Subject: Minutes for April 4 Trust-el call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

April 4, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange   -y

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST

Lucy Lynch, ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop - y

Peter Alterman, SAFE-BioPharma,  - y

Rainer Hoerbe -  y

Rebecca Nielsen, Booz Allen Hamilton 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh (Intel Corp)  -y 

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA - y

Patrick, Axiomatics

 

67 percent of the voting members were present at the meeting. We did have quorum.

 

 

3. Agenda review and approval

 

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

 

There were no additions to the agenda.

Agenda was approved.

 

We discussed whether we need to move the time slot, as it is now conflicting with another group.

 

***Action item for Abbie to see if the meeting time conflict can be addressed by switching weeks.

***Action item for Abbie to get complimentary associate membership for Mike as he is working with us as a member.

 

4. Approval of the Minutes

 

Abbie asked if there were any objections to approving the minutes from the last meeting on March 21, 2013.

None heard.

The minutes were approved.

   

 

5. Discussion of the Table of Contents draft. See https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

 

This was based on work from Mike, Shaheen and Peter. Abbie asked if there was agreement on the approach. 

 

Peter uploaded an alternative draft on the chat room.

 

Abbie said the objective today is to have a skeleton TOC and owners for the sections.

 

Peter’s version is now available at 

https://www.oasis-open.org/committees/document.php?document_id=48742&wg_abbrev=trust-el

 

Shaheen said we want to minimize use of trust-el for credentials. If that is a goal, we need to emphasize that. Much of the first two deliverables talked about credentials.

 

Peter said this draft doesn't have a strong enough goals statement.

 

Abbie commented that we have agreement on what Shaheen has stated as a goal.

 

Shaheen continued we didn’t get enough transaction (txn) trust elevation method examples.

 

Abbie asked what do you want to include as optional txn trust element examples?

 

Shaheen said again I’m looking to Peter and Abbie to give me the exact definition of trust-el for transactions. I have something in mind. The definition itself is not clear in the first deliverables.

 

Abbie said before an app can do something, how confident are you that the user is Peter?  If this is transactional, the second level is more about rights: a $100 txn or a $1M txn. That is two separate things.

 

Shaheen said one is a value bearing txn, the other is authentication.

 

Abbie asked Peter do you agree with the distinction?

 

Peter replied I think the first thread, a precise definition of trust-el Shaheen has nailed.  We need to put that in.

 

Mike said I’m not familiar with how OASIS does things. What we are doing now is filling in text when we haven’t yet agreed on the TOC. You are jumping into filling in text before you have agreed on the structure of the doc.

 

Abbie thanked Mike. So on the next call, we will debate definitions.

 

Shaheen said depending on the goal, that will change the target.

 

Abbie replied for Bofa, stronger authentication is a combo of trust-el methods. We call this coarse-grained. Fine-grained is at the app owner level. They also need to understand what they can do. Our table should give some way to correlate between access and txn labels. The overlapping should be consistent. The risk equation changes based on the app owner. If the app is relying on something, he should signal that in a meaningful way. If you finish it end-to-end, and he is the final consumer, it is out of scope. If he is relying on a subsequent process to use it, then we need to package it up for consumption.

 

Peter said before we follow that into the weeds, we should first build the TOC.

 

Abbie started talking about the goal.

 

Mike said remember the TOC isn’t cast in concrete. The first thing in filling out the text is to refine the definition.

 

Perhaps in the first chapter we should differentiate between transaction and credential trust.

Later on txn trust might be a good topic as part of overall platform trust.

 

Abbie said so we do the TOC now with credential and txn trust. So Shaheen is tasked with coming up with a definition.

 

Shaheen said no.

 

Abbie asked for an action item to do this.

 

*** Action item for Abbie to define transaction trust.

 

Peter said send that to me Abbie and I will put them together.

 

Abbie said we have an introduction and a goal.

 

Abbie said the goals are to identify a single set of criteria for evaluating credential and txn trust against.

 

Peter said wow. There is an ISO model, there is a US FICAM model, there is a FSI model and there are other models for determining trust in an identity assertion. We are creating a single baseline to align all of them into a single array.

 

Mike commented we are back in the weeds.

 

Peter replied Mike is right. The next section should be goals.

 

Abbie said the step after that is description of the methodology.

