trust-el message

Subject: Notes for January 26th call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

26 January, 2012

 

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat  - y

Brendan Peter, CA Technologies

Carl Mattocks, Bofa  - y

Cathy Tilton, Daon

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y

Dale Rickards, Verizon Business - y  

David Brossard, Axiomatics - y

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Ed Coyne, Dept Veterans Affairs - y 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam 

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH  - y

Nick Pope, Thales e-Security

Peter Alterman, NIST 

Rebecca Nielsen, Booz Allen Hamilton  

Rich Furr, SAFE-BioPharma Assn

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp)  - y

Tony Rutkowski

Thomas Hardjono, M.I.T.  - y

William Barnhill, Booz Allen Hamilton

Bob Sunday – y

 

61 percent of the voting members were present at the meeting.  We did have quorum.

 

2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el ; the chat room text is included at the end of the minutes.

Abbie proposed adding a new item: he wants to take two minutes to update the TC on the next face-to-face meeting.

**Action item to confirm CA as host for the second day and NIST for the first day.  This needs to be finalized so it can be put on the TC event list.

For the next TC call, we need to confirm Bofa as a presenter to provide background on ISO 368, so we will know how trust elevation is done in that part of the world.

There are still weaknesses [in our collection of method examples] in mobile and endpoint security.  We are hoping Intel will provide input on that component of our work. We can take this offline.  The goal is to get these new examples incorporated and wrap up a version of the first deliverable to have for discussion at the F2F in March.

No comments.  Agreement assumed.
 
3. Approve Minutes

There were no objections.  The minutes were approved.

4. Presentation on "Registering for Verizon Universal Identity Services  (UIS)"

(document at http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php) by  Dale Rickards

Abbie introduced Dale.

Dale explained that her talk is about how Verizon does trust elevation online within the US.

Slide 2, the focus is on non-PKI credentials.  Verizon is approved for LOA-1, 2 and non-PKI 3 by FICAM under the Kantara Trust Framework. The demo uses SMS OTP sent to a mobile phone.

Slide 3, registration.  User is required to provide more information to confirm their identity.  NIST 800-63 does not require KBA.  Verizon has chosen to use KBA to further approve identity.

Slide 4, all users start the process by providing basic info. The mobile number provided will be used later to send an SMS one-time password to the user’s phone.

Slide 5, the user selects a username and password. Verizon has an OTP app that can be downloaded from the web.

Slide 6, Verizon also collects security questions that are used to support the user if the user forgets their password or needs to call the helpdesk.

Slide 7, the user selects the method to receive the OTP. The example being shown is only one of many options. The user receives the OTP via phone. They must select at least one OTP method.

Slide 8, Verizon confirms that the mobile phone is able to receive messages, and the user is asked to confirm that.

Slide 9, the OTP is sent to the mobile phone and is displayed on the screen.

Slide 10, the OTP must be put into the OTP registration box. They have 5 minutes to confirm possession.  Once confirmed, the OTP device is active. At this point, the user has an LOA-1 credential.  To elevate to LOA-3, they must provide the last 4 digits of their SOC and month of birth. The system checks that the name with the SOC matches their first and last name, that they are not deceased, and verifies their address.  It also checks that the SOC was not issued before the user was born and is unique.  It also checks that the user is above a defined age threshold, and that their zip code is on the list for the state.  If there is an issue, then they need to provide the full SOC and DOB. In this example, they match phone info to the provided info. If the user exits before completing this process, they just have the LOA-1 credential, and can go through the process later.

Slide 13, if this is completed successfully, the user is now at LOA-2.

Slide 14, to obtain an LOA-3 credential, the user must successfully complete KBA.  The KBA is random and dynamic multiple choice from data provided by public and private 3rd-party databases.  The user must get 4 out of 5 correct. The user gets a second chance, but two of the questions will have been changed.  If they fail, they can be handled by a Notary Public.

Slide 15, if passed, the user is presented with a confirmation screen.

Slide 16, they now have an LOA-3 credential.

Slide 17, via the profile manager, they can change their OTP process so they can choose a land line. Also, if a user is LOA-1 or 2, they can elevate trust by performing the SOC, DOB, KBA process.

Moving ahead, some of the challenges are that this is currently only available in the US due to privacy law. They can’t get access to enough records to do this outside the US.  They are investigating other options besides F2F identity proofing.  They are looking at government ID cards in France and Belgium, and also the know-your-customer rules for the US financial services industry.  They are also working with OIX and OASIS and EU organizations on solutions for elevating trust and identity.
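The elevation flow summarised on slides 10 to 17 (OTP possession within 5 minutes for LOA-1, record checks on the last 4 digits and birth month for LOA-2, KBA with 4 of 5 correct and one retry with two changed questions for LOA-3, notary fallback), as an added Python model that is not part of the minutes or Verizon's own code. The record set, the ZIP list and the age threshold MIN_AGE are constructed assumptions; the window and KBA thresholds are the ones stated in the notes above.

```python
# Added example, not from the minutes or Verizon: model of the OTP / LOA-2 / LOA-3
# flow in the presentation notes. Window and KBA thresholds are from the minutes;
# records, MIN_AGE and the ZIP list are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

OTP_WINDOW = timedelta(minutes=5)        # "5 minutes to confirm possession"
KBA_PASS, KBA_SWAP, KBA_MAX = 4, 2, 2    # 4 of 5 correct; retry changes 2 questions
MIN_AGE = 18                             # assumed; the minutes give no value

@dataclass
class Enrollment:
    loa: int = 0
    otp: str = ""                        # empty once consumed or never sent
    otp_sent: datetime = datetime.min
    kba_attempts: int = 0
    last_qids: list = field(default_factory=list)
    needs_notary: bool = False

def confirm_otp(e: Enrollment, entered: str, now: datetime) -> bool:
    """Slide 10: OTP must be entered within 5 minutes; success yields LOA-1."""
    if not e.otp or now - e.otp_sent > OTP_WINDOW or entered != e.otp:
        return False
    e.otp = ""                           # one-time: the same code cannot be replayed
    e.loa = max(e.loa, 1)
    return True

def elevate_loa2(e: Enrollment, claimed: dict, records: list, state_zips: dict, today: date) -> bool:
    """Slide 10 record checks on SSN last 4 + birth month; success yields LOA-2."""
    if e.loa < 1:                        # OTP device must already be active
        return False
    hits = [r for r in records if r["ssn_last4"] == claimed["ssn_last4"]
            and r["dob"].month == claimed["birth_month"]]
    if len(hits) != 1:                   # the number must resolve to a unique record
        return False
    r = hits[0]
    age = today.year - r["dob"].year - ((today.month, today.day) < (r["dob"].month, r["dob"].day))
    ok = (r["first"], r["last"]) == (claimed["first"], claimed["last"]) \
        and not r["deceased"] and r["address"] == claimed["address"] \
        and r["ssn_issued"] >= r["dob"] and age >= MIN_AGE \
        and claimed["zip"] in state_zips.get(claimed["state"], set())
    if ok:
        e.loa = 2
    return ok

def kba_round(e: Enrollment, qids: list, answers: list, key: dict) -> bool:
    """Slide 14: 4 of 5 correct; one retry with two changed questions; else notary."""
    if e.loa < 2 or e.needs_notary or e.kba_attempts >= KBA_MAX:
        return False
    if e.kba_attempts and len(set(qids) - set(e.last_qids)) < KBA_SWAP:
        raise ValueError("retry must change at least two questions")
    e.kba_attempts += 1
    e.last_qids = list(qids)
    if sum(key[q] == a for q, a in zip(qids, answers)) >= KBA_PASS:
        e.loa = 3
        return True
    if e.kba_attempts == KBA_MAX:
        e.needs_notary = True            # fallback is F2F proofing by a Notary Public
    return False
```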

Dale asked for questions.

Abbie asked if they were using information from outside databases.

Dale said they are using a 3rd-party verification provider like LexisNexis and Acxiom. They send this info to a 3rd party that does an initial search of the user.

Abbie asked how they tied this to the user’s phone.   Why do you use LexisNexis rather than the information they provided when they subscribed to the phone?

Dale explained that Verizon is a large company and the divisions are separate from each other. We are looking at attribute exchange between divisions, but aren’t doing it yet, as they would need to set up legal agreements between the parts of Verizon.

Abbie commented that they would need to change the user consent forms used when the person became a phone customer.

Dale said the user has to agree to T&Cs and an end user agreement that points back to Verizon’s overall T&Cs and privacy policy.

Abbie asked if the questions at LOA-3 were fixed.

Dale said the questions are dynamic.  Each time the user gets different questions.

Abbie asked what the success rate was at LOA-3.

Dale said the success rate is ~70%. The questions are quite difficult. She has sat with people going through them. An example question is: in the 1960’s, of these addresses, which did you not live at.  They have the back-up of a F2F notary.  The challenge is how to do this online.  If they need to meet F2F, there is a loss of dollars and time.  Healthcare practitioners don’t have time for F2F identity proofing.

Abbie asked if they include device factors when doing trust elevation, e.g. verification of cell phone device, network, SIM card, voice on home phone, etc.

Dale said they are absolutely looking into doing that, but there are privacy concerns.  You can’t just do geolocation without notifying the client in a lot of countries.

Dale said the actual credential is an OTP on the mobile phone. The user enters a PIN and the OTP.

Abbie asked if it can be sent to a home phone.

Dale said yes.  We can send the OTP to the home phone via an IVR. The user can specify an office or home phone.

Abbie asked, if you have two phones, can you send the OTP to another provider?

Dale said absolutely. We can send it to another provider.

Abbie said if you [Verizon] control the end device and it is registered to the same user, your internal risk engine can have different ratios.  Once you are the provider the [risk] equations change.

Dale commented that NIST says you have to have possession, not necessarily control.

Abbie replied yes, but this is different for internal risk.

Dale said they are working through that.  She doesn’t have an answer today.

Abbie wondered how this compares to what the Canadian government is accepting.

Bob said Canada hasn’t moved into LOA-3 yet.  He put a note in chat that for change of address online they use KBA (Equifax) to generate and issue those questions for the government now. We don’t issue LOA-3 ourselves.  We are depending on industry to do that via a broker service with a 3rd party. Currently they are in implementation and plan to go live this spring with a number of credential providers.

Abbie said maybe we should also learn what the Canadian government is doing with a broker service. Can we get a small presentation on that?  We can leave it up to the presenter to give highlights of the process.

Bob said he would put a request in to find out.  They have done public information sessions and will probably do more this spring. After April would be a good time for that.

Abbie said excellent, we can put this on the road map for the second deliverable.

Shaheen asked if it was possible to substitute biometrics for these KBA and LOA-2 questions, instead of just relying on what the user knows.

Dale said we aren’t doing it today. We are looking at a number of things. For example, how to improve registration flow.  Today we don’t do voice bio.

Shaheen said KBA isn’t good enough for financial institutions to elevate to LOA-3. 

Dale said NIST 800-63 doesn’t require KBA for LOA-3. Verizon is already certified for FICAM.

Abbie asked Dale if there was any reason why Google, PayPal and Equifax didn’t go beyond LOA-1.

Dale commented that she can’t speak for other companies.

Dale said this service isn’t for Verizon internally. It is to sell identity services to organizations and government.

Abbie commented that PayPal does a lot of identity proofing.

Don commented that PayPal and Google made a business decision [see chat room]

Anil said [chat room] that he is not sure KBA is a way for LOA-3.

Dale said they are meeting LOA-3, when the user gets to LOA-2. It was Verizon’s decision to keep the KBA in there. This is optional. NIST 800-63 doesn’t require a KBA. They originally did it to meet KBA requirements for PKI work.  The federal bridge required KBA according to their supplementary document to issue PKI for medium assurance.

Abbie commented that is really interesting. We are now looking at the interplay of actual requirements vs. business decisions.

Thomas asked if a person chose to leave the service, what the method was to delete all their personal information.

Dale said according to the Kantara Trust Framework, the data must be retained for 7.5 years after it is removed. They encrypt it and after that time, they will delete it.

Abbie asked whether, after users leave, they sell the data.

Dale replied, absolutely not.  We do not sell it.

Abbie commented that those types of guarantees differentiate them from others that sell your personal data.

Dale commented that we are a regulated industry, like a bank.

Someone asked if Kantara certification is endorsed by the US.

Dale said yes, under FICAM for LOA-1, 2 and non-PKI level 3.

Dale said they are looking at healthcare. They have other services that they offer that do fall under HIPAA.

Abbie asked about data retention.

Dale said they need to keep the data 7.5 years after revocation, according to Kantara.

Abbie asked how they mitigated man-in-the-middle attacks.

Dale said she would need to ask her security expert to answer.

Abbie asked Dale if she was going to provide any other method examples.

Dale said she was not planning to.  They are looking at other options.

Abbie asked if there were any more questions. There were no further questions.

Abbie thanked Dale.  This was really interesting and very good. He appreciated her time.

 

5. Mary and Editors to provide an overview of Committee Draft of first deliverable

(http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php?folder_id=2598)

Mary commented that the latest version is available above.  The planned schedule is as follows:

Date              Event/Action Description
12-Jan            Draft 0.15 was posted to OASIS
26-Jan            Verizon presentation to TC
9-Feb             Bofa presentation to TC
13-Feb            Around this time, when there is a significant delta, post new version
                  Two weeks to review and respond before RSA
Feb 27-March 1    RSA
                  Post near-final first deliverable by Sunday March 4
                  10 days to review
March 14-15       Next F2F
31-Mar            Final first deliverable (adjustments based on F2F discussion)

Mary said it would be helpful to get everyone’s methods earlier, for example, by the 7th.

People promised to get their method examples in by the 9th.

Abbie raised the issue of versioning.

Mary said that the document has a version number.

Abbie said we should tell them what has changed in each version.

We discussed options.

Mary said that since the document has numbered bullets, change bars aren’t helpful, as changes to the numbers cascade even when the text hasn’t changed.  She offered to list the method examples that had been changed in the change section at the end of the document.

There was a discussion of how to finalize which method examples were in scope and which were out of scope.  The current draft has some edge [corner or boundary] cases. 

Abbie said we may be able to discuss this in a call or may keep it for F2F.  Maybe we could use color codes to differentiate methods we are debating from those that are definitely included.

Shaheen asked if there was a restriction to only one channel or if there could be two separate channels.

Abbie replied that we can have more than one channel.  He doesn’t believe we should tie our hands.  We have to have that discussion.

Abbie asked if there were any more items to discuss.

Abbie commented that we have some new material we need to add to our first deliverable. Part of the action item is to really go after those who haven’t submitted their use cases. We need a deadline for everyone to adhere to if they want their use case to be part of the next F2F. After the F2F, we should be ready to conclude the first deliverable and move on to the second deliverable.

Mary said the deadline is February 9th.

No other items suggested.

6. Attendance Update

Carl was added.

7. Conclude meeting

Abbie asked for a motion to conclude.

Shaheen moved to adjourn.

Mary seconded it.

There were no objections.

The meeting was adjourned.

 

>>>>>>>>>>>>>>>>>>>> 

Chat room log

Please change your name from 'anonymous' using the Settings button
anonymous morphed into Mary Ruddy
abbie: CHAT ROOM
 
http://webconf.soaphub.org/conf/room/trust-el
 
Passcode: 637 218 8139
 
Int'l Toll: 1-980-939-6928
abbie: toll free 1 866 222 6652
abbie: agenda
abbie: 1. Roll Call
 
2. Agenda review and Approval
 
3. Approve Minutes
 
 
4. Presentation on "Registering for Verizon Universal Identity Services  (UIS)"
(document at http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php) by  Dale Rickards
 
5. Mary and Editors to provide an update of Committee Draft 
 
6. Attendance Update
 
7. Conclude meeting
AnilSaldhana(RedHat): I am on the phone too
AnilSaldhana(RedHat): Somebody on mobile?  that leads to echos
David Brossard - Axiomatics: Hi, on the call too
David Brossard - Axiomatics: we should mute in the order of the room list
anonymous1 morphed into Rainer Hoerbe
AnilSaldhana(RedHat): no echo. we can hear you Abbie
Kevin Mangold (NIST): Mary, I just joined the phone call.
anonymous1 morphed into Conor White (Daon)
Carl Mattocks: Carl is on the call
Shahrokh-Intel: Shahrokh is now in chat room
Don Thibeau Open Identity Exchange : don thibeau has joined   sorry i am late
AnilSaldhana(RedHat): How does KBA questions bring you to LOA3?  I am curious.
Bob Sunday: KBA is done in Canada for Canada Post change of address through Equifax
Thomas Hardjono (MIT): I have a couple of questions.
Shaheen Abdul Jabbar: Me too
Don Thibeau Open Identity Exchange : I have a question re: better understanding Dale's comment re: NIST regulations re: possession of the device versus control of the device
Don Thibeau Open Identity Exchange : how does Verizon mitigate the CallerID Spoofing threat e.g. man in the middle attack?
Don Thibeau Open Identity Exchange : KBA is indeed not good enough as I understand the NIST view of KBA-- can someone cite the NIST position
AnilSaldhana(RedHat): Don: it may be dependent on the verticals.  Finance - maybe not.  A different vertical - maybe.
AnilSaldhana(RedHat): Don: But I am unsure KBA is the way to LOA3
Don Thibeau Open Identity Exchange : PayPal and Google have made a business decision in this regard not tech capability
Don Thibeau Open Identity Exchange : I am not speaking for those companies rather repeating from minutes of discussion in OIX Board Meetings
Thomas Hardjono (MIT): (1) If a person chooses to leave Verizon's service, what method does she/he take to delete all personal information obtained from Verizon to achieve the LOA elevation?
Don Thibeau Open Identity Exchange : +1 Anil to your comment re KBA
Conor White (Daon): How do I apply and sign up?
Thomas Hardjono (MIT): (2) If a customer of Verizon chooses to use a different identity service provider, can she/he "transfer" the LOA data and LOA assignment achieved by Verizon to the new service provider.
Don Thibeau Open Identity Exchange : Is the Kantara Trust Framework requirement endorsed or certified by the US Government?
Thomas Hardjono (MIT): (3) Related to (1), if within the 7 years the verizon customer data (encrypted) is breached are there any penalties to the identity service provider (ala the HIT regulations in health care).
Shahrokh-Intel: Question: Saved encrypted info can be erased if user opts to erase during that 7 years?
Don Thibeau Open Identity Exchange : I am trying to understand and reconcile NIST's position WRT KBA and the US FICAM's certification
Don Thibeau Open Identity Exchange : Dale--I assumed you had all the answers ;-)
AnilSaldhana(RedHat): Dale: Thank you very much for the discussion. Quite thought provoking.
Don Thibeau Open Identity Exchange : +1
Thomas Hardjono (MIT): Thank you Dale.
Colin Wallis (NZGovt): +1
Conor White (Daon): Excellent presentation - thank you
AnilSaldhana(RedHat): Is it ok if I pass the verizon presentation to Red Hat internal folks?
abbie: y
abbie: it is public on the oasis site now
AnilSaldhana(RedHat): abbie: think it is still at the TC level.
Thomas Hardjono (MIT): OK, I think I'm on the guilty list :-)
Don Thibeau Open Identity Exchange : I am guilty  Mary thanks for the nudge  but Shame does work
Shahrokh-Intel: Second
Thomas Hardjono (MIT): Bye all...
Massimiliano Masi (Tiani Spirit): bye all

 

 


