OASIS members & interested parties,
A new OASIS technical committee is being formed. The OASIS Electronic Secure Authentication (ESAT) Technical Committee (TC) has been proposed by the members of OASIS listed in the charter below. The TC name, statement of purpose, scope, list of deliverables, audience, IPR mode and language specified in this proposal will constitute the TC's official charter. Submissions of technology for consideration by the TC, and the beginning of technical discussions, may occur no sooner than the TC's first meeting.
The eligibility requirements for becoming a participant in the TC at the first meeting are:
(a) you must be an employee or designee of an OASIS member organization or an individual member of OASIS, and
(b) you must join the Technical Committee, which members may do by using the Roster "join group" link on the TC's web page at [a].
To be considered a voting member at the first meeting:
(a) you must join the Technical Committee at least 7 days prior to the first meeting (on or before 12 November 2020); and
(b) you must attend the first meeting of the TC, at the time and date fixed below (19 November 2020).
Participants also may join the TC at a later time. OASIS and the TC welcome all interested parties.
Non-OASIS members who wish to participate may contact us about joining OASIS [b]. In addition, the public may access the information resources maintained for each TC: a mail list archive, document repository and public comments facility, which will be linked from the TC's public home page at [c].
Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage your participation.
[b] See http://www.oasis-open.org/join/
"CALL FOR PARTICIPATION"
OASIS Electronic Secure Authentication (ESAT) Technical Committee Charter
The charter for this TC is as follows.
Section 1: TC Charter
(1)(a) TC Name
OASIS Electronic Secure Authentication (ESAT) Technical Committee
(1)(b) Statement of Purpose
The Electronic Secure Authentication (ESAT) Technical Committee (TC) will survey methods that online relying parties and service providers currently use to authenticate electronic identities. It will include identity methods under development or described in theoretical models. The TC will compare and contrast these methods in order to propose a set of protocols service providers can reliably use. The set of protocols will enable authentication without static credentials or passwords, and provide increasing levels of identity assurance, risk mitigation, and authentication certainty.
The ESAT TC will collect information on no-shared-secret authentication techniques (in particular, quick response (QR) codes) and risk mitigation techniques being standardized, marketed and implemented in the public or private sector. The TC will analyze the approaches and assess their effectiveness at assuring the identity of the electronic claimant. The goal will be to create a general model that describes how password-replacement authentication and risk mitigation efforts can be used to create trusted online transactions. Once the initial collection and analyses have been completed, the TC will correlate the results with various other trusted credential and trusted transaction models. The objective will be to get the proposed protocols more widely recognized and adopted, in order to make them more useful to governments, businesses, and individuals engaged in eGovernment and eCommerce.
The ESAT TC intends to solicit and respond to suggestions from governments in order to support private sector development of national and global identity infrastructures. It will assist private sector cooperation across providers, users, and subjects of trusted identity systems. The specifications produced by this TC will promote interoperability among multiple identity providers, identity federations, and frameworks. They will do this by facilitating clear communication about common and comparable operations that present, evaluate and apply identity data/assertions to sets of declared authorization levels.
Strong authentication is needed to protect against account take-over and identity theft. Many technologies are being developed to reduce the reliance on passwords for authentication. Solutions based on FIDO standards set a high bar by eliminating account take-overs based on phishing attacks. Unfortunately, many other solutions, and in particular those that are based on QR codes, do not offer the same resistance to Man-in-the-Middle attacks. The work in this TC aims to remedy the risks associated with the use of QR codes for strong authentication.
Overall, the benefits of assuring authentication will improve the user experience, and reduce the costs related to IdM, security and usability.
Any vendor involved in authenticating electronic identities, passwordless authentication providers, identity service providers, local and national governments, businesses, and individuals engaged in eGovernment and eCommerce will all benefit from this work.
(1)(c) Scope
Work within the ESAT TC's scope includes descriptions of the process steps and component services necessary to reach and confirm an authentication outcome using steps that do not rely on presenting a shared secret (i.e. a password). Those descriptions and analyses may include catalogs of data services (or types of services), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns.
The TC may include functional data security and integrity requirements in its process descriptions. This may include recommendation of certain Authentication methods for enhancing online security, in particular when conducted within certain minimum levels of data integrity protection.
Where possible, the TC generally will rely on existing, widely-used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its Secure Authentication processes to a variety of regulatory frameworks.
The following work will be out of scope for the TC:
* Mandates of specific message formats or schema. The TC will provide process and data requirements that can be equally applied regardless of the transport method or data schema encoding. No one data format or schema will be mandated. The TC may provide detailed instances of assurance and elevation message exchanges, as examples, but its output should be generally applicable regardless of schema encoding.
(1)(d) Deliverables
The Electronic Secure Authentication (ESAT) TC will create the following deliverables:
1. The initial deliverable is a comprehensive list of methods currently being used to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by six months after the first meeting.
2. The second deliverable is an analysis of the identified methods to determine each one's ability to provide a service provider with the assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by [nine] months after the first meeting.
3. The third deliverable will be a "Secure Authentication Methods Protocol" specification. This document will recommend particular methods as satisfying defined levels of assurance for elevating trust in an electronic identity credential, in order to assure the submitter's identity sufficiently to support elevation between each pair of assurance levels and to transact business where material amounts of economic value or personally identifiable data are involved. Alternative and optional methods may be included. The description of each recommended method shall include: functional definitions of the types of identity and assertion data employed by each method; specification of the data services required in each elevation; substantive data exchange patterns or models; message exchange patterns or models; and such other elements as the TC deems useful. The first Public Review Draft will be completed by [fifteen] months after the first meeting.
4. Other deliverables that fall within the scope of the project may be identified over time as the TC engages in its work.
The TC may re-factor the deliverables above as it sees fit into fewer, more, or differently combined documents. In any case, the deliverables shall:
* Be vendor-neutral and product-agnostic. (The TC may also elect to provide proof-of-concept instances, but will strive to facilitate ease of implementation regardless of data schema choices.)
* To the extent feasible, re-use rather than re-invent suitable existing definitions of policy concepts such as identity tokens and personally-identifiable data.
* To the extent feasible, be consistent with generally accepted definitions of service-oriented architecture principles.
* Describe with specificity their application to established US NIST and European eIDAS levels of assurance.
* Include a catalog or list of common types of services and functions.
* Include a set of definitions or sources of definitions for common functional types of data elements.
(1)(e) IPR Mode
The Secure Authentication TC will operate under the RF on Limited Terms mode of the OASIS IPR Policy.
(1)(f) Audience
The Secure Authentication TC is intended for the following audiences: architects, designers and implementers of providers and consumers of enterprise identity management services.
(1)(g) Language
Work group business and proceedings will be conducted in English.
Section 2: Additional Information
(2)(a) Identification of Similar Work
There is no direct work in other standards bodies that overlaps with the ESAT TC. There are some efforts by various researchers that look into security considerations for DID authentication using QR codes.
In particular, NIST 800-63-3 mentions the use of QR codes twice, both in the context of out-of-band devices and authenticators. The fundamental difference for this TC is that, where NIST 800-63-3 states that the claimant receives a secret via the primary authentication channel and uses the QR code as a transfer mechanism to share that secret, the OASIS TC is not advocating the use of QR scans to exchange shared secrets. Rather, the TC sees QR scans as a transport vehicle to assert a user identity based on the public/private keys used to bind a user's identity to their authenticator app. In the approach the TC recommends, the QR payload consists of a session ID and contains no PII. When the QR code is scanned, a GUID representing the claimant is passed through the secondary channel and ultimately to the primary relying party. The claimant is then challenged for user presence via the OS security of the authenticator device.
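The QR flow described above, as an added illustration in Go that is not part of the charter or of any TC deliverable: the relying party mints a random session ID as the sole QR payload, the authenticator app signs it together with the claimant's GUID using the key pair bound at enrolment (only after the OS user-presence check), and the relying party accepts the assertion only for a pending, unused session and an enrolled GUID, so a replayed or unknown session ID and a signature from a key that was never enrolled are both rejected. The Ed25519 signature, the "sessionID|GUID" message layout and the in-memory RelyingParty type are assumptions of this example, not anything the TC has specified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// RelyingParty (hypothetical, in-memory): enrolled GUID -> public key, and pending QR sessions as session ID -> GUID ("" until asserted).
type RelyingParty struct {
	users    map[string]ed25519.PublicKey
	sessions map[string]string
}
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]ed25519.PublicKey{}, map[string]string{}}
}
func (rp *RelyingParty) Enroll(guid string, pub ed25519.PublicKey) { rp.users[guid] = pub }
// NewSession mints a random session ID: the entire QR payload, no secret, no PII.
func (rp *RelyingParty) NewSession() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	rp.sessions[id] = ""
	return id, nil
}

// Assertion goes over the secondary channel; Sig is ed25519 over "sessionID|GUID" under the key bound to the user's app at enrolment.
type Assertion struct{ SessionID, GUID string; Sig []byte }
// Scan is the authenticator-app side; the OS user-presence check gates signing.
func Scan(sessionID, guid string, priv ed25519.PrivateKey, userPresent bool) (Assertion, error) {
	if !userPresent {
		return Assertion{}, errors.New("user presence not confirmed")
	}
	return Assertion{sessionID, guid, ed25519.Sign(priv, []byte(sessionID+"|"+guid))}, nil
}

// Verify is the relying-party side: session pending and unused, GUID enrolled, signature valid under the enrolled key; only then bind the session.
func (rp *RelyingParty) Verify(a Assertion) error {
	if bound, ok := rp.sessions[a.SessionID]; !ok || bound != "" {
		return errors.New("unknown or already consumed session")
	}
	if pub, ok := rp.users[a.GUID]; !ok || !ed25519.Verify(pub, []byte(a.SessionID+"|"+a.GUID), a.Sig) {
		return errors.New("assertion rejected")
	}
	rp.sessions[a.SessionID] = a.GUID
	return nil
}
```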
There is work on DID Authentication that will need to be taken into consideration by this TC:
1. Web Of Trust Information: https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md
2. DIF Authentication Working Group (DID Auth WG Charter)
(2)(b) First TC Meeting
The first TC meeting is planned for Thursday, November 19, 2020. The meeting will be virtual, from 7:00 to 9:00 PM Eastern time. CVS will sponsor the first meeting.
(2)(c) Ongoing Meeting Schedule
The TC will meet virtually on a bi-weekly basis. Face-to-face (F2F) meetings will be sponsored by the founding members (Trusona, Digital Trust, CVS, etc.).
(2)(d) TC Proposers
* Abbie Barbir, Aetna (firstname.lastname@example.org)
* Jason Burnett (email@example.com)
* John Sabo (firstname.lastname@example.org)
* Anil Saldhana (email@example.com)
* Bojan Simic, HYPR (firstname.lastname@example.org)
* Spencer Yezo, Bank of America (email@example.com)
* Ori Eisen, Trusona (firstname.lastname@example.org)
* Hiroshi Takechi, NEC Corporation (email@example.com)
* Lauri Korts-Pärn, NEC Corporation (firstname.lastname@example.org)
(2)(e) Primary Representatives' Support
* I, Abbie Barbir, CVS (email@example.com), as Primary Representative for CVS confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Bojan Simic (firstname.lastname@example.org), as Primary Representative of HYPR Corp confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, David Harte (email@example.com), as Primary Representative for Bank of America confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Ori Eisen (firstname.lastname@example.org), as Primary Representative for Trusona confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Takahiro Kakumaru (email@example.com), as Primary Representative for NEC confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
(2)(f) TC Convener
Abbie Barbir will be the convenor.
(2)(g) OASIS Member Section
The ESAT TC intends to affiliate with the IDtrust Member Section.
(2)(h) Anticipated Contributions
1. Diagrams and flows of suggested technical solutions
2. Best practices
3. Security reviews
(2)(i) FAQ Document
(2)(j) Work Product Titles and Acronyms