Subject: RE: [oasis-charter-discuss] Proposed Charter for OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee



The EU STORK is one of the flagship e-government large scale
pilots (LSPs) in the European Union. STORK's public
deliverables can be downloaded from:
https://www.eid-stork.eu/  Do you have any thoughts on how
the STORK model, concepts and profiles relate to this
proposed TC?

The draft TC charter also mentions "ENISA, Mapping ENISA
Authentication Levels (Nov. 2008)".  It looks as if you are
referring to a publication "Mapping IDABC Authentication
Assurance Levels to SAML v2.0". 

Pim

-----Original Message-----
From: Chet Ensign [mailto:chet.ensign@oasis-open.org] 
Sent: 06 July 2011 17:10
To: oasis-charter-discuss@lists.oasis-open.org
Cc: tc-announce@lists.oasis-open.org;
members@lists.oasis-open.org; peter.alterman@nih.gov; Scott
McGrath; Carol Geyer; Jamie Clark; Robin Cover; Paul Knight
Subject: [oasis-charter-discuss] Proposed Charter for OASIS
Electronic Identity Credential Trust Elevation Methods
(Trust Elevation) Technical Committee 

To OASIS Members:

A draft TC charter has been submitted to establish the OASIS
Electronic Identity Credential Trust Elevation Methods
("Trust Elevation") Technical Committee (below). In
accordance with the OASIS TC Process Policy section 2.2:
(http://www.oasis-open.org/committees/process-2009-07-30.php#formation)
the proposed charter is hereby submitted for
comment. The comment period shall remain open until 11:45 pm
ET on 20 July 2011.

OASIS maintains a mailing list for the purpose of submitting
comments on proposed charters. Any OASIS member may post to
this list by sending email to:
oasis-charter-discuss@lists.oasis-open.org. All messages
will be publicly archived at:
http://lists.oasis-open.org/archives/oasis-charter-discuss/.
Members who wish to receive emails must join the group by
selecting "join group" on the group home page:
http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/.
Employees of organizational members do not require
primary representative approval to subscribe to the
oasis-charter-discuss e-mail.

A telephone conference will be held among the Convener, the
OASIS TC Administrator, and those proposers who wish to
attend within four days of the close of the comment period.
The announcement and call-in information will be noted on
the OASIS Charter Discuss Group Calendar.

We encourage member comment and ask that you note the name
of the proposed TC ("Trust Elevation") in the subject line
of your email message.

Best regards,

/chet
----------------
Chet Ensign
Director of Standards Development and TC Administration
OASIS: Advancing open standards for the information society
http://www.oasis-open.org

Primary: +1 973-378-3472
Mobile: +1 201-341-1393

---
Name of the TC: 
OASIS Electronic Identity Credential Trust Elevation Methods
(Trust Elevation) Technical Committee 

Statement of Purpose: 
The Trust Elevation Technical Committee will identify
methods being used currently to authenticate electronic
identities by online relying parties and service providers,
and similar methods in development or identified in
theoretical models.  By comparison and factoring of those
methods, the TC will propose and describe a set of
standardized protocols that service providers may use to
elevate the trust in an electronic identity credential
presented to them for authentication, at
generally-recognized levels of assurance, representing
increasing degrees of authentication certainty.  

The Trust Elevation TC will base its initial analyses of the
identified trust elevation methods on the four levels of
assurance described by the U.S. in OMB [1] and NIST [2]
publications, and work towards a general model that includes
other comparable formal standardized authentication levels
of assurance, such as those published by ISO and ITU.  The
more widely-recognized and adopted these standardized
protocols are, the more useful they will be to governments,
businesses and individuals engaged in eGovernment and
eCommerce.  

The Trust Elevation TC is intended to respond to the
suggestions of several governments, including the US
government's NSTIC strategy document [3] that national and
global identity infrastructures can be developed and
supported by private sector cooperation among providers,
users and subjects of trusted identity systems. The EIC-TEM
documentation from this TC should promote interoperability
among multiple identity providers, and among multiple
identity federations & frameworks, by facilitating clear
communication about common and comparable operations to
present, evaluate and apply identity [data/assertions] to
sets of declared authorization levels.  

