I took the liberty of proposing that the TC consider not only the US NIST Levels of Assurance, but also
the European eIDAS Levels of Assurance according to Art. 8 of the eIDAS Regulation (https://www.eid.as/#article8), as further
detailed in CIR (EU) 2015/1502 (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015R1502&from=EN).
From: Chet Ensign <firstname.lastname@example.org>
Sent: Wednesday, 16 September 2020 22:07
To: email@example.com; firstname.lastname@example.org; OASIS Charter Discuss List <email@example.com>; firstname.lastname@example.org
Cc: Dee Schur <email@example.com>; Carol Geyer <firstname.lastname@example.org>; abbie barbir <email@example.com>; Jason Burnett <firstname.lastname@example.org>; John Sabo <email@example.com>; Anil Saldanha <firstname.lastname@example.org>; Bojan Simic <email@example.com>; firstname.lastname@example.org; Ori Eisen <email@example.com>; firstname.lastname@example.org; Lauri Korts-Pärn <email@example.com>
Subject: [members] Call for Comment: proposed Charter for OASIS Electronic Secure Authentication (ESAT) TC
To OASIS Members:
A draft TC charter has been submitted to establish the OASIS Electronic Secure Authentication (ESAT) Technical Committee. In accordance with the OASIS TC Process Policy section 1.2 (https://www.oasis-open.org/policies-guidelines/tc-process-2017-05-26#formation), the proposed charter is hereby submitted for comment. The comment period shall remain open until 23:59 GMT on 30 September 2020.
We encourage members to comment. OASIS maintains a mailing list for the purpose of submitting comments on proposed charters. Any OASIS member may post to this list by sending email to: firstname.lastname@example.org. All messages will be publicly archived at: http://lists.oasis-open.org/archives/oasis-charter-discuss/. Members who wish to receive emails must join the group by selecting "join group" on the group home page: http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/. Employees of organizational members do not require primary representative approval to subscribe to the oasis-charter-discuss e-mail.
This call for comment is also available as a Google Doc. See https://docs.google.com/document/d/19SxC1AS9a9QX0CO9keLWxrJcoQOGep8YsMNaILoCtpE/. Comments and suggestions may be left on that document.
Comments received will be reviewed by the proposers and a log of the comments and their resolution will be posted to oasis-charter-discuss mailing list before the telephone call with the convener.
A telephone conference will be held among the Convener, the OASIS TC Administrator, and those proposers who wish to attend no more than four days after the comment period closes. The announcement and call-in information will be noted on the OASIS Charter Discuss Group Calendar.
We encourage member comment and ask that you note the name of the proposed TC (ESAT TC) in the subject line of your email message.
If you wish to be listed as a co-proposer in the Call for Participation, please contact the convener Abbie Barbir (email@example.com). For representatives of OASIS organizational members, a statement of support from their Primary Representative will be required.
--- Draft charter ---
Section 1: TC Charter
(1)(a) TC Name
OASIS Electronic Secure Authentication (ESAT) Technical Committee
(1)(b) Statement of Purpose
The Electronic Secure Authentication (ESAT) Technical Committee (TC) will survey methods that online relying partners and service providers currently use to authenticate electronic identities. It will include identity methods under development or described in theoretical models. The TC will compare and contrast these methods in order to propose a set of protocols service providers can reliably use. The set of protocols will enable authentication without static credentials or passwords, and provide increasing levels of identity assurance, risk mitigation, and authentication certainty.
The ESAT TC will collect information on no-shared-secret authentication techniques (in particular, quick response (QR) code) and risk mitigation techniques being standardized, marketed and implemented in the public or private sector. The TC will analyze the approaches and assess their effectiveness at assuring the identity of the electronic claimant. The goal will be to create a general model that describes how password replacement authentication/risk mitigation efforts can be used to create trusted online transactions. Once the initial collection and analyses have been completed, the TC will correlate the results with various other trusted credential and trusted transaction models. The objective will be to get these protocols more widely-recognized and adopted, in order to make them more useful to governments, businesses, and individuals engaged in eGovernment and eCommerce.
The ESAT TC intends to solicit and respond to suggestions from governments in order to support private sector development of national and global identity infrastructures. It will assist private sector cooperation across providers, users, and subjects of trusted identity systems. The specifications produced by this TC will promote interoperability among multiple identity providers, identity federations, and frameworks. They will do this by facilitating clear communication about common and comparable operations that present, evaluate and apply identity data/assertions to sets of declared authorization levels.
Strong authentication is needed to protect against account take-over and identity theft. Many technologies are being developed to reduce the reliance on passwords for authentication. Solutions based on FIDO Standards set a high bar by eliminating account take-overs based on phishing attacks. Unfortunately, many other solutions, and in particular those that are based on QR codes, do not offer the same resistance to Man-in-the-Middle attacks. The work in this TC aims to remedy the risks associated with the use of QR codes for strong authentication.
Overall, the benefits of assuring authentication will improve the user experience, and reduce the costs related to IdM, security and usability.
Any vendor involved in authenticating electronic identities, passwordless authentication providers, identity service providers, local and national governments, businesses, and individuals engaged in eGovernment and eCommerce will all benefit from this work.
