
oasis-charter-discuss message



Subject: Proposed Charter for OASIS Biometric Open Protocol (BOPS) TC


Please find the enclosed comment on the proposed charter:

Statement of Purpose:

1. This charter is very hard to understand relative to “the purpose”; it is very unclear if this charter is about identification or about authentication or even authorization, or maybe you are trying to do all these things? Suggest you clarify the exact purpose of this TC. Reading through the whole charter it seems the proposal is to create something that provides identity assertions, role gathering, multilevel access control and auditing. Also it will provide continuous protection of resources and assure placement and viability of adjudication and other key features. Later in the deliverables section you also talk about “criteria necessary for intrusion detection”. So I’m very confused as to what this TC is really proposing to do.

2. The charter states that there “are some” use cases that require the enterprise or the provider to store the biometric information on the local server, but never gives any examples of these use cases. For the most part the industry has chosen not to have biometric data leave the local device due to privacy concerns; this charter does not address the privacy concerns or even mention any privacy issues.

3. It is unclear if this effort is geared towards consumers, developers or enterprises, as the wording changes throughout the charter.

4. It is very unclear if this charter is about developing APIs or a protocol, or maybe both? The TC name indicates a protocol but the charter talks about an API.

5. The charter says that the aim is “to protect digital assets and digital identities on the server”, so it’s not clear what this means; is this an authorization mechanism?

6. “BOPS will define a biometrics-agnostic standard API for registered developers”: not sure what a registered developer is? Suggest you clarify.

7. “BOPS will not compete with other standards like FIDO”: not sure what this means, since this is an actual alternative to FIDO. I understand it is going after a different, undefined use case, but the charter indicates that it will be creating a new API and protocol, thus it seems it will be competing with other standards. Suggest that this sentence be removed.

8. “BOPS may be used as the sole security mechanism”, and in the paragraph prior to this you state that TLS/SSL or secure transport is needed and that the BOPS server must be protected against threats and attacks, so it is unclear what you mean by sole security mechanism.


Scope:

1. “communicates with a trusted BOPS server”: not sure what a trusted BOPS server is, since it’s not within the scope of the charter for a deliverable.

2. “develop the BOPS standard”: is this an API, a protocol or something else?

3. “the scope does not consider the how”, but above that you say how this standard will be built, which states “servlet specification, open secure sockets layer, java, etc….” This does not make sense, as you also state “independent of implementation”.


Deliverables:

1. “The deliverable is an end-to-end specification”, so is this a single specification or multiple? This also talks about a “solution”, yet the scope says that this is not about the “how”, so not sure what you mean by solution.

2. “Development of Interoperability profiles for OASIS Trust Evaluation Protocol FIDO, SAML, OpenID Connect and OAUTH”: not sure what this means, since each of these that are listed are protocols themselves, so does this mean that you will be suggesting how BOPS would work over one of the existing protocols or how the existing protocols would work over the BOPS protocol?


TC Proposers:

1. Don Thibeaux: I assume you mean Don Thibeau. Also Don does not have the ability to represent Open Identity Exchange, so Don would have to represent himself, and I’m not sure of his OASIS status as an individual member.


