trust-el message
Subject: Corrected minutes for February 9th TC call


 

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

9 February, 2012

 

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat -y

Bob Sunday – y

Brendan Peter, CA Technologies

Carl Mattocks, Bofa 

Cathy Tilton, Daon

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y

Dale Rickards, Verizon Business   

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Ed Coyne, Dept Veterans Affairs - y 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam   - y

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs  - y

John Walsh, Sypris Electronics

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Lucy Lynch, ISOC - y

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH  - y

Nick Pope, Thales e-Security

Peter Alterman, NIST  - y

Rebecca Nielsen, Booz Allen Hamilton - y  

Rich Furr, SAFE-BioPharma Assn

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp)  - y

Tony Rutkowski

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

66 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

 
Abbie asked if there were any additions to the agenda. There were none and we proceeded with the agenda.
 
 
3. Approve Minutes
 
Mary made a motion to approve the minutes.
Shaheen seconded the motion.
There were no objections. The minutes were approved.

 

4. Presentation by Jeff Stapleton (BofA)—“financial global Standards”

http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

Completes analysis for first deliverable.

 

Abbie was pleased to introduce his colleague Jeff Stapleton and asked Jeff to introduce himself.

Jeff thanked Abbie. He has been with BofA for ~2 years. Prior to that, he worked at MasterCard and KPMG. He has been involved with ANSI and ISO standards for over 20 years. He has helped to develop several dozen ANSI standards, so he has had to learn how standards interact and are interpreted.

Slide 2, agenda. Jeff will give an overview of domestic and international standards groups. He can’t list them all, as there are so many. Then he will talk about the standard consensus process, then the security areas and things going on now in the financial services industry and some working group content.

Slide 3: the blue box shows the formal organizations, those that have recognition at the country level.

ISO is the name, as in the Greek root of isomorphism. It is not an abbreviation. There are 172 countries and 248 technical committees, and ~3000 standards. Countries are members of ISO. To be a full member, a country must have a standards body. ANSI is the US member. He wants to talk about TC68, for the financial services industry, founded in 1948, with 63 countries participating, 11 subgroups and 50 standards.

IEC is another recognized organization founded in 1987. This is where IT standards are developed in JTC1.  85 countries, 19 subgroups and 357 standards.

CEN is the standards body for the EU. It is recognized by ISO as a standards body. It has a relationship with ISO but is not a direct member, as it is not a country.

ANSI doesn’t actually produce standards; it accredits other standards bodies, for example X9. ANSI is the TAG into TC68 and is its secretariat, so the US is running TC68.

INCITS is the TAG into JTC1 for the US.

There are many other bodies that are internationally recognized that are not part of this. For example, IETF isn’t ISO recognized. PCI is another example. NIST is a government agency in the US. It has a dotted line to ANSI. NIST is a recognized standards developer, but not all of NIST, just part.

OASIS is well recognized as a standards body, but doesn’t have a formal membership in ANSI or ISO, though it plans to change that.

Abbie commented that OASIS is an approved submitter for ISO. It can submit a document as is with a cover page. This is for a fast approval process. 

Jeff commented that the bottom of the slide has more details. The numbers are a couple years old.

So that is an overview of who these organizations are, the interplay between them, and where interplay is not happening.

Slide 4 walks you through the ISO approval process. ANSI has adopted the ISO process, but sometimes the terminology changes; this is the ISO terminology. First it needs to be assigned a number. You need 5 board-level sponsors to submit the new work item. Once it goes through the ballot process and gets approved, then it is a working draft. It might just be an outline or scope, but could also be a draft document. Once it gets to a working group, they work on the draft and debate. In the process of doing that, they have to resolve any comments. Countries can approve it, or submit comments. Comments must be fully addressed. When ready, it goes to committee draft ballot.

In the X9 world, it goes to subcommittee and full committee ballots. Once approved as a committee draft, it goes through several drafts. Once you get a draft to committee level, the technology is agreed on and you are getting to editorial issues. If there is a technical change at this stage, you need to go back and do another committee ballot.

Once through review or draft ballot, you need to address comments. ISO has one more ballot, then it is an ISO standard ready for publication. In the US, once you have an American standard, it is often submitted back. It can be submitted at various levels. ISO can accept it at any of the levels. Sometimes most of the work is done in ANSI, sometimes in ISO. So this process is fairly fluid.

Peter asked whether any standard ever gets passed; this must take years.

Jeff responded that the average is 2-3 years. He has seen items take 5 years. He has seen some accelerated to 18 months, but this is rare.

Peter wondered how useful that is in advancing the state of the art.

Jeff responded that they can pre-publish draft standards, and sometimes organizations benefit from implementations based on that. Sometimes technology has been produced and someone wants it formalized.

On the issue raised: once a standard is published, it automatically comes up for review every 5 years. A standard can also be updated more frequently, as appropriate.

