Minutes for May 2 Trust-el Call

["Mary Ruddy" <mary@meristic.com>]

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

May 2, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Peter Alterman, SAFE-BioPharma,  - y

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton - y 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch Lockeed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh (Intel Corp

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA

Patrick, Axiomatics

Steve Olshansky, observer, - y

 

71 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

 

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el   chat room text is included at the end of the minutes.

 

There were additions to the agenda. 

 

Abbie added an item to discuss changing the meeting date and time. There are a couple people with structural conflicts with a Kantara WG meeting. He wondered if maybe we should change the meeting date (not time) maybe we should have a doodle pole to see if it is possible to change. He would like to try.

 

Peter replied, sure we have to do that if there is sufficient conflict

 

*** Action item for Abbie to check if switching to alternative week would resolve the conflict. He noted that due to time zone issues we have a short window every morning when the meeting could be held.

 

There is a follow-up action item to have a Doodle pole.

 

*** Action item for Doodle to see if there is a better meeting time.

 

Abbie said the other update is that we have a new editor to work with us on third deliverable. The editor is Steve Olshansky. Abbie asked Peter to make the introduction.

 

Peter said he has worked with Steve for a number of years when he was on the Federal PKI project and Steve with Incommon.

 

Steve said he is an employee of Internet2. He has been Director of Federated Technologies for 12 years now. He has a master’s in telecom and experience in ebusiness consulting and online training and support systems, and is deeply interested in federated identity management. He has worked with Peter for a long time and has a great deal of respect for him.

 

Abbie welcomed Steve.  We are working on getting Steve access to the OASIS website.

 

Peter said he is working with Dee on that.

 

Abbie said by the next call, Steve will be more familiar with our work.  For now, for item 4 on the agenda, the editor’s update, Abbie has posted on the chatroom a link for the documents.

 

There are the refined TOC from Peter, the Excel worksheet (tables) draft from Peter and the 3rd deliverable working draft.  So we have three things to discuss.

 

 

 

3. Approval of the Minutes

 

Abbie asked if there were any objections to approving the minutes from the last meeting on April 4, 2013.

 

None heard. The minutes were approved.

   

 

4.  Editors Update.

Peter would like to proceed. We need to have more eyes on the document and get comments back to him or Mary. We are basically blind now.

Abbie asked can we look at the TOC first?

Mary said that she hadn’t yet heard back from Don about the draft introduction.

Abbie said he did add some text to Peter’s introduction.

Abbie asked shall we review the table with the extra edits?

Abbie said let’s start with revised draft TOC.  It is too bad we don’t have Webex. He will see if he can provide it in the future

*** Abbie took an action item to get a Webex for the TC if possible.

Abbie said the revised TOC is an introduction to the 3rd deliverable.

Peter, though commenting that it isn’t fair for him to say, thinks this is good enough to go forward. The real work is in the tables. The question he asked Rebecca is if the underlying methodology is right.

Abbie said the revised TOC, A is ok.  We should discuss the B goals on this call today.  He doesn’t think it has been fully addressed yet.

Abbie continued, we could simplify B based on the Gartner GAMES work. Gartner looked at two things, masquerading and session hijacking, but to them these are the two big issues.

Abbie said so we need to look at false positives (masquerading) and, if the session is hijacked.

Peter summarized, so for the methodology, we should refine it and say we are concerned with a small number of threat vectors, not a broad spectrum?

Abbie said assuming ID proofing, etc., it you look at the risk …

Peter liked the idea of narrowing the threat vectors. He thinks that is what the data is telling us.

Abbie asked are we ok with this?  We can work more if need be.

Abbe commented on number 2 on B, we can put a set of controls there to mitigate the threats.

****Abbie took an action item to work on B.

Abbie told Steve, you can hold me hostage on that.

Abbie asked about section C on the TOC.

Shaheen said if we need to make that distinction clear, this is the time to do so.

Peter said wait, in the working draft he put in three paragraphs on credential based vs. transaction based trust.  He asked what is missing from that.

Abbie said what is missing is a definition in the terms and definition section. We need a working definition for transaction trust and credential trust as neither x.1252 nor x.1254 define it.

Peter said put me down for creating those one-liners.

*** Action item for Peter to create short definitions for transaction trust and credential trust.

Abbie said what we need is a figure that shows the interaction.  Peter you showed me figures at Phoenix.  I think you should put figures back in.

Peter said he will work on that. Steve, make a note to ping me early next week.

Abbie said on number two the methodology for the third deliverable is good.

Peter said if you have any thoughts or changes, get those into writing and into me or Mary. If you want to propose an alternative, let us know.

Abbie said he doesn’t have heartburn, but confidence isn’t an absolute term

Abbie said on the next call he will tell us experiences in the bank on what that means.

Peter said Abbie you and I need to talk about that a couple time between now and the TC editor’s call.

Peter said it is important that we get that section right.

Abbie said our discussion needs to talk about methods and improvement.  Risk and confidence levels will vary.

Shaheen said confidence level will vary between system and system. Maybe what we should do is pick a particular system and use cases and map back to LOA.

Abbe said the methodology doesn’t use LOA.

Shaheen explained that he meant the table Peter is coming up with.

Shaheen said confidence level will vary system to system and context to context.

Abbie said it is subjective.

Abbie said if you look at password breaches, some products have short passwords. If someone manages to come in, you can un-code up to 1 password every 3-4 minutes. This is unacceptable to some companies.

Abbie said confidence level is a summation of many things. If you look at all the detail, then you won’t be able to come up with a measure.

Shaheen said if we have a framework or model for organizations to use, it would really help.

Mary raised another editor’s issue. She reported that previously the TC had formally voted to approve the second deliverable. There were 9 votes for, and no votes against and no abstentions.  The next step is for the TC to formally acknowledge that we voted to approve the second deliverable in our minutes, so that OASIS can move forward with its next step in the process.

Abbie asked if we all agree for OASIS to move forward with the next step that the TC has voted to approve the second deliverable.

No objections were heard,

Abbie made a motion that we, as the TC, approved the second deliverable.

Suzanne seconded it.

Abbie asked if there were any objections.

None heard.

The motion was approved.

Shaheen asked what is next?

Abbie said it depends.  Our second deliverable is a committee draft. The third deliverable will be a standard. There is a different, more involved set of rules for standards.

Abbie said he would like the third deliverable to be an ITU-T deliverable. We can ask permission to do this later. That process is about a year long.  Abbie was in Geneva last week. He discussed the history of the ISO and ITU-T process on X.1254. Our TC can refer to X.1252 and x.1254 without any issues.

 

5. Attendance Update

We achieved quorum.

 

6. Adjournment

Abbie asked for a motion to adjourn.

Shaheen made a motion to adjourn.

Mary seconded it.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

Chat room contents:

abbie barbir: Passcode: 637 218 8139

 

US toll free 1-866-222-6652

 

Int'l Toll: 1-980-939-6928

 

abbie barbir bofa: 1. Roll call

 

2. agenda nashing

 

3. approve minutes

 

4. editors update

 

5. roll call

 

6. adjourn

 

abbie barbir bofa: https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php