
trust-el message


Subject: Minutes for 7-12-12 call

Minutes for the face-to-face meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

July 12, 2012


1. Call to Order and Welcome.


2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)


Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA Technologies 

Carl Mattocks, Bofa 

Cathy Tilton, Daon  - y

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government 

Dale Rickards, Verizon Business - y

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange  - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen – y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam - y  

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST   

Lucy Lynch, ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons - y

Massimiliano Masi, Tiani "Spirit" GmbH

Nick Pope, Thales e-Security

Peter Alterman, NIST  - y

Rainer Hoerbe

Rebecca Nielsen, Booz Allen Hamilton 

Rich Furr, SAFE-BioPharma Assn

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp) 

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

64 percent of the voting members were present at the meeting.  We did have quorum.



2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el (the chat room text is included at the end of the minutes).

There were no additions to the agenda.

3. Approve Minutes

Abbie asked if there were any objections to approving the minutes of June 28th.
None heard, the minutes were approved.


4. Update from the UK government on applications of trust elevation to real world environments with an intro by Don.

Don sees opportunities where trust-el is core to the application. He wants to make sure the TC is advising and receiving feedback from such projects. Many of the companies in the TC are involved in such initiatives.
Don was in the UK last week.  He is going to provide context and David will join at 10:15 and talk about how his efforts relate to the different procurements and how respondents to the procurements will be proceeding.
Don commented that for the liaison relationship between the OASIS TC and the UK gov what we would like to do is clear away in advance any IP or legal requirements. I trust Abbie that that is part of the liaison relationship? 
Abbie said he will put it on the table for the OASIS board meeting at the end of the month.  We already have approval at the TC level. So he can do that.
[We were notified that David Rennie needed to reschedule his participation.]
Don said he also wants a relationship with the NSTIC funded pilots that are yet to be announced. Is that a useful thing or contentious?
Peter said that, having been away for a couple of weeks: we don’t know yet what is being funded, or if there is a play there; we also don’t know when it will be announced (on or before Sep 30); so we shouldn’t sit around and wait.
Don commented that he didn’t mean to suggest we should wait.
Peter said that from an OASIS context that makes sense. One thing we do know is none of the NSTIC pilots are tightly connected to UK.
Don commented that in both the UK pilots and procurements and NSTIC, trust-el will be an important element.  
Abbie said let me switch gears. I have one question. That is food for thought. I can give you one use case that we are working on internally in the bank. When we look at a Windows machine, where usually a smart card is used for multi-factor at the desktop, eventually as part of the workings an internal gateway swaps a Kerberos token for an SSO token. One of the difficulties is that if you use a user name/password or other approach you still get a Kerberos token, and the system doesn't tell you the LOA used to generate the token. This is one limitation for our TC. If you don't know the assurance level of the first token, so that you can't piggyback on assurance levels and exchange tokens, we have a problem with trust-el.
Peter commented I think you are buying trouble. We should take it stepwise: first identify, second analyze, and third line it up with the LOA.
Abbie replied that part of the analysis should identify use case limitations, such as his Kerberos example.
Don said he is torn between Peter’s suggested scope creep comment and coming up with something that is truly an end-to-end transaction.
Abbie commented that in an ecosystem of trusted exchange we worry about how attributes are aggregated to elevate trust. It can be a 1-to-1 relationship based on the last source of the token, or the elevation route is encoded so we have visibility on the whole chain (an accumulated event). I think what is in scope is how far back we should look into the method. What is the scope? Is it across one token or multiple tokens?
Shaheen said if you go with what you want, it can also help with fraud monitoring.
Don welcomed Peter back.

5. Editors update on Second Deliverable (Analysis phase)

Mary started by explaining that the editors have been iterating on an example analysis of the end point identity method that Peter had drafted. The next step is to further iterate on the analysis.
There are two additional updates that have been identified.  One is to indicate which party is performing the trust-el.  The other is to indicate if the method can be used to elevate an LOA.  We could use a matrix of starting LOA and LOA after applying the method.
Peter commented that we haven’t got a lot of comments on the sample analysis.
Mary commented that we need more example analyses to take the analysis format further. 
Peter remarked that there are ways to go forward and take a short cut.
Abbie commented that a lot of enterprises are using Kerberos. It is here to stay. There is a lot of effort at the enterprise level.
Peter said he has personally seen Kerberos make life so complicated that it had to be superseded. For purposes of the phase 2 analysis, we could talk about elevating trust from some to substantial trust and track that across to the risk mitigation language, i.e. from mitigating modest risk to substantial risk.  This is the sweet spot for business.
Peter remarked that there are some places where trust elevation isn’t a viable model. We could make the perfect the enemy of good.
Abbie commented to Peter that he accepts his argument. At MIT, they have an alliance for Kerberos. They are looking into means of applying LOA. We can send them a liaison. We may have use cases that require one to express LOA via Kerberos.
Peter replied I really like that strategy.  Let the MIT guys work on Kerberos. They know it inside and out.  They have a legitimate reason to buy into what we are thinking about.
Abbie commented that we need to move faster on the second deliverable. What would we need to do to move on it faster? What would it take to ignite the analysis stage?
Mary commented that we need to agree that the analysis format is complete before we do high volume analyses. We need to perform a few more sample analyses to validate the approach.
Abbie asked do we need a face-to-face meeting?
Peter replied we don’t need a F2F yet. We should wait until we are further along. We need people to man up. Can we assign people to methods? Mary did a pass on this.
Shaheen volunteered.
Abbie replied that he has been traveling and is out for the next two weeks.
Peter said we should update the sample and take it to the whole TC so we can get bids on which method people want to analyze.
**Action item to update the first example method and send it to the list with the list of currently assigned methods and ask for volunteers to do unassigned analyses.
Abbie commented that his job for the next two weeks is to work on trust-el internally. He is getting all sorts of vendors to explain what they do. Internally we want to get rid of UN/password.
Peter commented that we need to be there ahead of the lawyers.
Abbie said we need to ignite this TC so we can move this forward and start the third deliverable.

6. Attendance Update

We achieved quorum.


9. Adjournment

The meeting was adjourned.


Mary Ruddy: CHAT ROOM
Passcode: 637 218 8139
Int'l Toll: 1-980-939-6928
Mary Ruddy: Agenda
Mary Ruddy: 1.  roll call
2. agenda approval
3. approve minutes
4. update from the UK government on applying notions of trust elevation to real world environments.
5. editor discussion on Second Deliverable (Analysis phase)
6. conclude
Dale Rickards morphed into Dale Rickards (Verizon)
Cathy Tilton (Daon): Are we still on?  I think my connection may have dropped, but can't tell for sure.
Don Thibeau Open Identity Exchange : Mary for your notes and Abbie -- If it is helpful to securing the liaison relationship between OASIS Trust El TC and the UK Government IDAP - please identify me (Don Thibeau) as the "liaison" POC
Jaap Kuipers (Id Network Netherlands): On LoA I owe you a link to a document from the Dutch Government http://www.forumstandaardisatie.nl/fileadmin/os/publicaties/HR_Betrouwbaarheidsniveaus_EN_WEB.pdf