 

Shaheen said we need to split that into methodologies considered, and those agreed upon. The TOC should contain that: a bulleted review of available methodologies, then which methodologies we are selecting and why.

 

Abbie asked what is next? We need the representation of mapping tables.

 

Peter replied elevation works in both the txn and credential models.

 

Abbie said we need to next say what the output will be.

 

Peter replied it is trust-el generically.

 

Shaheen said you can have purely credential-based trust. If you are talking txn trust, there will be some element of credential.

 

Peter explained for any txn, there has to be some sort of login.

 

Shaheen said moving forward we will see a kind of hybrid model.

 

Peter said in the mapping tables, they array the various methods that come out of 1 and 2 against X.1254 and other risk vectors such as ISO 27002. It doesn't matter if in the txn trust relationship these trust-el methods work to mitigate risk as described in three related but different models. We don't need to do anything which talks about different credentials and txn models.

 

Abbie replied you are right. You make a good point, it is a process.

 

Abbie said the third section needs to explain.

 

Peter said we need to explain what the tables are and how to use them, then provide the actual tables.

 

Shaheen said there are two ways to go. Go with deliverable 2 methods, or come up with some combinations of use cases. Some in 2 are redundant, and some actual use cases are missing.

 

Peter said I’m good with that. The larger point is in number 4. It should be called use case examples.

 

Abbie said we have touchdown. Section 5 is summary and conclusions and maybe future work. Part of our assumptions here is we aren't considering how this could be incorporated into SAML. Should we say that is out of scope?

 

Mike commented that normally deliverables have a scope section.

 

Abbie agreed. We should have a scope section and an executive summary.

 

Shahrokh said one of the problems is if we just do the survey and explain the terms and don't dive into details, I think it is just a survey. Don't you want to actually provide the ingredients to meet some self-defined trust? Let's create and brand it. This is The OASIS Trust-el for LOA1, 2, and 3; and define how to get there. If we don't brand what we need and the requirements, then we are doing an academic survey.

 

There was concurrence.

 

Abbie agreed. If it is an elevation, it must have at least one of the following.

 

Peter said this is going to get us into the fundamental issue: what constitutes an adequate elevation to go from 1 to X. Are we going to use the LOA model?

 

Abbie said they are buckets, they are huge buckets.  A lot of the LOA is self-assessment.

 

Peter said I see how hard it is.

 

Abbie replied, let’s see.

 

Peter suggested we could say the specific recommendations are what we will do in deliverable 4.

 

Shaheen suggested we introduce something that can be referenced and branded that classifies the levels of elevation. Let’s pick a name and brand it.

 

Don liked that approach. We should advance the conversation beyond the LOA rat holes.

 

Peter said don’t disparage the LOA.

 

Abbie said what we need to do then, is assign some owners. We need to know what we will discuss on the next call.

 

Abbie said Don has self-nominated to work on the intro.

 

Don agreed as long as he can work with Peter.

 

Abbie reminded the group that we need to make sure Mike is copied on everything.

 

Abbie acknowledged an action item to define transaction trust and credential elevation.  He can work on that and the goals.

 

Peter commented that Shaheen has a real good handle on the transactional and transitive issues.

 

Shaheen will help with the use cases.

 

Abbie said that Shahrokh really jumped on the branding with two feet.

Shahrokh said depending on the table, he would be willing to create something once the table is available. He will take that on: what can we claim as our proposal for trust-el.

 

Peter said if you can do that, it clarifies the whole discussion. 

 

Peter said he submitted a draft table a few weeks ago.

 

***Action item to upload Peter’s straw man table to the TC workspace. https://www.oasis-open.org/committees/document.php?document_id=48743&wg_abbrev=trust-el

 

Peter explained that the table was a first cut. It needs additions, deletions and work. Please rip that thing apart and make sure it is right. It is a starting place. We can't allow it to stand as it is. That table needs a lot of work.

 

Mike said it is also based on an earlier version of 800-63.

 

Abbie reminded the group that we have an editor’s call next Thursday. He may not be able to attend.

** Action item to post a copy of X.1254 to the TC work space. https://www.oasis-open.org/committees/document.php?document_id=48746&wg_abbrev=trust-el

 

** Action item to publish the minutes today with links to the relevant docs.

 

 

 

6. Attendance Update

We achieved quorum.

 

7. Adjournment

Abbie asked for a motion to adjourn.