[1] Office of Management and Budget Memorandum M-04-04,
E-Authentication Guidance for Federal Agencies, Dec. 2003.
[2] NIST Special Publication (SP) 800-63, Rev. 1, Electronic
Authentication Guidelines, Dec. 2008.
[3] Office of the President, National Strategy for Trusted
Identities in Cyberspace (NSTIC), April 2011:
http://www.nist.gov/nstic/ 

Scope: 
The initial conceptual scenario for this TC's focus is as
follows: An online service provider that has determined its
electronic authentication requirement at NIST Level 3
receives an electronic identity credential from an end-user
that is recognized as a Level 1 credential.  By applying one
or more recognized methods for assessing the identity of the
end-user, the service provider is able to assure itself that
the presented credential actually represents the asserted
identity at higher level(s) of assurance comparable to NIST
Level 2 and 3. 

Work within the TC's scope includes descriptions of the
process steps and component services necessary to confirm a
conclusion of trust elevation between each pair of levels.
Those descriptions and analysis may include catalogs of data
services (or types of service), taxonomies or functional
definitions of the types of identity and assertion data on
which those services operate, substantive data exchanges or
models, and model message exchange patterns.

The TC may include functional data security/integrity
requirements in its process descriptions, e.g., certain
trust elevation methods may only be recommended if conducted
within certain minimum levels of data integrity protection.

Where possible, the TC generally will rely on existing
widely-used definitions and data categories. The TC may also
make functional comparisons of alternative assurance level
schemes, so as to map its trust elevation processes to a
variety of regulatory frameworks. 

The following work will be out of scope for the TC:

- Mandates of specific message formats or schema. The TC
will provide process and data requirements that can be
equally applied regardless of transport method or data
schema encoding.  No one data format or schema will be
mandated.  The TC may provide detailed instances of
assurance & elevation message exchanges, as examples, but
its output should be generally applicable regardless of
schema encoding.

List of deliverables: 
The Trust Elevation TC will create the following
deliverables:

1. The initial deliverable is a comprehensive list of
methods being used currently to authenticate identities
online to the degree necessary to transact business where
material amounts of economic value or personally
identifiable data are involved.  First Public Review Draft
to be completed by six months after the first meeting.

2. The second deliverable is an analysis of the identified
methods to determine each one's ability to provide a service
provider with assurance of the submitter's identity
sufficient for elevation between each pair of assurance
levels, to transact business where material amounts of
economic value or personally identifiable data are involved.
First Public Review Draft to be completed by [nine] months
after the first meeting.

3. The final deliverable will be an "Electronic Identity
Credential Trust Elevation Methods Protocol" specification
that recommends particular methods as satisfying defined
levels of assurance for elevating trust in an electronic
identity credential to assure the submitter's identity
sufficiently to support elevation between each pair of
assurance levels to transact business where material amounts
of economic value or personally identifiable data are
involved.  Alternative and optional methods may be included.
The description of each recommended method shall include
functional definitions of the types of identity and
assertion data employed by each method, and may include
specification of the data services required in each
elevation, substantive data exchange patterns or models,
message exchange patterns or models, and such other elements
as the TC deems useful.  The first Public Review Draft will
be completed by [fifteen] months after the first meeting.

The TC may re-factor the deliverables above as it sees fit
into fewer, more, or differently combined documents.  In any
case, the deliverables shall:  

- Be vendor-neutral and product-agnostic.  (The TC may also
elect to provide proof-of-concept instances, but will strive
to facilitate ease of implementation regardless of data
schema choices.)  

- To the extent feasible, re-use rather than re-invent
suitable existing definitions of policy concepts such as
identity tokens and personally-identifiable data.

- To the extent feasible, be consistent with generally
accepted definitions of service-oriented architectural
principles.

- Describe with specificity their application to established
US NIST levels of assurance.

- Include a catalog or list of common types of services and
functions.

- Include a set of definitions or sources of definitions for
common functional types of data elements.

IPR Mode under which the TC will operate: 
The Trust Elevation TC will operate under the RF on Limited
Terms mode of the OASIS IPR Policy.

Anticipated audience or users: 
The Trust Elevation TC is intended for the following
audiences: Architects, designers and implementers of
providers and consumers of enterprise identity management
services. 

