[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Corrected minutes for 6-28-12 call
Minutes for the face-to-face meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
June 28, 2012
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
50 percent of the voting members were present at the meeting. We did have quorum.
2. Agenda review and approval
We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el chat room text is included at the end of the minutes.
Don proposed an addition to the agenda on potential liaison opportunities.
Shaheen commented that that sounds interesting.
Hearing no objection, the topic was added to the agenda.
Don began by explaining that members of organization of UK cabinet office recently met in DC to provide an overview on a series of UK procurements. These procurements involve a substantial opportunity to learn about trust elevation and online identity. In DC, we (Peter, Mary and I) briefed the cabinet office team about the Trust elevation TC activities, and their response was very positive. They followed this meeting with a request for more information and an offer to brief this group on plans initiated in London. We have an option to schedule a briefing by the UK team in next several weeks. One of the opportunities is to have a UK effort to TC information exchange. But we are also exploring how a formal liaison between the two working groups forming under OIX/UK and the TC would be mutually beneficial. I believe it would be an opportunity to look at identity at scale. The UK initiative concerns the exchange of identity attributes for trust elevation for 20 to 30 M people for pension benefits. This is trust elevation in real time in the near future, at scale. The action item is Mary and I will consult with Abbie and OASIS, as appropriate, to see what the benefits might be of a formal liaison association between this TC and the two OIX working groups related to the UK project (Don will be in UK next week) and also for Abbie to give us some feedback.
**Action item for Mary and Don to follow-up with Abbie about UK liaison relationship.
Abbie will work on it.
Don offered to answer questions now or off line.
Cathy commented in that liaison relationship, usually there is a person or 2 to act as the liaison. Do we have any candidates for that?
Don replied no, but be careful what you ask for. I was going to defer to Abbie for those details on how best to organize that action.
Colin commented that it seems like a good idea. What liaisons do we have?
Don replied, I believe, Abbie correct me, the ITU- OITF effort.
Abbie responded, Don, we do have that. We don’t really need to appoint someone. We can just say we established the relationship and then share information. We don’t need a person, but if someone such as Cathy wants to volunteer…
Cathy replied, I wasn’t looking to volunteer.
Abbie continued, if there are no objections, I will start the paperwork. Once we have the ballot approved, we can formally approve the liaison.
Abbie made a motion to establish a liaison with the OIX/UK branch of UK effort.
Mary seconded the motion.
Abbie asked if there were any amendments or discussions, and there were none. He asked if there were any objections, and there were none.
The motion was approved.
3. Approve Minutes
Gershon made a motion to approve the minutes of June 14.
Cathy seconded. He asked if there were any objections. There were no objections. The minutes were approved.
5. Editors update on Second Deliverable (Analysis phase)
Mary started by explaining that the editors have been iterating on an example analysis of the end point identity method that Peter had drafted. The next step is to further iterate on the analysis. Mary read from the example that had been sent to the list and pasted into the chat room [formatting was lost in the chat room version.]
Colin commented that it sounded like it was heading in the right direction.
Dale asked if we have this assurance level impact profiled based on the initial credential from the identity provider.
Mary responded that that was a great question. She talked about the method supporting combinations that included hard tokens, so it could impact multiple levels of assurance.
Cathy asked is the person implementing the method a part of the use case? She commented that first blush one can have a single method handled in some cases by the RP and in other cases, depending on the app and how it is implemented, it may handled by the identity provider. Is seems these are both important, but not as tightly bound. So the entity performing the method is an important detail. Do others have input on this issue?
Colin commented that yes, it is worth explaining.
Mary asked that any additional feedback be sent to her.
Cathy asked if we were going to include more details in the example.
Mary said we hope to make the use cases as general as possible.
Mary asked if there were other comments. Are there other dimensions needed for next stage of analysis or stage 3? We know we need to address the issue of the impact on LOA.
Colin responded that we need a little more done.
Mary replied that we know we aren’t done. We just need more feedback.
Colin commented that is a good question to put on the list.
Don commented that I think we are ready to move on to the next agenda item. I think the direction we are taking is exactly on target.
6. Attendance Update
We achieved quorum.
Don made a motion to adjourn.
Dale seconded the motion.
The meeting was adjourned.
Mary Ruddy: Agenda
1. roll call
2. agenda approval
3. approve minutes
4. Editor discussion on Second Deliverable (Analysis phase)
anonymous morphed into Suzanne Gonzales-Webb
Don Thibeau Open Identity Exchange : Mary, Abbie et al -- As per our discussion-- this is to share with the group our plans to investigate a liaison with the OIX Attribute Exchange Working Group and OIX UK IDA Working Group
Don Thibeau Open Identity Exchange : I will act as the TC liasion
Mary Ruddy: Are there implementation requirements for improving trust? If so, what are they and why are they necessary?This method assumes that there is a persistent one-to-one relationship between the login data and the device used at the customer end. Moreover, there is the possibility of aliased device ID for each user addressing shared devices challenge. Besides per user device ID, a per service/app device ID to segregate the device identity provisioned for a financial institution from a social network or content provider. Prior registration of that relationship could improve trust, since that information could serve also as a shared secret. Agreement by the user not to share the device could improve trust, perhaps, by providing some confidence that no other user's login credentials were affiliated with that device. Because users do sometimes change devices and devices are not always exclusive, this method can result in too many false negatives, unless as we have noted above, there is a unique binding of the user to a distinct device identity and service. In many cases, such as use of a family computer by many members of a household or as a public kiosk, this would be impractical.
Are there privacy and/or confidentiality issues engaged when using the method, such as user consent for attribute release/exchange? Are there reasonable solutions for potential privacy impacts?Since the method does not engage the customer in the exchange of information, he or she may not be aware that the device attributes are even being sent. Mobile devices particularly can expose PII. Explicit consent for release of device data should be a prerequisite of application device query. If the device identity of each service is aliased and is unique, privacy risk is significantly reduced
What are the usability issues when using the method? Are there reasonable solutions for potential usability impacts?This method is particularly well-suited to customer usability as it requires little or no user interaction for the typical session. This method is typically used in conjunction with an additional method such as relationship-based KBA.
Just for grins, Ive added the M 04-04 risk/assurance table. It continues to make perfect sense.
Table 1 Maximum Potential Impacts for Each Assurance Level
Assurance Level Impact Profiles
Potential Impact Categories for Authentication Errors 1 2 3 4
Inconvenience, distress or damage to standing or reputation Low Mod Mod High
Financial loss or agency liability Low Mod Mod High
Harm to agency programs or public interests N/A Low Mod High
Unauthorized release of sensitive information N/A Low Mod High
Personal Safety N/A N/A Low Mod
Civil or criminal violations N/A Low Mod High
Don Thibeau Open Identity Exchange : As per liaison with the UK Title: OIX UK Working Group meeting - TO CONFIRM
Description: TO CONFIRM ARRANGEMENTS (after a number of queries):
1. The meeting Tony Fish has posted on Huddle at this time is the next OIX UK Working Group meeting.
2. There is a small fee to cover the hosting costs of the Innovation Warehouse.
3. We will put up proposed sessions on the Huddle Whiteboard prior to each meeting.
4. Each month there will be one OIX UK WG meeting at Innovation Warehouse and one at another venue.
When: 7/3/2012 12:30 PM - 7/3/2012 5:00 PM
Location: Innovation Warehouse, 1 East Poultry Avenue, London, EC1A 9PT
Don Thibeau Open Identity Exchange : the UK Government POC is firstname.lastname@example.org