Don made a motion to adjourn.

Mary seconded it.

The meeting was adjourned.

 

>>>>>>>>>>>>>>>>>>>>

abbie barbir bofa: CHAT ROOM

 

http://webconf.soaphub.org/conf/room/trust-el

 

Passcode: 637 218 8139

 

US toll free 1-866-222-6652

 

Int'l Toll: 1-980-939-6928

 

abbie barbir bofa: 1. roll call

2. agenda bashing

3. minutes approval

4. review and debate table of content for third deliverable

5. assign sections to contributors

6. roll call

7. close meeting

 

abbie barbir bofa: table of content

 

abbie barbir bofa: https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php

 

abbie barbir bofa: TOC for 3rd Deliverable

 

1. Introduction

a. Objectives

b. Relationship to first two deliverables

c. Reiteration of the distinction between transactional trust and credential-based trust

 

2. Scope

 

3. Overview of methodology used in this standard

- Discuss the importance of the relationship between trust elevation and risk mitigation

- Trust Elevation Methods

  o Credential Assurance Evaluation Method

  o Credentials for each Trust Elevation Method

- Explain rationale for using X.1254 as baseline against which other modes are compared

- Discuss process/methods for adding future trust elevation modes

4. Identity Assurance imperatives

- Levels of Assurance

  o Identity Assurance Levels

  o Credential Assurance Levels

- Identity Credential Requirements

  o Strength

  o Context

5. Presentation of Mapping Tables

 

6. Examples of crosswalks and trust elevations

(I'm not sure what goes in here and I don't know what a crosswalk is in this context. MH)

 

7. Summary and Conclusions

(It's not clear to me that conclusions (or even a summary) are appropriate in a standard, but I'm not familiar with the OASIS way of doing things. MH)

 

Peter Alterman: Here's the alternate I put together:

 

Peter Alterman: 1. Introduction to 3rd Deliverable

a. Relationship to first two: This document, the third deliverable of the OASIS Trust Elevation Technical Committee, builds on the work of the first two. To recap: the first deliverable [insert link] consists of a broad overview of current and near-future online trust elevation techniques used to (or capable of) raising a relying party's assurance that the user requesting access to its resources is actually the person he or she claims to be. The second deliverable [insert link] evaluated how each of the identified trust elevation mechanisms operated and what threats it mitigated that added to the relying party's confidence in the identity asserted. A discussion of the methodology used to analyze the mechanisms is included in that deliverable. As has been the pattern for this TC's deliverables, this third one builds on the work of the first two and seeks to formulate a useful approach for enabling relying parties to implement one or more trust elevation methods in order to raise their confidence in the identity of the users requesting access to their online systems and resources to the extent necessary to mitigate their risk exposures.

b. Goals: The two primary goals of this third deliverable are: 1) to identify a single set of criteria that the several most frequently referenced risk and risk mitigation models could be evaluated against, and 2) to array each of the models against the criteria in such a way that they could be compared to each other. This second goal can lead to viable crosswalks between models as there will now be an apples-to-apples comparison possible. Another benefit of achieving this goal is that it makes possible a two-way translation between credential-based trust models and transaction-based trust models, which can make possible interoperability and trust between two differing domains.

c. Reiteration of the distinction between transactional trust and credential-based trust

2. Description of Methodology for 3rd Deliverable

a. Rationale for using X.1254 as baseline against which other modes are compared: TBW, but remember that the identified risks of interest are a small subset of the domain of risks as the focus of trust elevation is on authentication of identity.

b. Methods for adding future trust elevation modes: When new trust elevation methods emerge, the approach of this deliverable makes it a straightforward task to insert them into the matrix and allow them to find natural alignment with the methods that have come before. Should new risk vectors be identified, there is a place for them to be inserted, though all the methods would be required to establish their relationship to the new vectors.

3. Presentation of Mapping Tables

4. Examples of crosswalks and trust elevations

5. Summary and Conclusions

 

abbie barbir bofa: peter r u on the call

 

Peter Alterman: dialing now

 

Don Thibeau: I can work with Peter to reconcile drafts intros

 

Don Thibeau: Peter let's confirm a time offline to work on this - Mon or Tues next week

 

anonymous morphed into Suzanne Gonzales-Webb

 

Peter Alterman: Monday works better -

 

Peter Alterman: 11 - 3 Monday is open
