Notes for February 21st call

["Mary Ruddy" <mary@meristic.com>]

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

February 21, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon 

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y 

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  -y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Nick Pope, Thales e-Security

Peter Alterman, SAFE-BioPharma,  - y

Rainer Hoerbe

Rebecca Nielsen, Booz Allen Hamilton  -y

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch Lockeed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh (Intel Corp)   

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA  - y

Patrick, Axiomatics

 

63 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

 

We used the following chat room for the call:  chat room text is included at the end of the minutes.

 

There were no additions to the agenda.

Agenda was approved.

 

 

3. Approval of the Minutes

 

Abbie asked if here were any objections to approving the minutes from January 24 (there was no meeting on January 10 due to holidays.)

There were no objections. The minutes were approved.

   

 

3. Ballot for second deliverable

Abbie announced that the ballot for approving the second deliverable was opened, and thanked Mary,

 

Mary explained that it is a standard one week voting period.  Please review the document and vote.  It you find issue let me know. The editors update for this week is that we have a second deliverable and it is out for a vote.

 

 

 

4. RSA meeting

 

Mary confirmed that we are having an extended virtual/physical meeting on February 27th from 9:00 to 12:00 PT. Abbie is again providing our usual call bridge.  She took an action item for Don to provide physical location information for those who will be at RSA.

Peter agreed to produce a slide.

 

***Don to send out directions for attending the meeting in person.

***Peter will produce a slide for phase 3

 

 

5. Jump Start 3rd deliverable discussion see https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

 

Abbie reviewed his slides and began a discussion of multi-factor authentication methods

 

Slide 2 - There is a taxonomy question: must the second factor be different factor? NIST allows them to be the same. We need to be clear about what it means to combine factors. Our overall objective is to elevate trust.  We need to define what 2FA means and measure the incremental improvement in authentication strength, if we can do this is a relative way, without putting it in concrete.   Can’t say it is an exact number.

 

Slide 3 - Is a “how to” from Gartner.  Need to look at authentication strength and cost of ownership and ease of use and other factors.  There is no silver bullet here.

Should we look at cost as part of our evaluation?  Not main focus, but this is to note that analysis is not in vacuum.

 

Mary agreed we can’t do a formal cost analysis.

 

Peter said that this is a risk mitigation strategy by definition.

 

Abbie said risk mitigation includes these factors. Just adding factor blindingly isn’t necessary helpful.

 

Abbie has some people who just say why not get smart cards and move on.

 

Slide 4 - look at 5 categories.  He referenced ITU-T. NIST looks at first 3.  The others are supporting to them.  Should we decide which are the major ones? According to NIST, biometric is not stand alone, it is public knowledge. One of the questions we need to answer is – is biometric acceptable as a second factor in remote transmissions? If the person is present in the room, it is second factor. So how can we decide?

 

Slide 5 - part of our discussion at RSA is to decide which factors are the main, and which are to be used as additional/supporting. Will we use the same concepts as NIST?

 

Peter replied, as we work it, we will see required refinements. This is a place to start.

 

Slide 6 - for those who have access to Gartner, I’ve asked Ant Allan to cover our TC. Have invited him to come and give an assessment on our third deliverable.  This is good news from the Gartner site. He has developed a method, a Gartner Authentication Method Evaluation Scorecard: GAMES. It looks at attributes and overlap. He uses standard methodology based on NIST. Abbie says there is an issue with efficiency of this solution. This is why he is willing to come to talk to us.

 

Slide7 - some of the measures are, is the method inherently resistant to attack and how easy is it for someone to misuse.  He told the story of a man who outsourced his RSA token secured job to China and the outsourcer did the man’s work and the man got good evaluations. Is a method resistant to willful misuse? We need to take this into consideration. If someone is willing to sell his credential, is the system able to detect that. So we should keep that in the back of our minds. We should look at life cycle that includes transport. Some authentication methods can have multiple flows. The LOA is a combination across the whole system.

 

Slide 8 - we should look at life cycle that includes transport. Some authentication methods can have multiple flows. The LOA is a combination across the whole system.

Slide 9-10 - from Gartner. It is available combinations that we need to keep in mind.