Colin commented that these standards are typically for sale. You have to buy them, not just use them. The organization that produces the standard owns the copyright.

Rebecca asked how that works if the country publishes a standard. 

Jeff said that when the country brings the standard into ISO, ISO owns the copyright. Usually the country then withdraws its standard and supports the ISO standard. Sometimes when an item is submitted to the ISO process, things in the standard change. Sometimes the submitted standard doesn’t agree with the ISO adopted standard. Sometimes the US puts in a comment “this is not appropriate for the US.” Sometimes the US maintains its own independent standard.

Slide 5: Jeff said he tried to organize security areas. On the international side, he tried to identify what technical committee and subcommittee is working in that space. In three columns, he has identified which US subcommittees are working on things in that area. This list isn’t exhaustive, but will give you an idea of the work being done and of the complexity of how some of these things interact.

Slide 6 focused on X9F activities. This group is working on algorithms. Most of this group are PhD mathematicians and cryptographers. There is a lot of interplay with NSA and NIST.

Slide 7: XF4 is more applied. It looks at key management, message syntax and PKI standards, biometric security standards, and wireless in mobile space penetration.

Slide 8: X9F, credit card or debit card issuance. This includes smart cards, PIN security and the corresponding key management and cryptographic devices. He tried to show how this flows into ISO standards. There are a lot of vendors in this group.

Slide 9: for authentication standards he tried to list existing standards. There are password standards. We don’t have any ANSI or ISO standards on passwords, but passwords are used by almost everyone. There were FIPS standards, but they were withdrawn. 800-61 does have some material. The only official standard on passwords he could find was in an old green book.

Abbie wondered what Microsoft and Google do. Microsoft recently shared information on strong passwords.

Jeff said that every organization has policies on password strength. Yet there is no standard he can find. If someone knows of one, he would like to hear about it.

Peter has heard this point made for several years now. All the rules are generated by ad hoc responses to hacking. 

Rebecca commented that passwords are a threat, no matter what they are made of.

Peter commented that part of our life work is to kill off passwords.

Abbie said this is one of the goals of the TC.

Slide 10 is a list of cryptographic standards.

Slide 11 is key management standards.

Slide 12 is app security standards.

Slide 13 has URLs for references. Includes all the FIPS documents.

Jeff asked for questions.

Abbie thanked Jeff. This is very interesting. This is an overview of all the work we should reference on one side. Part of our group strategy is to look at means to elevate trust by trying to map between various trust levels. When you are developing within TC68, when you do authentication, what kinds of threats do you consider and how can you build confidence?

Jeff responded that X9.117 was where they tried to address this for the financial services industry. He also mentioned 800-63. They looked at those 4 levels. The problem is they are designed as 4 levels, but the group felt they didn’t map directly to financial services, so they came up with their own 4 levels. The financial services industry is very risk-based oriented. They worry about privacy, theft and ID fraud. That would suggest we also look at that standard. Within ISO itself, there was some work in SC27, and Colin has been contributing to 29115 (X.1254).

Abbie commented that what Jeff said raised a flag if you are using different levels. We need to look at that. At the end of the day we are hoping to support a networked system with mappings between levels. So we need to understand what in 800-63 is not acceptable.

Abbie asked if Jeff looked at 29115 as part of his balloting.

Jeff replied that they ran into two problems. They did have a representative but lost that connection when the representative retired. They were further along in their process. They went through the 117 process last year and were ready to publish. Then FFIEC came out with their revised guidelines. So they waited 6 months, looked at the FFIEC terminology and their own standards, and needed to do a mapping. So they updated 117 before proceeding. It has now gone back through the ballot process.

Abbie commented that potentially we can slow it down.

Peter commented that he thinks the way to do it is to take the draft and do the gap analysis.

Abbie said the problem is we need a liaison to send it to us to be official.  So between Jeff and himself we need to find a way to get the draft standard formally.

Jeff said he was not aware of a formal liaison between that group and the OASIS TC.

Abbie asked if Jeff could send it to him in 29115.

Jeff said he didn’t know. 

Abbie said that to establish a new formal liaison would take a year.

Jeff said he could provide an unofficial copy.

Jeff and Abbie agreed to take this off line.

** Action item for Jeff to follow-up on official access.

Abbie commented that this is important and we need to be consistent with the financial services industry standard.

Jeff agreed.

There was a question about what is happening in consumer auth.

Jeff said he has been working on that. There were a lot of vendors that thought their solution was the best. The problem is that when you do debit on the Internet, with or without a PIN, you bump up against the PIN management standard. Not everyone has a tamper-resistant PIN pad at home. For non-PIN debit transactions, they haven’t gotten too far down this path.

Jeff was asked if there was a standard for the life cycle of identities.

