Subject: Minutes for the May 31st Trust elevation call
Minutes for the face-to-face meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
31 May, 2012
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
82 percent of the voting members were present at the meeting. We did have quorum.
2. Agenda review and approval
We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el . The chat room text is included at the end of the minutes.
Abbie asked if there were any additions to the agenda. There were none and we proceeded with the agenda.
3. Approve Minutes
Don made a motion to approve the minutes of May 17 and the corrected minutes of April 17.
There were no objections. The motion passed.
4. Presentation of the results of Kantara Attribute Management Discussion Group (see http://kantarainitiative.org/confluence/display/AMDG/Home ) by Salvatore D'Agostino
Abbie introduced Sal. Sal chaired this discussion group. They have done excellent work.
Sal began by saying a link to the slides is available in the chat room [and above]. There is a link to the full report on the Kantara site. This work has been 6 months in process, and is an area that needs further investigation.
Slide 1, the charter is to look at requirements and do a gap analysis (internal to Kantara and external) and recommend the scope of work. An important part of this is a repository. It has turned out to be a useful tool to get our arms around a very busy space.
Slide 3, attribute management gaps. Sal asked for the TC’s particular areas of interest. He is interested in discussion.
Abbie responded if you present your findings quickly, then we can go into the discussion phase.
The scope of our work is, for a given credential, regardless of the type of the credential, what we can do to enhance our confidence in the authentication in an online transaction. That is, enhance trust in the auth process, so we can say the risk is reduced if we follow steps 1, 2, 3, 4. Peter, do you want to add anything?
Peter replied that definition works for this context.
Sal continued. There are nine areas where we found gaps:
1. Terminology (There are still issues, here, even though definitions exist)
2. Identify Common Core Business Activity (related to 4, attributes and context. – trying to get to some normalization.)
3. Attribute Normalization (how do you normalize things in the wild?)
5. Common Language – Schema & Metadata (recognize is relevant, but there are many others working on this. Higher Ed has been addressing this.)
6. Interoperability Between Protocols (and new ones continue to surface. Not sure if getting better or worse)
7. Trust Frameworks (lot going on here. Idea of confidence or assurance is important. People have been talking about levels of confidence recently.)
8. Designing and Implementing Consent (looked at this, it is important, but didn’t drill down on it. There are many others involved with this.)
9. Governance Around Attributes (general)
Slide on recommendations. This really was a discussion group. We asked questions rather than answered them.
1. Defining Contexts – work more on context. Context is driving a lot of this.
1. Gaps 3, 4, 5, 6
2. Clarify Use. To do context, you need to talk use, which means talking to RP’s.
1. Gaps 2, 8, 9
3. Definitions and General Coordination – space needs coordination. Seems analogous to what NSTIC is supposed to be doing. It isn’t doing it yet.
Peter commented he felt he needs to defend NSTIC.
1. Gaps 1 (and 3)
4. Query Language – we just left this alone – OASIS and W3C are working on it
1. Gap 6
5. Trust Frameworks – looking at how this might relate to attributes and LOC and LOA
1. Gap 7
6. Governance – there has to be. NSTIC will be getting into this
1. Gaps 8, 9
7. Mechanisms – mechanisms for discovery. Is there a public sector version of attribute exchange? Is OIX an attribute exchange? The actual mechanisms of attribute mgt, and exchange. Needs further clarity/definition.
1. Gap 8
Next steps are under discussion. We are looking for comments. We are continuing to build the repositories. We may continue to explore an environmental survey that is broad. We may look at attributes and context and maybe create some catalogue, then maybe quasi normalization and accreditation. That is probably where we go next. We will probably determine this in the next 30 days.
Abbie thanked Sal. That was excellent.
Peter commented that Sal is right. NSTIC didn’t have anything to work from. The decision on the NSTIC secretariat should be announced very soon. That should be up and running by the end of July. The governance entity should be selected and will be asked to get started in July. Second, Keith has been working in this field since 2003 or 2004. They tried to translate eduPerson. He is a good addition.
Sal explained that Keith is the vice chair of the discussion group (Keith Hazelton, Wisconsin/ Madison and Internet2.)
