Notes from Sep 9 TC call

Minutes for the face-to-face meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

September 9, 2012

1. Call to Order and Welcome.

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

Abbie Barbir, Bank of America

Anil Saldhana, Red Hat

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa

Cathy Tilton, Daon - y

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government -y

Dale Rickards, Verizon Business - y

David Brossard, Axiomatics

Dazza Greenwood

Debbie Bucci, NIH

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen - y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam

Jeff Broburg, CA

John Bradley

John "Mike" Davis, Veteran's Affairs - y

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST - y

Lucy Lynch ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons – y

Massimiliano Masi, Tiani "Spirit" GmbH - y

Nick Pope, Thales e-Security

Peter Alterman, NIST - y

Rainer Hoerbe

Rebecca Nielsen, Booz Allen Hamilton

Rich Furr, SAFE-BioPharma Assn

Ronald Perez, Advanced Micro Devices

Scott Fitch Lockeed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y

Shahrokh Shahidzadeh (Intel Corp)

Suzanne Gonzales-Webb, VA

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.

William Barnhill, Booz Allen Hamilton

67 percent of the voting members were present at the meeting. We did have quorum.

2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el chat room text is included at the end of the minutes.

Mary asked for additions.

There being no additions, the agenda was approved.

3. Approve Minutes

Mary asked the TC approval to approve the minutes from the last meeting.

Gershon moved to approve the minutes.

Cathy seconded the motion to approve the minutes of August 23.  There were no objections. The minutes were approved.

The next F2F is confirmed for October 9 in Washington DC.

The event will be from 8:30 AM to 5:00 PM.  (The official start is 9:00, doors open at 7:30).

The location is CA’s new office at 607 14^th street (between F and G streets.) Thanks again to CA for hosting.

4. Editors update on Second Deliverable (Analysis phase)

For this call we reviewed a new analysis: Behavior habits – browsing methods, which is now available at   https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php?folder_id=0

Mary walked thru the document.

Mike commented that he viewed privacy invasion as an issue in this particular method.

Mary replied that it could be possible to design this method so that it didn’t collect information that would be valuable outside of the context of the website using the method.

Mike replied that there is huge potential for using the information for marketing purposes and sharing it.  There is an incentive to collect information to sell and they are likely to sell it.

Peter considers it offensive and undesirable and widely in use.

Jaap says Forrester summed up some of the packages in a report and addresses some of these things.  See Forrester Wave report from February on risk based auth.

Cathy said she is also interested in that.

Mary commented that a few years ago there was a company that claimed it could determine a user’s age cohort by the way the user moused over links.

Shaheen commented that false positives are an issue.

Jaap agreed that the concept is squishy.

Peter commented that he liked the conversation

Shaheen asked do we know what kind of tools can be used to capture this information. From a usability point of view, _javascript_ depends on browser compatibility issues.

Peter commented that we need more research

Mary said she would look for information on specific vendor implementations

Cathy asked a question about the template.  There is a question about which party is performing the method. It seems vague. In many protocols there are different components: the person responding to the challenge and the verifier.

Mary replied the original intention was to differentiate between methods implemented by the RP and methods that used a third party.  We have repeatedly changed this question as we learn more from performing the sample analyses.

Cathy commented that many of the other methods could be used in multiple configurations.  So often, it could be either.

Mary replied that we need to continue to evolve this question.

Cathy asked do you mean who is performing the method.

Mary replied yes.

Shaheen asked about his analysis about the context method.

Mary said that it had been discussed in a previous session.  She thanked him for being a guinea pig.

Mary asked if there were any more questions.  Since there were none, we gave the TC their time back to work on the analyses. For the next call we will review two additional new analyses.

>>>>>>>>>>>>>>>>>>

6. Attendance Update

We achieved quorum.

9. Adjournment

Mary moved to adjourn.

Peter seconded the motion.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>

anonymous morphed into Jaap Kuipers (Id Network)

anonymous1 morphed into Cathy Tilton (Daon)

anonymous1 morphed into Massimiliano Masi (Tiani Spirit)

Mike Davis: The tracking of behavioral and browsing patterns raises potential privacy issues.

trust-el message