
trust-el message



Subject: Minutes from April 19th Trust Elevation TC Call


Minutes for the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee call on

19 April, 2012

 

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat 

Bob Sunday

Brendan Peter, CA Technologies 

Carl Mattocks, Bofa 

Cathy Tilton, Daon  - y

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government 

Dale Rickards, Verizon Business

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Ed Coyne, Dept Veterans Affairs - y 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs

John Walsh, Sypris Electronics

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH  - y

Nick Pope, Thales e-Security

Peter Alterman, NIST  - y

Rebecca Nielsen, Booz Allen Hamilton

Rich Furr, SAFE-BioPharma Assn

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp)  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Antonio, Bofa

69 percent of the voting members were present at the meeting.  We did have quorum.

 

 

Abbie discussed the BITS Cybersecurity meeting. OneID Founder Steve Kirsch gave a presentation that included a discussion of how OneID was evaluated against threats. So Abbie would like Steve to present to the TC.

 

2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. Chat room text is included at the end of the minutes.

 
Abbie asked if there were any additions to the agenda. There were none and we proceeded with the agenda.
 
3. Approve Minutes
 
Abbie to a motion to approve the minutes of April 5.
Peter seconded the motion. 
There were no objections. The motion passed.
 

 4. Editors update

We are planning on having a speaker come in to present an industry solution – OneID.  This is a start up started by Steve Kirsch. They have a system where shared keys are used in a registry and distributed to various devices to allow the participating party to log in without a UN/PW.  OneID has a financial services industry customer.  Steve can talk about what it would take to break it.  He has created a matrix of about every type of attack. So this gives us a way to establish a reference model.

There was a discussion about whether it was more important to hear about OneID or to get a legal perspective from the ABA next.

Abbie replied that we need both to jump start our analysis phase.

Mary took an action item to get back to Steve and Tom at the ABA.

Mary provided an update on the first deliverable. A version 1.1 is now available on the TC’s website.  It is still marked draft, but is otherwise complete.  The next step is to formally hold a ballot. She handed the conversation over to Abbie to discuss official approval of the first deliverable.

Abbie wasn’t sure if we need a ballot.  Do we want OASIS to review it?  The TC has to decide. We need to let the world know what we have done. This is our vision. This is where we stop and then move on to the analysis stage.  We could do an OASIS review also. Abbie said he is very flexible here, and asked for input.

Peter asked if there is a standard appropriate approach to go forward that is the OASIS way? Or can we do whatever is most appropriate for the TC?

Abbie replied that we can be flexible. We have followed the OASIS process.  This is not a standard, so we don’t go thru the standard approval process.

Peter said he has already shared drafts 1.0 and 1.1 of the first deliverable with Jeremy and the NSTIC team.  He will get it on the discussion list for next week’s staff meeting. That is an important direction. We are not asking FICAM at this time.  NSTIC is the primary US government location.  We should also ping both Tonys with it and ask them to disseminate it and look for comment. We could send it to Kim C.

Abbie said we can ship it to the Identity Commons list.

Abbie made a motion to try to spread the word of the first deliverable.  The request is to share it with NSTIC, ITU-T, Kantara, IDC, OIX and other experts in the Identity space.

Peter seconded that.

Abbie asked if there were any objections.

There were no objections.  The motion passed.

Shaheen suggested that maybe we should take it to BITS.

Shaheen said the latest version is good for us to start socializing with our organization.

We can definitely ask IC2 to review. And see if they have any comments. 

Abbie asked, also CSA?

Peter replied sure.

 

5. Peter Alterman and Don Thibeau to lead discussion on Second Deliverable (Analysis phase)

Peter said the real question is funding. Abbie and I have been working on a draft of a funding request for the phase 2 analysis. The plan is to hire someone to do an analytic study of the phase 1 document and come up with a fairly substantive review of how these methods work and what processes and procedure they rely on. How effective can they be, and lowered risk levels associated with various implementations. All of these things need to be worked out. The first thing we need to do is create a method of doing the analysis and apply that to the document.

