
Subject: Re: [oasis-charter-discuss] Re: Notes from ESAT convener call 10/14/2020


Hey Jason - Here is the text of Ken Granger's suggestion:

---
The NIST 800-63-3 publication mentions the use of QR codes twice, both in the context of Out-of-Band devices and authenticators. The mentions include:
The fundamental difference between NIST's guidance on the use of QR codes and the position of the Oasis TC is this; NIST 800-63-3 states that the claimant receives a secret via the primary authentication channel and uses the QR code as a transfer mechanism to share said secret. The Oasis TC is not advocating the use of QR scans to exchange shared secrets, but rather as a transport vehicle to assert a user identity based on the public/private keys used to bind a users' identity to their authenticator app. The approach recommended by the Oasis TC involves the QR payload to consist of a session ID and completely absent of PII. When the QR is scanned, a GUID representing the claimant is passed through the secondary channel and ultimately to the primary relying party. The claimant is then challenged for user presence via the OS security of the authenticator device.
---

And here is how I fit it into sect 2.a. Note that this hasn't been circulated for the group's review and approval yet:

---
(2)(a) Identification of Similar Work

There is no direct work in other standards bodies that overlaps with the ESAT TC. There are some efforts done by various researchers that look into security consideration for DID authentication using QR codes.

<added paragraph> In particular, NIST 800-63-3 publication mentions the use of QR codes twice, both in the context of Out-of-Band devices and authenticators. The fundamental difference for this TC is that, where NIST 800-63-3 states that the claimant receives a secret via the primary authentication channel and uses the QR code as a transfer mechanism to share said secret, the OASIS TC is not advocating the use of QR scans to exchange shared secrets. Rather, the TC sees QR scans as a transport vehicle to assert a user identity based on the public/private keys used to bind a users' identity to their authenticator app. The approach recommended by the TC involves the QR payload to consist of a session ID and completely absent of PII. When the QR is scanned, a GUID representing the claimant is passed through the secondary channel and ultimately to the primary relying party. The claimant is then challenged for user presence via the OS security of the authenticator device.

---

/chet

On Thu, Oct 15, 2020 at 3:40 PM Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
Hi folks;

"
We reviewed the comments received. For comment 3 from Jason Keirstead on how this relates to NIST 800-63-3, Abbie shared text from Ken Granger (Trusona) providing a response. The attendees agreed to adopt language from that reply into the charter to address the comment.
"

Can someone provide this text? I haven't seen it on the mailing list...

Thanks;

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

Co-Chair - Open Cybersecurity Alliance, Project Governing Board
----- Original message -----
From: "Barbir, Abbie" <BarbirA@aetna.com>
Sent by: <oasis-charter-discuss@lists.oasis-open.org>
To: Chet Ensign <chet.ensign@oasis-open.org>, OASIS Charter Discuss List <oasis-charter-discuss@lists.oasis-open.org>, Duncan <duncan@sfractal.com>, Jason Burnett <jsburnett@digitaltrust.net>, John Sabo <john.sabo711@yahoo.com>, Anil Saldanha <anilsaldhana@gmail.com>, Bojan Simic <bojan@hypr.com>, "spencer.yezo@bofa.com" <spencer.yezo@bofa.com>, Ori Eisen <o@trusona.com>, "TAKECHI HIROSHI(武智 洋)" <h-takechi@nec.com>, "Lauri Korts-Pärn" <lauri@cyberdefense.jp>, Ken Granger <ken.granger@trusona.com>, "Verry, Erick" <emverry@aetna.com>, Dee Schur <dee.schur@oasis-open.org>
Cc:
Subject: [oasis-charter-discuss] Re: [EXTERNAL] Notes from ESAT convener call 10/14/2020
Date: Thu, Oct 15, 2020 4:34 PM

Look good thank you

From: Chet Ensign <chet.ensign@oasis-open.org>
Sent: Thursday, October 15, 2020 3:32:53 PM
To: OASIS Charter Discuss List <oasis-charter-discuss@lists.oasis-open.org>; Duncan <duncan@sfractal.com>; Barbir, Abbie <BarbirA@aetna.com>; Jason Burnett <jsburnett@digitaltrust.net>; John Sabo <john.sabo711@yahoo.com>; Anil Saldanha <anilsaldhana@gmail.com>; Bojan Simic <bojan@hypr.com>; spencer.yezo@bofa.com <spencer.yezo@bofa.com>; Ori Eisen <o@trusona.com>; TAKECHI HIROSHI(武智 洋) <h-takechi@nec.com>; Lauri Korts-Pärn <lauri@cyberdefense.jp>; Ken Granger <ken.granger@trusona.com>; Verry, Erick <emverry@aetna.com>; Dee Schur <dee.schur@oasis-open.org>
Subject: [EXTERNAL] Notes from ESAT convener call 10/14/2020

* Agenda:

- Roll call
- Review comments & decide on next steps
- TC Launch Timeline & final 1st meeting date
- TC Resources
- Next Steps

* Roll call:

Abbie Barbir (convener), Jason Burnett, Ori Eisen, Ken Granger, Lauri Korts-Pärn, John Sabo, Bojan Simic, Duncan Sparrell, Hiroshi Takechi

* Review comments received and decide on changes to charter

We reviewed the comments received. For comment 3 from Jason Keirstead on how this relates to NIST 800-63-3, Abbie shared text from Ken Granger (Trusona) providing a response. The attendees agreed to adopt language from that reply into the charter to address the comment.

For comment 1, requesting adding European eIDAS to the specifications that will be considered, the attendees accepted the comment and agreed to add the suggested text.

For comment 2, grammatical change, the attendees accepted the comment and agreed to make the change.

We discussed a new target date for the first meeting. Attendees agreed on Thursday, Nov. 19th at 7:00 PM Eastern.

Chet will work with the proposers to incorporate these changes into the charter.

* TC launch timeline

Chet recapped the next steps and dates leading up to the first meeting. Confirmed that the TC can request affiliation with the Member Section at the first meeting.

* TC Resources

Chet explained that the TC Kavi group will be online when the call for participation so that members can join right away.

* Next steps

Chet will work with proposers to complete the charter. Chet will work with Abbie to get the comment resolution log completed and loaded to the oasis-charter-discuss group. Chet will get the Kavi collaboration group set up and send out the Call for Participation.

--

/chet
----------------
Chet Ensign
Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society
http://www.oasis-open.org

Mobile: +1 201-341-1393