Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2017: Session 1 "Son-of-IAF"

(Leif Johansson, Collin Wallis)**

All this is based on the Kantara IAF. Restructuring the framework, putting it back together anew.

We need a new way of looking at the IAF, start from scratch basically.

Extensibility is important, a platform to base things on.

VOT (Vectors of Trust): each concern is assigned to a set of requirements, with the possibility of adding more requirements.What is the IAF?

Requirements -> can be evaluated with a Conformity Assessment Scheme (criteria)

-> These two are intertwined in the current Kantara model.

  • Conformity
  • Assessment
  • Program/Process

Are the assessment rules only accepted by third parties?

Proposal :

The profile happens together with the criteria, and is very specific.

A profile should define a scope of applicability and only address a subset of requirements to make it more specific.

A profile can be response to a selection of risks.

Are there actually a common set of requirements for things as they are now? Does it make sense to keep it common?

Talking about Risk Assessment :

Not all systems are the same, not all purposes have the same potential for exposing risks.

There needs to be a way to enumerate things. The only thing that needs to be fixed and agreed on is naming and numbering, and a fundamental set of requirements.

There is a list of Risks & Threats in the standard which needs updating and extending.

The big question is how to get from where we are to this proposed new model.

Address the same catalogue as the original Kantara IAF, however it doesn't make sense to transfer everything. Some profiles do not make sense to keep, because they do not address actual needs, others can just be referred to in the old model.

In practice organisations already make up their own models, because some of the standards do not necessarily make sense.

Kantara would be a better place to publish a new proposal, having a broader scope.

There should not be restrictions on organisations submitting their own assessment rules, if their consumers accept it, because it is expensive to get third party assessments.

Next steps: Internet2 Global Summit in Washington DC at the end of April, as a meeting place for working further on the discussed topic.