Work within the ESAT TC's scope includes descriptions of the process steps and component services necessary to confirm a conclusion of Authentication steps that do not rely on providing a shared secret (i.e. a password). Those descriptions and analyses may include catalogs of data services (or types of services), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns.
The TC may include functional data security and integrity requirements in its process descriptions. This may include recommendation of certain Authentication methods for enhancing online security, in particular when conducted within certain minimum levels of data integrity protection.
Where possible, the TC generally will rely on existing, widely-used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its Secure Authentication processes to a variety of regulatory frameworks.
The following work will be out of scope for the TC:
* Mandates of specific message formats or schema. The TC will provide process and data requirements that can be equally applied regardless of the transport method or data schema encoding. No one data format or schema will be mandated. The TC may provide detailed instances of assurance and elevation message exchanges, as examples, but its output should be generally applicable regardless of schema encoding.
The Electronic Secure Authentication (ESAT) TC will create the following deliverables:
1. The initial deliverable is a comprehensive list of methods currently being used to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by six months after the first meeting.
2. The second deliverable is an analysis of the identified methods to determine each one's ability to provide a service provider with the assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by [nine] months after the first meeting.
3. The third deliverable will be a "Secure Authentication Methods Protocol" specification. This document will recommend particular methods as satisfying defined levels of assurance for elevating trust in an electronic identity credential, in order to assure the submitter's identity sufficiently to support elevation between each pair of assurance levels and to transact business where material amounts of economic value or personally identifiable data are involved. Alternative and optional methods may be included. The description of each recommended method shall include: functional definitions of the types of identity and assertion data employed by each method; specification of the data services required in each elevation; substantive data exchange patterns or models; message exchange patterns or models; and such other elements as the TC deems useful. The first Public Review Draft will be completed by [fifteen] months after the first meeting.
4. Other deliverables that fall within the scope of the project may be identified over time as the TC engages in its work.
The TC may re-factor the deliverables above as it sees fit into fewer, more, or differently combined documents. In any case, the deliverables shall:
* Be vendor-neutral and product-agnostic. (The TC may also elect to provide proof-of-concept instances, but will strive to facilitate ease of implementation regardless of data schema choices.)
* To the extent feasible, re-use rather than re-invent suitable existing definitions of policy concepts such as identity tokens and personally-identifiable data.
* To the extent feasible, be consistent with generally accepted definitions of service-oriented architecture principles.
* Describe with specificity their application to established US NIST levels of assurance.
* Include a catalog or list of common types of services and functions.
* Include a set of definitions or sources of definitions for common functional types of data elements.
(1)(e) IPR Mode
The Secure Authentication TC will operate under the RF on Limited Terms mode of the OASIS IPR Policy.
The Secure Authentication TC is intended for the following audiences: architects, designers and implementers of providers and consumers of enterprise identity management services.
Work group business and proceedings will be conducted in English.
Section 2: Additional Information
(2)(a) Identification of Similar Work
There is no direct work in other standards bodies that overlaps with the ESAT TC. There are some efforts by various researchers that look into security considerations for DID authentication using QR codes.
There is work on DID Authentication that will need to be taken into consideration by this TC:
1. Web Of Trust Information: https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md
2. DIF Authentication Working Group (DID Auth WG Charter)
(2)(b) First TC Meeting
The first TC meeting is planned for November 4th. The meeting will be virtual. Meeting time: 1:30 - 3:30 PM Eastern. CVS will sponsor the first meeting.
(2)(c) Ongoing Meeting Schedule
The TC will meet virtually on a bi-weekly basis. Face-to-Face (F2F) meetings will be sponsored by the founding members (Trusona, Digital Trust, CVS, etc.).
(2)(d) TC Proposers
* Abbie Barbir, Aetna, (firstname.lastname@example.org)
* Jason Burnett, (email@example.com)
* John Sabo, (firstname.lastname@example.org)
* Anil Saldhana, (email@example.com)
* Bojan Simic, HYPR, (firstname.lastname@example.org)
* Spencer Yezo, Bank of America, (email@example.com)
* Ori Eisen, Trusona, (firstname.lastname@example.org)
* Hiroshi Takechi, NEC Corporation (email@example.com)
* Lauri Korts-Pärn, NEC Corporation (firstname.lastname@example.org)
(2)(e) Primary Representatives' Support
* I, Abbie Barbir, CVS (email@example.com), as Primary Representative for CVS confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Bojan Simic (firstname.lastname@example.org), as Primary Representative of HYPR Corp confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, David Harte, (email@example.com), as Primary Representative for Bank of America confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Ori Eisen, (firstname.lastname@example.org), as Primary Representative for Trusona confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
* I, Takahiro Kakumaru, (email@example.com), as Primary Representative for NEC confirm that we fully support the creation of the ESAT TC and the participation of our representative(s) listed above.
(2)(f) TC Convener
Abbie Barbir will be the convener.
(2)(g) OASIS Member Section
The ESAT TC intends to affiliate with the IDtrust Member Section.
(2)(h) Anticipated Contributions
1. Diagrams and flows of suggested technical solutions
2. Best practices
3. Security reviews
(2)(i) FAQ Document
(2)(j) Work Product Titles and Acronyms
Chief Technical Community Steward
OASIS: Advancing open source & open standards for the information society