Peter replied it sounds like you went to many of the relevant sources.
Mike Davis commented that in looking over this (I’m from VA and have a healthcare lens) I was surprised there was not much recognition that Healthcare is a leader in the attribute access control area. I’m thinking of HL7 vocabularies.
Sal replied that we are aware of healthcare use cases. We didn’t have anyone from healthcare.
Mike recommended HHS for data segmentation for privacy.
Sal thanked Mike. He will make sure that gets into this. He will make an addition to the repository.
Abbie asked Sal if his group made any assumption on where in the framework the attributes will be aggregated. It seems that the RP will be the attribute aggregator. I can see a situation where a broker would be involved and send a score back to the RP based on the risk level and RP’s risk appetite.
Sal responded the last recommendation around mechanism is a catch all for those things. The federation examples of attribute exchange that we looked at were federation, as opposed to the loose authorization, providers. You are describing a constellation of attribute providers and aggregators. We are aware that that is how this is evolving. We tried not to define things that didn’t exist yet. We left that for next steps.
Abbie asked have you taken any look at if you just aggregate attributes, soon you have huge data sets? Have you looked into logical or other ways (tokens or other payload format) of delivering attributes?
Sal replied that in the group, no. It is an area I have some interest in. There was very little about technology in this. There is a lot happening in the token world now. It is evolving as we speak.
Abbie said in our third deliverable, this is one of the aspects we must look at.
Colin commented on the Kantara site, we dumped a whole lot of stuff into a repository. One of these is presentation on tokenization that was presented at this TC.
Sal replied that is not to say we didn’t put things into our repository. But we didn’t drill into it. To Peter’s point, we tried not to fall prey to boiling the ocean.
Abbie thanked Sal again.
Don said, Sal, before we lose you, you were part of the discussion with the RP’s that gathered at the White House under the NSTIC umbrella; and you also talked with the UK gov procurement team about online identity verification and the work of the Trust-el TC.
Sal thanked Don. That was a nice opportunity. In order for any of this to move from a very specific federation purpose to more general eCommerce or eGov, I think very much what you are describing needs to evolve. What was interesting last week is that there is a pretty wide range of people who are interested in this. People are showing up and putting in effort and funding solutions. We are working on something that hopefully people will use in the very near future and that people need. For any digital strategy, exchange of identity and attribute info is front and center. For anyone wading in, it is difficult. For UK, the fact we are having the conversation, means we are working on the question. The issue is how to move from a general conversation to a tactical one that generates real value. That is a challenge. We have given ourselves 6 months to think about it. Getting to something useful is what all of us want to see. These conversations have been taking place for 10 years.
Don commented that the UK gov procurement, and the idea of moving 30 m citizens online, is going to be a real game changer. The presentation on Trust-el that Mary and Peter made last week to members of the UK team was very well received. They see trust elevation as key to the success of moving large populations online.
Abbie asked Mary to post the Trust-el presentation.
** Action item for Mary to post the May 24th Trust-el presentation.
Brendan had an additional comment. Don and he had a chance to meet with the European Commission about creating a legal framework for the uptake of trust services in EU member
5. Editors update on Second Deliverable (Analysis phase)
**Action item for Anil to let Abbie know when he could present his recent use case. (Probably after June)
Mary explained that the editors have been continuing to work on a structure for the phase 2 analysis. A draft analysis structure was sent to the list yesterday. Feedback and suggestions on the analysis approach are strongly encouraged.
Peter said that what we are trying to do is figure out the appropriate way to move forward to do analysis on the methods from Phase 1. That is why we put together a straw man to get your input. It occurred to me that there is a lot of subjective language in this. What we really need in order to do any valid comparison is to get more precision in what worked better than something else to mitigate risk and assert identity in a trustworthy fashion. So we need some sort of metric besides adjectives. Two options came to mind: OMB 4-04, the four levels of assurance, based on risk. Recently someone sent along the UK risk model which defines 6 levels. Maybe if we adopted one of these, just to use as a ruler, that might give us a head start.
Abbie replied I thought we agreed that we were going to follow 800-63 or ITU-T?
Peter responded, we did Abbie, but that was before the document came out from the UK.