Language: Work group business and proceedings will be
conducted in English.


Non-normative Information Regarding the Startup of the TC

Similar or applicable work:
The proposers are unaware of any currently published work
that covers the scope described here.  Some elements of the
project may be informed by or related to the following:

- ISO/IEC JTC 1/SC 27/WG 3, Evaluation criteria for IT
security -- Part 3: Security assurance components (ISO/IEC
15408-3:2008). 
- ENISA, Mapping ENISA Authentication Levels (Nov. 2008).
- NIST Special Publication (SP) 800-63, Rev. 1, Electronic
Authentication Guidelines, Dec. 2008.
- Oxford Internet Institute, M. Rundle, ed, Towards a Policy
and Legal Framework for Identity Management: A Workshop
Report, Oct. 2009.
- IDABC: Study on eID Interoperability for PEGS (Dec. 2009).
- Kantara Initiative, Identity Assurance Framework:
Glossary, Levels of Assurance & Service Assessment Criteria,
Feb. 2010.
- Open Identity Exchange, The Open Identity Trust Framework
(OITF) Model, Mar. 2010.
- ITU-T Study Group 17, Draft Rec. ITU-T X.cybex:
Cybersecurity information exchange framework (Dec. 2010).

Date & time of first meeting:
The first meeting will be held Monday, September 5, 2011, at
11:00 US Eastern time, by teleconference. The National
Institute of Standards and Technology (NIST), the Open
Identity Exchange and the eCitizen Foundation will
co-sponsor the first meeting. 

Ongoing meeting schedule:
To be decided by the committee.  Bi-weekly teleconferences
and the occasional (semi-annual) face to face work session
may be appropriate. Meeting leadership will be shared among
the three co-sponsors mentioned above on a rotating basis
until the TC membership decides on another approach.

Participants
The names, electronic mail addresses, and membership
affiliations of at least Minimum Membership who support this
proposal:  

- Peter Alterman; NIST, peter.alterman@nih.gov
- Don Thibeau; OIX, don@openidentityexchange.org
- Abbie Barbir; Bank of America,
abbie.barbir@bankofamerica.com
- Dazza Greenwood; eCitizen,
civicsdotcom-econtracts@yahoo.com
- Anil Saldhana; RedHat, Anil.Saldhana@redhat.com
- Brendan Peter; CA Technologies, Brendan.Peter@ca.com
- Mary Ruddy; Identity Commons, mary@meristic.com
- John "Mike" Davis; Veterans Health Administration,
Mike.Davis@va.gov
- Tony Rutkowski, Yaana Technology, tony@yaanatech.com
- Debbie Bucci, National Institutes of Health,
Bucci@exchange.nih.gov

Primary Representative Statements of Support:

- Paul Lipton, paul.lipton@ca.com, primary representative CA
Technologies - I approve the Trust Elevation TC charter.
- Mark Little, mlittle@redhat.com, primary representative
RedHat - I approve the Trust Elevation TC charter.
- Abbie Barbir, abbie.barbir@bankofamerica.com, primary
representative of Bank of America - I approve the Trust
Elevation TC charter.
- Peter Alterman, peter.alterman@nih.gov, primary
representative of the National Institute for Standards and
Technology - I approve the Trust Elevation TC charter.
- Don Thibeau, don@openidentityexchange.org, primary
representative of the Open Identity Exchange - I approve the
Trust Elevation TC charter.
- John "Mike" Davis, Mike.Davis@va.gov, primary
representative of the Veterans Health Administration - I
approve the Trust Elevation TC charter.
- Dazza Greenwood, civicsdotcom-econtracts@yahoo.com,
primary representative of the eCitizen Foundation - I
approve the Trust Elevation TC charter.
- Debbie Bucci, bucci@exchange.nih.gov, primary
representative of the National Institutes of Health - I
approve the Trust Elevation TC charter.
- Mary Ruddy, mary@meristic.com, primary representative of
the Identity Commons - I approve the Trust Elevation TC
charter.
- Tony Rutkowski, tony@yaanatech.com, primary representative
of Yaana Technology - I approve the Trust Elevation TC
charter.

Convener:
The convener will be Peter Alterman, National Institute of
Standards and Technology.

Member Section:
OASIS ID-Trust Member Section


