Subject: Minutes from March 15 F2F Trust Elevation meeting


Minutes for the face-to-face meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

15 March, 2012

 

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat 

Bob Sunday

Brendan Peter, CA Technologies - y

Carl Mattocks, Bofa 

Cathy Tilton, Daon  - y

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y

Dale Rickards, Verizon Business - y   

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH - y 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Ed Coyne, Dept Veterans Affairs - y 

Gershon Janssen – y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam

Jeff Broburg, CA

John Bradley  - y

John "Mike" Davis, Veteran's Affairs

John Walsh, Sypris Electronics

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Lucy Lynch, ISOC - y

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Nick Pope, Thales e-Security

Peter Alterman, NIST  - y

Rebecca Nielsen, Booz Allen Hamilton - y  

Rich Furr, SAFE-BioPharma Assn - y

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp)  - y

Tony Rutkowski

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

54 percent of the voting members were present at the meeting. We did have quorum.

 

 

2. Agenda review and approval
 
Abbie asked if there were any additions to the agenda. There were none and we proceeded with the agenda.
 
 
3. Approve Minutes
 
Abbie made a motion to approve all previously submitted minutes.
 
Brendan seconded the motion.
 
There were no objections. The motion passed.

 

4. Discussion of outstanding questions and issues about first deliverable

 

Peter said the first draft includes hardware-based crypto solutions to ensure that the platform is secure.

 

Mary began reviewing a list of questions.  What is in scope?  Are use cases that include credentials out of scope?  Mary proposed that use cases that only use credentials are out of scope and use cases that include credentials as well as other techniques are in scope.

 

Abbie asked whether the Verizon method example is in or out.

 

Peter commented that we might need to have an appendix for hybrid solutions. 

Abbie said an endpoint is part of trust elevation, so we need a credential to bind the hardware piece. If we can't bind the SIM card to a user, we are only solving part of the problem.

 

Peter replied, so we say the PIV card needs to be inserted.

 

Abbie remarked that the PIV card has issues.

 

Peter replied the alternative is UN/PW, and PIV is better than UN/PW.

 

Peter brought us back to the task at hand. We must have success for the first deliverable. We discussed the scope of the deliverable with respect to inclusion of credential use cases.

 

Peter said if the credential is not for initial use, but for subsequent use, it is a borderline case. He has come around. In addition to non-credential-based approaches, there are approaches that use credentials to raise trust.

 

Abbie replied, so we should add it to an appendix.

 

Shaheen asked whether a cookie is a credential. It is used as part of "know your customer" requirements.

Peter responded that if it is used to elevate trust, it is appropriate. He commented that in the document we need to make a clear distinction between pure elevation and also using a credential for elevation.

 

Mary reviewed the existing spreadsheet list of methods and added additional ones as the discussion progressed.

 

Abbie said a pointer can be a collection of pointers to different schema.

 

We reviewed the charter and the scope described in the draft document.

 

If the use case involves a credential, we agreed to include it in its own section.

 

Abbie said we will limit use of credentials [to situations that aren’t credential only.]

 

We do need to include use cases that include a credential.  For example, a device attribute could be a device credential. 

 

Abbie remarked that a certificate on a SIM device is not the issue.  A SIM plus an IP address, that Verizon will attest to, could be useful.

 

Abbie said we need to add the SIM use case.  It is a technique used by almost every bank, like KBA.

 

Shaheen commented that they are dropping use of cookies.

 

Abbie said that within the bank, they don’t trust cookies as they are spoofable. So some are moving away from them.

 

Mary took a note to include cookies as a use case.

 

Credentials are also used for elevating endpoint security.  This use case is about providing an attribute that can be validated.

 

Peter commented that the fundamental weakness of hardware is the binding between human and device.

 

Mary mentioned the use of continuous authentication. An example would be differentiating between typing patterns to detect when the person at the computer is not the person who originally authenticated.

 

Peter commented that this is a form of behavior analysis, device related, and another new example.

 

Shahrokh said it could be resolved based on contextual information, including last login. The system could recognize that the device is obsolete and not put tokens into the device any more.

 

Abbie said the bank identifies the device and relates the device to the user.  Voice recognition, or looking at a camera with your iris.  He talked about the importance of binding. Context is key.

 

Abbie asked if behavior is different from context. It is not what you do; it is the order and what the action is based on. Trust elevation can be economic and risk based. For example, only require going to voice if the user is moving a lot of money.

 

Peter commented there is also trust elevation from the end user.

 

It was commented that the first deliverable is cosmetic.

 

Mary replied that a group of [properly chosen] methods provides stronger elevation than the sum of its individual parts.

 

Peter wants to see a list of these techniques. He is OK with a list with a paragraph on each technique. So we might have four pages of techniques and 30 pages of method use cases.

 

Abbie said we need techniques for attributes as that drives techniques for elevation.

 

Shaheen said it [the challenge] is not lack of technology.  It is a lack of understanding of what the key problems are.

 

Peter said use cases are lazy.

 

Shahrokh said we need to identify the basic building blocks and requirements for hardware and software vendors to have a level of trust be operational. We need to focus on brief descriptions of the building blocks and what they solve.

 

Abbie wants to be able to say at the next meeting what is accomplished.  The goal is a document, two weeks from today. We need to get it out the door.

 

Lunch break.

 

Ed said he prefers the phrase "evaluation of credential" rather than "demotion."

 

Abbie said it is not the credential we are evaluating, it is the chain. Sometimes the credential has a lower level of confidence.

 

Abbie said write a paragraph.

 

Peter said put a note and move on. If you start with LOA-2 and fail KBA, you are still a two, or less. It would depend on evaluation, not demotion. They may terminate the session and ask the user to call [a customer service rep.]

 

Shaheen replied, so if bank fraud is detected, nuke the session.

 

Peter continued, an example of demotion is when an RP has accepted an assertion at a certain level of assurance, and subsequently decides the assertion is not what it originally thought, and bumps it down. We should have a use case for demotion.

 

Abbie commented that there is a DoD document that maps seven levels to the four levels of assurance.

 

Abbie mentioned Gerry Beuchelt of MITRE.  Gerry has an access control model and policies.  He asked Gerry to come to the TC.

 

There was a question about Jay Glasgow’s (AT&T) presentation on PLOA at yesterday’s open portion of the meeting.

 

Peter replied it is about separating the enforcement point from the decision point. 

 

Abbie said Jay described a method of using attributes. It is good for LOA-2 and LOA-3. He provided a means via a protocol. It is consuming attributes from various vendors. There is a hidden big problem. How can an IdP identify which systems have attributes? You either need a discovery mechanism or registries.

 

Peter remarked so it is an attribute aggregation point.

 

Mary commented that the use cases have highlighted the difference between a list of attributes and what to do with the attributes.

 

Peter said one of the use cases that interested him was trust elevation by acquiring and evaluating attributes. That is, utilizing attributes as a secondary auth. This may be a path forward for another phase.

 

5. Attendance Update

Quorum was reached.

6. Conclude meeting

Abbie moved to adjourn.

Peter seconded it.

There were no objections.

The meeting was adjourned.