** Peter took an action item to look for the UK doc, and upload it if no one else has it.
Abbie commented that we need to make sure we have permission to do that.
Peter said he is ok with the four levels, using 4 levels may help us with phase 3, but he wants to be open minded.
Mike agreed with Peter, we should leave it open to the various jurisdictions to define their own levels.
Peter commented if we use either the 4 or the 6 level of risk definition and apply those as we ask the questions in the straw man, I think it gives us something to start with.
Mary commented that that approach will help us to operationalize systems.
Abbie commented that if it is not usable, people will find loopholes.
Peter commented that usability is one of the goals of NSTIC.
Abbie pointed out that we are out of time. For next week we need to work on the analysis criteria and maybe look at a couple of use cases from the Identity in the Cloud TC. ID proofing and quality of credential is one entry in the column. We won’t discuss methods of better identity vetting. Our focus is, if someone is using a credential of a particular LOA and if someone is doing assessment online, what is needed to elevate trust, without discussing the quality of the credential at issuance time.
Colin said he is still thinking there is a potential gap or opportunity. With KBA, would there be some guidance we could give, what particular KBA questions would set aside particular LOAs. This is somewhat different.
Peter said I think that one of the things that is explicit in the phase 2 analysis is for us to discuss the relative effectiveness of particular KBA implementations and why some are more effective than the others. We had thought that correlation between these methods and LOAs would be phase 3, when we get to phase 3, you will be in the lead.
Peter replied, Colin, your questions drive a perspective on methodologies for phase 2. It needs to provide the input for phase 3.
Peter said that maybe we should also start looking at planning the next Face-to-face meeting soon.
6. Attendance Update
We achieved quorum.
The meeting was adjourned.
abbie: CHAT ROOM
Passcode: 637 218 8139
Int'l Toll: 1-980-939-6928
abbie: agenda 1. roll call
2. agenda approval
3. approve minutes
4. editors update on Second Deliverable (Analysis phase)
5. Presentation of the results of Kantara Attribute Management Discussion Group (see http://kantarainitiative.org/confluence/display/AMDG/Home ) by Salvatore D'Agostino
Please change your name from 'anonymous' using the Settings button
anonymous morphed into Mary Ruddy
AnilSaldhana(RedHat): can you pass the 800 number please
anonymous morphed into Mike Davis (VA)
AnilSaldhana(RedHat): What is the toll free number for US, abbie?
Shaheen Abdul Jabbar: toll free 1 866 222 6652 for the bridge (US/Canada)
AnilSaldhana(RedHat): shaheen: thx.
anonymous morphed into Rebecca Nielsen (Booz Allen)
Mary Ruddy: Link to presentation http://www.oasis-open.org/apps/org/workgroup/trust-el/document.php?document_id=46143
anonymous morphed into Sal
AnilSaldhana(RedHat): that is the public one
AnilSaldhana(RedHat): Suggestion would be to proceed with what you wanted to.
AnilSaldhana(RedHat): then we can then discuss.
Jaap Kuipers (Id Network Netherlands): About EduPerson, also see http://www.terena.org/activities/tf-emc2/schac.html
Jaap Kuipers (Id Network Netherlands): http://www.terena.org/activities/tf-emc2/schac.html
Massimiliano Masi (Tiani Spirit): I think either me or Rainer Hoerbe can provide some inputs on the healthcare field
Massimiliano Masi (Tiani Spirit): (for european use cases)
Massimiliano Masi (Tiani Spirit): for kantara
Jaap Kuipers (Id Network Netherlands): Have a look at Internet2 Ken Klingenstein http://www.cloudidentitysummit.com/images/presentations2011/3_Klingstein-idcloudsummit-kjk.pdf
Jaap Kuipers (Id Network Netherlands): I will be in Paris
Jaap Kuipers (Id Network Netherlands): Agenda: https://www.eema.org/Data/Documents/SSEDIC_SIIIC_web2.pdf
colin_nz: I know the UK situation pretty well too and we will all learn something out of this procurement. Their message flow sees lots of to and fro between attribute providers so it will be interesting to see how they maintain a good UX through brokering and aggregation techniques.