Slide 11 - LOA 3 example. This should be one of the issues. In 3rd deliverable, we should work though some examples so people know how to use it

 

Slide 12 - we need to identify what we mean by a token. A token can have multiple attributes.  There is a token model used by NIST. It should be one of the candidates for us to use.  Once you know the token profile, how they are used can be clear and put in a table.  We can have a transport model also.  Frequent authentication can mitigate session hijacking.

 

Slide13 -NIST does specify 9 types of tokens.

 

Slide 14 - cryptographic devices, the 9 types include most tokens. Are these sufficient, or do we need to add more. Nine types may to be too many to look at. So we need to look at token types.

 

Slide 15-16 - NIST has a general threat analysis per token and analysis of those threats, and how to do mitigation of those token threats. I think we will need to do that.  From his perspective, when we look at trust-el, we look at attributes in two categories. Of those categories, some are non-additive.  For example a system that uses a single password or two passwords, that second password won’t take you from 2 to 3. But if you do mitigation and the second password is OTP, where keyloging is not a vulnerability, this can take you to LOA 3.  We know the threats, vulnerabilities and controls.  Methods can be additive if we reduce vulnerabilities. So we need to review the whole credential life cycle. The source of the original credential is out of scope

 

Slide 17 - NIST does have a big table of threats and requires tokens to be at the second level.  A lot of the dirty work has been done by NIST.  If we are happy, there is no reason not to use it.

 

Slide 18 - this is where most of our deliverable will be. We need an improved version of slide 18. NIST took a very pragmatic approach, but they have the road map of what you need to combine to go to the second level. For his work at the bank, this level two work is too course. He looks at a level as being medium, high and low. If using a weak password and OTP entropy isn’t high enough, may not be a 3.0 may be at 2.5. NIST made a strong conclusion.  We might say, you can elevate using a method if you are also using these three controls.

.

Peter commented if you are going to accept the NIST conceptual model of LOA, then you have to work within that.  But that is not the only conceptual model.  As you address the strengths and limitations of the NIST model, the alternatives are really based more on local circumstance and risk mitigation. That is a more appropriate way to deal with it.

 

Abbie replied, I think we need that.  I did put an extra link on the chat room from Anil John.  He has food for thought. We need to look into attributes from the RP perspective. 

 

***Mary took an action item for Abbie – invite Anil to explain his blog. He has two points of view of the token identity credential.  He identifies a grey area of residual risk that needs to be managed. The objective of the RP is to minimize this risk. The objective of the IDP is not to be liable for this risk.

 

Peter commented that is why the baseline shouldn’t be comparing things to the model. The NIST model should be one of the models we compare to the risk mitigation model. X1254 is a better model of that.

 

Abbie wants phase 3 done in less than 3 months, and is trying to think about ways to do that quickly.

 

Peter said he will not be at RSA.

 

Abbie told Peter that on the next call, Peter can say the delta’s that Peter wants. Then in the RSA meeting maybe we can start putting together the outline of the third deliverable, then we can get the editors to start filling in.

 

Peter we also need to find someone to take the contract as editor

.

Abbie said he thinks he can get us an editor with ITU-T experience.

 

Abbie will take this off line. We need to get the structure of the document quickly. The devil is in the details. Let’s see how it goes at RSA.

 

Colin commented that it was a good set of slides. There are only two things that he would immediately look at 1) revised assumptions about NIST approach to biometrics, and 2) assumptions around enrollment and identify proofing behind it.

 

6. Attendance Update

We achieved quorum.

 

7. Adjournment

Abbie adjourned the meeting

>>>>>>>>>>>>>>>>>>>> Please change your name from 'anonymous' using the Settings button

 

abbie barbir: documents are at https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

 

abbie barbir: 0. Agenda review

 

1. Roll Call and approval of minutes

 

2. Ballot for second deliverable

 

3. RSA meeting

 

4. Jump Start 3rd deliverable discussion see https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

 

5.roll call  close meeting

 

abbie barbir: bridge 1 866 222 6652 Passcode: 637 218 8139

 

Gershon Janssen: My current meeting is running late; will join shortly.

 

anonymous morphed into Suzanne Gonzales-Webb

 

Mary Ruddy: Gershon, can you get on the phone line?  We need one more for quorum

 

Gershon Janssen: now...

 

Gershon Janssen: On the call now...

 

abbie barbir: http://blog.aniljohn.com/2013/02/these-are-not-the-loas-you-are-looking-for.html?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+AnilJohn+%28Anil+John+%7C+Blog%29