Subject: Notes for February 21st call
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
February 21, 2013.
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
Abbie Barbir, Bank of America - y
Anil Saldhana, Red Hat
Brendan Peter, CA
Carl Mattocks, BofA
Cathy Tilton, Daon
Charline Duccans, DHS
Colin Wallis, New Zealand Government - y
Dale Rickards, Verizon Business
David Brossard, Axiomatics
Debbie Bucci, NIH
Deborah Steckroth, RouteOne LLC
Detlef Huehnlein, Federal Office for Information
Don Thibeau, Open Identity Exchange
Doron Cohen, SafeNet
Doron Grinstein, BiTKOO
Gershon Janssen - y
Ivonne Thomas, Hasso Plattner Institute
Jaap Kuipers, Amsterdam
James Clark, OASIS
Jeff Broburg, CA
John "Mike" Davis, Veteran's Affairs
John Walsh, Sypris Electronics
Julian Hamersley, Adv Micro Devices
Kevin Mangold, NIST - y
Lucy Lynch, ISOC
Marcus Streets, Thales e-Security
Marty Schleiff, The Boeing Company
Mary Ruddy, Identity Commons - y
Massimiliano Masi, Tiani "Spirit" GmbH
Nick Pope, Thales e-Security
Peter Alterman, SAFE-BioPharma, - y
Rebecca Nielsen, Booz Allen Hamilton - y
Ronald Perez, Advanced Micro Devices
Scott Fitch, Lockheed Martin
Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y
Shahrokh Shahidzadeh, Intel Corp
Suzanne Gonzales-Webb, VA - y
Thomas Hardjono, M.I.T.
William Barnhill, Booz Allen Hamilton
Adrianne James, VA - y
63 percent of the voting members were present at the meeting. We did have quorum.
2. Agenda review and approval
We used the OASIS chat room for the call; the chat room text is included at the end of the minutes.
There were no additions to the agenda.
Agenda was approved.
3. Approval of the Minutes
Abbie asked if there were any objections to approving the minutes from January 24 (there was no meeting on January 10 due to holidays).
There were no objections. The minutes were approved.
3. Ballot for second deliverable
Abbie announced that the ballot for approving the second deliverable was opened, and thanked Mary.
Mary explained that it is a standard one week voting period. Please review the document and vote. If you find an issue, let me know. The editors' update for this week is that we have a second deliverable and it is out for a vote.
4. RSA meeting
Mary confirmed that we are having an extended virtual/physical meeting on February 27th from 9:00 to 12:00 PT. Abbie is again providing our usual call bridge. She took an action item for Don to provide physical location information for those who will be at RSA.
Peter agreed to produce a slide.
***Don to send out directions for attending the meeting in person.
***Peter will produce a slide for phase 3
5. Jump Start 3rd deliverable discussion see https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php
Abbie reviewed his slides and began a discussion of multi-factor authentication methods.
Slide 2 - There is a taxonomy question: must the second factor be a different factor? NIST allows them to be the same. We need to be clear about what it means to combine factors. Our overall objective is to elevate trust. We need to define what 2FA means and measure the incremental improvement in authentication strength, if we can do this in a relative way, without putting it in concrete. We can't say it is an exact number.
Slide 3 - This is a "how to" from Gartner. We need to look at authentication strength, cost of ownership, ease of use and other factors. There is no silver bullet here.
Should we look at cost as part of our evaluation? It is not the main focus, but this is to note that the analysis is not done in a vacuum.
Mary agreed we can’t do a formal cost analysis.
Peter said that this is a risk mitigation strategy by definition.
Abbie said risk mitigation includes these factors. Just adding a factor blindly isn't necessarily helpful.
Abbie has some people who just say why not get smart cards and move on.
Slide 4 - look at 5 categories. He referenced ITU-T. NIST looks at the first 3. The others are supporting to them. Should we decide which are the major ones? According to NIST, a biometric is not stand-alone; it is public knowledge. One of the questions we need to answer is: is a biometric acceptable as a second factor in remote transmissions? If the person is present in the room, it is a second factor. So how can we decide?
Slide 5 - part of our discussion at RSA is to decide which factors are the main, and which are to be used as additional/supporting. Will we use the same concepts as NIST?
Peter replied, as we work it, we will see required refinements. This is a place to start.
Slide 6 - for those who have access to Gartner, I've asked Ant Allan to cover our TC. I have invited him to come and give an assessment on our third deliverable. This is good news from the Gartner side. He has developed a method, the Gartner Authentication Method Evaluation Scorecard (GAMES). It looks at attributes and overlap. He uses a standard methodology based on NIST. Abbie says there is an issue with the efficiency of this solution. This is why he is willing to come to talk to us.
Slide 7 - some of the measures are: is the method inherently resistant to attack, and how easy is it for someone to misuse? He told the story of a man who outsourced his RSA-token-secured job to China; the outsourcer did the man's work and the man got good evaluations. Is a method resistant to willful misuse? We need to take this into consideration. If someone is willing to sell his credential, is the system able to detect that? So we should keep that in the back of our minds.
Slide 8 - we should look at a life cycle that includes transport. Some authentication methods can have multiple flows. The LOA is a combination across the whole system.
Slides 9-10 - from Gartner. These are the available combinations that we need to keep in mind.
Slide 11 - LOA 3 example. This should be one of the issues. In the 3rd deliverable, we should work through some examples so people know how to use it.
Slide 12 - we need to identify what we mean by a token. A token can have multiple attributes. There is a token model used by NIST. It should be one of the candidates for us to use. Once you know the token profile, how they are used can be clear and put in a table. We can have a transport model also. Frequent authentication can mitigate session hijacking.
Slide 13 - NIST does specify 9 types of tokens.
Slide 14 - cryptographic devices; the 9 types include most tokens. Are these sufficient, or do we need to add more? Nine types may be too many to look at. So we need to look at token types.
Slides 15-16 - NIST has a general threat analysis per token, an analysis of those threats, and how to do mitigation of those token threats. I think we will need to do that. From his perspective, when we look at trust-el, we look at attributes in two categories. Of those categories, some are non-additive. For example, in a system that uses a single password or two passwords, that second password won't take you from 2 to 3. But if you do mitigation and the second password is an OTP, where keylogging is not a vulnerability, this can take you to LOA 3. We know the threats, vulnerabilities and controls. Methods can be additive if we reduce vulnerabilities. So we need to review the whole credential life cycle. The source of the original credential is out of scope.
Slide 17 - NIST does have a big table of threats and requires tokens to be at the second level. A lot of the dirty work has been done by NIST. If we are happy, there is no reason not to use it.
Slide 18 - this is where most of our deliverable will be. We need an improved version of slide 18. NIST took a very pragmatic approach, but they have the road map of what you need to combine to go to the second level. For his work at the bank, this level two work is too coarse. He looks at a level as being medium, high and low. If using a weak password and the OTP entropy isn't high enough, it may not be a 3.0; it may be at 2.5. NIST made a strong conclusion. We might say, you can elevate using a method if you are also using these three controls.
Peter commented if you are going to accept the NIST conceptual model of LOA, then you have to work within that. But that is not the only conceptual model. As you address the strengths and limitations of the NIST model, the alternatives are really based more on local circumstance and risk mitigation. That is a more appropriate way to deal with it.
Abbie replied, I think we need that. I did put an extra link on the chat room from Anil John. He has food for thought. We need to look into attributes from the RP perspective.
***Mary took an action item for Abbie – invite Anil to explain his blog. He has two points of view of the token identity credential. He identifies a grey area of residual risk that needs to be managed. The objective of the RP is to minimize this risk. The objective of the IDP is not to be liable for this risk.
Peter commented that is why the baseline shouldn't be comparing things to the model. The NIST model should be one of the models we compare to the risk mitigation model. X.1254 is a better model of that.
Abbie wants phase 3 done in less than 3 months, and is trying to think about ways to do that quickly.
Peter said he will not be at RSA.
Abbie told Peter that on the next call, Peter can say the deltas that Peter wants. Then in the RSA meeting maybe we can start putting together the outline of the third deliverable; then we can get the editors to start filling in.
Peter said we also need to find someone to take the contract as editor.
Abbie said he thinks he can get us an editor with ITU-T experience.
Abbie will take this off line. We need to get the structure of the document quickly. The devil is in the details. Let’s see how it goes at RSA.
Colin commented that it was a good set of slides. There are only two things that he would immediately look at: 1) revised assumptions about the NIST approach to biometrics, and 2) assumptions around enrollment and identity proofing behind it.
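The additivity question from the slide 15-16 discussion (why a second password does not move a credential up a level, while an OTP can) can be checked mechanically with a small threat-coverage model. The following Python is an added illustration, not part of the minutes, the slides or any NIST document: the token names, the threat labels and which token is vulnerable to which threat are constructed assumptions for the example, loosely patterned on the per-token threat categories in NIST SP 800-63. The model treats a multi-token credential as compromised only when a threat defeats every token, so the residual threat set is the intersection of the per-token vulnerability sets, and a "control" is modelled as taking one threat off the table.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Token:
    """An authentication token and the threats that compromise it on its own."""
    name: str
    vulnerable_to: FrozenSet[str]


# Constructed token profiles (assumptions for this example, not a NIST table).
PASSWORD = Token(
    "memorized password",
    frozenset({"guessing", "keylogging", "phishing", "eavesdropping"}),
)
# A one-time code is not reusable, so captured keystrokes or a sniffed session
# do not help; a real-time phishing relay or theft of the device still does.
OTP_DEVICE = Token("OTP device", frozenset({"phishing", "theft"}))
# Private key never leaves the card; only physical theft is modelled here.
SMART_CARD = Token("PKI smart card", frozenset({"theft"}))


def residual_threats(tokens: Iterable[Token],
                     controls: Iterable[str] = ()) -> FrozenSet[str]:
    """Threats that still compromise the whole credential.

    Assumption: an attacker must defeat every token, so a threat survives only
    if it is in every token's vulnerability set (set intersection). A control
    (e.g. a hypothetical 'channel binding' control against phishing) removes
    that threat from the residual set entirely.
    """
    token_list: List[Token] = list(tokens)
    if not token_list:
        raise ValueError("a credential needs at least one token")
    residual = frozenset(token_list[0].vulnerable_to)
    for token in token_list[1:]:
        residual &= token.vulnerable_to
    return residual - frozenset(controls)


def is_additive(base: Iterable[Token], added: Iterable[Token],
                controls: Iterable[str] = ()) -> bool:
    """True when the added token(s) strictly shrink the residual threat set.

    This is the 'methods can be additive if we reduce vulnerabilities' rule:
    a second password shares every weakness of the first, so nothing shrinks.
    """
    base_list = list(base)
    before = residual_threats(base_list, controls)
    after = residual_threats(base_list + list(added), controls)
    return after < before  # proper subset, not merely equal


def report(label: str, tokens: Iterable[Token],
           controls: Iterable[str] = ()) -> FrozenSet[str]:
    residual = residual_threats(tokens, controls)
    print(f"{label:38s} residual: {sorted(residual) or 'none'}")
    return residual


if __name__ == "__main__":
    report("password", [PASSWORD])
    report("password + second password", [PASSWORD, PASSWORD])
    report("password + OTP device", [PASSWORD, OTP_DEVICE])
    report("password + OTP + channel binding", [PASSWORD, OTP_DEVICE],
           controls={"phishing"})
    report("password + smart card", [PASSWORD, SMART_CARD])
    print("second password additive?", is_additive([PASSWORD], [PASSWORD]))
    print("OTP additive?", is_additive([PASSWORD], [OTP_DEVICE]))
```

The output is only a relative comparison, in line with the point that the strength gain cannot be stated as an exact number: the model says whether a combination removes threats, not which LOA it reaches. Real threat tables would also need per-threat likelihood and the life cycle steps (issuance, transport, revocation) that the slides note are part of the overall LOA.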
6. Attendance Update
We achieved quorum.
Abbie adjourned the meeting
abbie barbir: documents are at https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php
abbie barbir: 0. Agenda review
1. Roll Call and approval of minutes
2. Ballot for second deliverable
3. RSA meeting
4. Jump Start 3rd deliverable discussion see https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php
5.roll call close meeting
abbie barbir: bridge 1 866 222 6652 Passcode: 637 218 8139
Gershon Janssen: My current meeting is running late; will join shortly.
anonymous morphed into Suzanne Gonzales-Webb
Mary Ruddy: Gershon, can you get on the phone line? We need one more for quorum
Gershon Janssen: now...
Gershon Janssen: On the call now...
abbie barbir: http://blog.aniljohn.com/2013/02/these-are-not-the-loas-you-are-looking-for.html?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+AnilJohn+%28Anil+John+%7C+Blog%29