Jeff responded that this was proposed to be included in 117, and the working group decided that it was too big and removed it to narrow the focus. There is nothing in X9.

Jeff said in 117 they assumed the customer relationship has already been established. The Financial Services Roundtable, BITS, has done some work in that space.

Abbie asked to put BITS on the list. BITS runs identity management stuff for financial services.

Jeff said FSTC did some of the pre-work and was part of the roundtable, and now BITS.

Abbie said we will have an analysis group, maybe led by Mary. Mary, the gap analysis could be done by one person, then we present the gap, and this could be posted on the OASIS site.

Jeff said 117 has been submitted for its formal X9 ballot. That is only 30 days, so it will be published soon anyway.

Abbie said to let him know if there are more questions for Jeff. We are out of time.

Abbie thanked Jeff.

Abbie commented we don’t have time for a detailed update from the editors.

The Identity in the Cloud TC has asked for volunteers to share what they are doing. If you are willing to present this at a meeting, let me know.  I can’t do it as I’m traveling. Please send media and I will hook you up with Anil.

Abbie said that with respect to the F2F meeting at NIST, if you want to attend, NIST needs to know your name and if you are a non US citizen.  If you aren’t a US citizen, there is extra paperwork that needs to be done.

Mary said she would send the mailing list a list of what information needs to be provided to attend the F2F at NIST.

Abbie asked that she also include a link to the NIST registration.  He commented that he is Canadian.

Mary agreed.

Abbie said Shahrokh of Intel is scheduled to present on endpoint method examples on the next call.

 

5. F2F meeting details update.

Abbie said there will be a few method examples based on level of LOA.  He asked the group to think if we need to have more on end point security.  This is very important.

The plan is to have the draft be really stable so it can serve as a foundation for the F2F. He hopes to have the first deliverable complete a week or 2 after the F2F. Then we can focus on really moving forward.

Abbie commented that for the next meeting, he will be in Geneva for ITU-T, so he may have a conflict and have someone else chair the meeting. We can use the same access code.

 

6. Mary and Editors to provide an overview of Committee Draft of first deliverable

(http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php?folder_id=2598)

Mary commented that the latest version is available above.  The planned schedule is as follows:

Date              Event/Action Description

12-Jan            Draft 0.15 was posted to OASIS

26-Jan            Verizon presentation to TC

9-Feb             Bofa presentation to TC

13-Feb            Around this time, when significant delta, post new version

                  Two weeks to review and respond before RSA

Feb 27-March 1    RSA

                  Post near final first deliverable by Sunday March 4

                  10 days to review

March 14-15       Next F2F

31-Mar            Final first deliverable (adjustments based on F2F discussion)

 

 

7. Attendance Update

Anil, Peter and Shaheen were added.

Abbie commented that by the end of the next F2F we want to have something to approve and start working on the second deliverable.

Abbie noted that it was 11:00.

8. Conclude meeting

Abbie asked for a motion to conclude.

Mary moved to adjourn.

Rebecca seconded it.

There were no objections.

The meeting was adjourned.

Shaheen asked if there was a way to tell what things had changed in the draft. 

Mary commented that change bars don’t work well in Word for numbered lists.  She said she would mark the methods that are new and that are core vs. peripheral examples.

>>>>>>>>>>>>>>>>>>>> 

Chat room log

Please change your name from 'anonymous' using the Settings button
anonymous morphed into Mary Ruddy
abbie: CHAT ROOM
 
http://webconf.soaphub.org/conf/room/trust-el
 
anonymous morphed into abbie
abbie: CHAT ROOM
 
http://webconf.soaphub.org/conf/room/trust-el
 
 
 
1. Roll Call
 
2. Agenda review and Approval
 
3. Approve Minutes
 
 
 
4. Presentation by Jeff Stapleton (BofA)financial global Standards
 
http://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php
 
 
 
5. F2F meeting details update.
 
Next meeting presentation on endpoint uses cases by
 
Shahrokh Shahidzadeh,  Intel
 
 
 
6. Mary and Editors to provide an update of Committee Draft 
 
7. Attendance Update
 
8. Conclude meeting
anonymous morphed into Lucy lynch
AnilSaldhana(RedHat): Slide number right now?
Jaap Kuipers (Id Network Netherlands): slide 3
Jaap Kuipers (Id Network Netherlands): What happens in X9.122 Consumer Authentication?
Jaap Kuipers (Id Network Netherlands): bits
abbie: BITS
Jaap Kuipers (Id Network Netherlands): financial security round table
Shahrokh-Intel: these two questions are very good questions, can u please capture the answers in meeting minutes on lifecycle and reprovisioning as well as the online debit card and actually we bring in for discussion as a 15-30 minute individual discussions
Colin Wallis (NZGovt): http://www.bits.org/
AnilSaldhana(RedHat): Mary, could you add me to roll please
 