We need a new editorial team. I would like to see this move fast as we are already generating some buzz. The review of the proposals for the government secretariat committee grant out of NSTIC, will be done around the end of this month, which is ahead of schedule.  It should be selected by the end of May, and we really need to have a head of steam up as the steering group is put in place.  So there are three things going on:

1)      Finish funding submission and get it to the idTrust steering committee.

2)      Make a selection for a contractor.

3)      Put together an analytical methodology and refine that.  We need to identify a format for the draft of the second deliverable.

Abbie said we started with the mission of discussing what trust elevation is.  Within the analysis stage we should revisit if we are really happy with our definition.

Abbie commented so we should revisit that definition and the various categories of 5 factors. Another aspect to consider is do we need to assume a trust pipe model? We know there are multiple models. We can jumpstart by assuming one trust relation. The trust includes A,B,C,D. For example Trust-el in the context of an interaction means x, then build up to multiple IDPs, or maybe a trust broker entity.

Or we can just say theoretically when A and B are combined we have one less check box in vulnerabilities. We need to define the approach so we don’t go in a circle.

Peter commented that it sounds like we are arguing for a use-case based approach as opposed to an ontological approach.

Abbie replies that he is not arguing for anything, as long as we have an approach.

Peter wants to avoid conflict at this stage.

Abbie said we can take multiple directions in sequence.

Peter said the goal is to create a document that serves the purpose that we need it to serve.  We need to do two things in parallel: a request for resources ASAP, and at the same time, we really need to work on a methodology or approach.

Abbie asked would the editors of the first deliverable take on the analysis?

Shaheen asked if the second deliverable is more technical. Most of us are engineers or architects.

Abbie said that yes, you can do phase 2.  Professional help will provide part of the effort.  All the editors don’t need to be engineers. There are other editors’ roles.

Abbie said his request first is to have continuity of the editorial team and jumpstart phase 2.

Abbie noted that we are waiting to hear from Brendan.

So we should have submitted a funding request in the next week.

Abbie said he wants to have someone volunteer to draft a process methodology in writing.

Abbie asked if Dale was on the call.

Mary replied no.

Abbie commented that the TC should ask Shahrokh. He is addressing some vulnerabilities and could provide input to the analysis methodology. We need some of those submissions quickly for the next step. Then from those, we can start deciding what we want to do.

Pete volunteered to work on it.

Abbie said he wants the approach contribution in writing, so people can respond to it.

Abbie summarized so Peter and Shahrokh can jumpstart this.

Mary also volunteered.

Abbie commented that if we get a presentation from OneID, we don’t want marketing, we don’t want a demo (can have demo on own if want.)  We need a description of how to elevate trust and a methodology for analysis. He may also be able to help us in stage 3.

Abbie said we have done enough for today’s purposes.

He asked if there were any additional topics. 

Mary raised the issue that our next TC call would normally be on May 3 and that we may not have many people due to a conflict with IIW.

Abbie said maybe we should cancel the May 3rd meeting and have an optional meeting at IIW if we can negotiate a room with a phone. Then we can have an unofficial TC meeting with no IPR. Maybe we put the task on Mary and Don to provide a summary of the phase 1 method list and start getting guidance on the analysis stage so we can get the community feedback on expectations for the analysis phase.  Then we can continue with our guest speaker on May 17.

Abbie asked do I have a motion to cancel the next meeting and replace it with an optional time slot, whereby Mary and Don will put a session on the IIW agenda to review the first deliverable and discuss the analysis stage.

Abbie asked Peter if that was a good plan.

Peter said he won’t be able to be there in person.

Abbie said this was an opportunity to get feedback from some of the high caliber people that are always there.

Mary and Don took action items to hold a session at IIW.

6. Attendance Update

We achieved quorum.

7. Adjournment

Don asked if we had a motion to adjourn.

Peter moved to adjourn.

Shaheen seconded it.

The meeting was adjourned.

 

>>>>>>>>>>>>>>>>>>>>>> 

anonymous morphed into Mary Ruddy
abbie: Agenda
abbie: 1.  roll call
 
2. agenda approval
 
3. approve minutes
 
4. editors update
 
5. Peter Alterman and Don Thibeau to lead discussion on Second Deliverable (Analysis phase)
 
6. roll call
 
7. conclude

 

 


