to sections A, B and C (Feb 23rd. IAWG made general comments on 800-63-3. Scott will take notes of the discussions and comments during March and Ruth will help to compile them and add the final and approved comments to GitHub. March 2 IAWG reviewed SP 800-63A. On March 9th IAWG reviewed 800-63B. March 16th reviewed 800-63C). To follow up the discussions, please visit the IAWG Comment Wikipage: http://kantarainitiative.org/confluence/display/idassurance/800-63-3+KI+Comments+2017|
|SAC update project||Closed||D3 delivered||Ken and Richard||Consultants have finished D1, D2 and delivered first draft of D3.||Service Assessment Criteria project to improve usability and clarity of the criteria, which includes adding statements of risk mitigation objectives|
|Wiki refresh||Closed||Overview after NIST 800-63-3 comment period||Ruth||May 2017|
800-63-3 Potential impacts
|Closed||KD: Understand the potential gap (task IAWG volunteer or hire consultant). AH. How to approach it instead of getting a list of changes. 2 stages 1) 2-3 days PIR review, focus on "x" sections (someone competent and flexible). 2) Criteria review could take 60 or more days. Then come up with IAF 2.|
|IDEF Mapping to KI IAF - Operationalization||Closed for IAWG||Operationalization||Andrew||May 2017|
|Review of IDESG mapping to the KI IAF||Closed||Andrew||https://kantarainitiative.org/confluence/display/idassurance/IDESG+Mapping+to+KI+IAF?src=contextnavchildmode||February 9th IAWG approved the comments on the Mapping and Colin sent them to IDESG. January 15th: Andrew sent the spreadsheet containing draft comments to IDESG about the mapping of IDEF Baseline Requirements to IAF SAC to determine the amount of coverage an approved entity could expect to receive if applying to be listed on the IDESG Self-attestation Registry.||The purpose of the mapping spreadsheet is: |
- For a Kantara-approved CSP that wants to apply for recognition in the IDESG Registry, the requirements marked "Full" are deemed to be met by the CSP's Kantara Approval.
- For "Partial" requirements, the CSP needs to do additional work to meet the IDESG Requirement.
|NISTIR 8149||Closed||Scott||NISTIR 8149||*Colin submitted the comments to NIST on February 22nd. *February 9th IAWG approved the comments about NISTIR 8149 including the dissenting comments from Zygma. *Scott sent the first round of comments to IAWG on December 16th. *Richard Wilsher has commented the following on December 16th: "I feel compelled to observe that these remarks are far from the opinions I hold about this IR, and they don’t really come very close to those I thought I heard aired when the IR was discussed during an IAWG call some months back...."||IAWG Feb 9th meeting notes|
|IAWG Elections||Closed||Ken||Early March||Operating Procedures.||Candidates and nominations: Ken as Chair; Scott as Vice-Chair and Denny as Secretary||Call for Nominations|