Subject: Minutes for May 16 Trust-el Call
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
May 16, 2013.
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
Abbie Barbir, Bank of America - y
Anil Saldhana, Red Hat
Brendan Peter, CA
Carl Mattocks, BofA
Cathy Tilton, Daon
Charline Duccans, DHS
Colin Wallis, New Zealand Government
Dale Rickards, Verizon Business
David Brossard, Axiomatics
Debbie Bucci, NIH
Deborah Steckroth, RouteOne LLC
Detlef Huehnlein, Federal Office for Information
Don Thibeau, Open Identity Exchange
Doron Cohen, SafeNet
Doron Grinstein, BiTKOO
Ivonne Thomas, Hasso Plattner Institute
Jaap Kuipers, Amsterdam
James Clark, OASIS
Jeff Broburg, CA
John "Mike" Davis, Veteran's Affairs
John Walsh, Sypris Electronics
Julian Hamersley, Adv Micro Devices
Kevin Mangold, NIST
Lucy Lynch, ISOC
Marcus Streets, Thales e-Security
Marty Schleiff, The Boeing Company
Mary Ruddy, Identity Commons - y
Massimiliano Masi, Tiani "Spirit" GmbH
Mohammad Jafari, ESC - y
Peter Alterman, SAFE-BioPharma - y
Rainer Hoerbe -
Rebecca Nielsen, Booz Allen Hamilton - y
Ronald Perez, Advanced Micro Devices
Scott Fitch, Lockheed Martin
Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y
Shahrokh Shahidzadeh, Intel Corp - y
Suzanne Gonzales-Webb, VA - y
Thomas Hardjono, M.I.T.
William Barnhill, Booz Allen Hamilton
Adrianne James, VA
Steve Olshansky, observer - y
100 percent of the voting members were present at the meeting. We did have quorum.
2. Agenda review and approval
We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.
3. Approval of the Minutes
Abbie asked if there were any objections to approving the minutes from the last meeting on May 2, 2013.
Peter moved to approve the minutes.
There were no objections.
Minutes were approved.
4. Editors Update.
Abbie reviewed the results of the Doodle poll. Everyone agreed to the proposed alternative, but Cathy still has a contractual conflict. Should we continue with the current time slot and lose Cathy in this time slot, or run a new poll?
Peter commented he would prefer not to make too much of a radical change as this slot has been working. We could make it a little earlier if that would help.
Abbie agreed we could move it to 9:30, but that will make it more difficult for Colin. Abbie will talk with Cathy again.
Shaheen said if we are planning to change the time to 9 or 9:30, please run a poll again.
Abbie began the editors' discussion. Steve is our new editor. Based on our discussion last week, we will continue discussing the draft table Peter put forward. Most of the work of the 3rd deliverable is about agreeing on the table, so we will focus in this session on moving through the table.
The bulk of the meeting was spent going through the draft table.
Peter explained that we have different models to choose from: FICAM, ISO and NIST security, the FISMA control model, the 7002 model, and there are others. So the question is which techniques mitigate which threats. He doesn't have any bias towards the current approach; it was his first shot.
Abbie agrees with using it as the starting point. It combines 3 known methods, including NIST 800-63-2 and X.1254, and leaves room for choosing which control you use for a given LOA. Ant Allan of Gartner went down the same route. Ant's added constraint is that the addition of a control shouldn't have overlapping vulnerabilities.
Abbie said the fifth column is impersonation. He thinks we can beautify this by grouping it into credential creation. With impersonation there is an assumption about how tightly bound a credential is to you. Maybe Shaheen or Mary can help here with a technique from our second deliverable.
Shaheen asked Abbie for the link to the second deliverable so he can open it up and check.
Peter said to remember that KBA and biometrics are good techniques for elevating trust after an initial login or connection. These two elements do provide authoritative information. The challenge will be to keep the context as we walk through this.
Abbie said identity proofing in-person has been red boxed.
Peter sees KBA and biometric.
Abbie would add geolocation.
Shahrokh said he would add device fingerprints. This is not exactly a static device ID; sometimes one needs to alias a static device ID to a different service.
Abbie said this is becoming a big issue for SSO for mobile devices.
Peter said yes, and it will be more and more so as we move to those platforms.
Abbie said we are keeping KBA separate from biometric KBA. We will come back to this and refine.
Shahrokh said we can add more data: KBA, geo-location and time of day.
Peter said let’s continue.
Abbie said we know how to fill this.
Peter asked if we are concerned about credential tampering during creation in trust elevation. He doesn’t think we are concerned with this in the context of this project.
Abbie agreed with him. If the credential is invalid, it is out of scope.
Abbie said the credential issue is handled in credentialing, not trust-el.
Peter said the next section would be about general auth phase threats.
Abbie said credential disclosure is applicable.
Abbie said we need to deal with friendly fraud or credential sharing.
Peter said if you look at credential storage disclosure by entity, the control is secure storage. That is not something the RP does.
Abbie said this is storage. It is not applicable.
Abbie went through several more items that are not applicable as they relate to credential issuance.
Peter said the next item we need to address is general authentication phase threats.
Shaheen said row 22.
Abbie commented we can in the document reference x.1254, etc. for implementation details.
Abbie continued with row 22: we have multi-factor auth. Is that a category?
Peter replied the problem is that everything fits in here.
Abbie said he didn’t think we want to be that general. It is multiple threats.
Mary asked whether we can jump from a high-level initial model to a more detailed model later.
Peter said this is just finding something to put in the cell, then we can discuss and expand it.
Peter said we can say that any one of the techniques listed in deliverable 2 can serve as a second factor, but not all provide the same degree of threat mitigation.
Abbie said that is what we have agreed to do. We need a guiding principle to choose the multi-factor.
Shaheen said he was talking about row 22. He doesn’t think multi should be there. It should be any factors.
Mary asked to clarify: you are saying it could be single factor or multi?
Shaheen replied it could be any factor or any combination of factors.
Peter proposed some language for cell 22 in the chat room.
Abbie said we will keep this for now. We have cookies in the column.
Shaheen said he thinks we should take this out.
Abbie said we should delete cookie from the text, and have a more general answer.
Peter said the US government got away from cookies a long time ago. Cookies were banned; agencies can request a waiver, so everyone has a waiver.
Shahrokh wanted to take us back: when we talk about multi-factor, can we use the term contextual factors? That can cover many things.
Peter replied there are credential factors and transactional factors and both work.
Abbie said our auth step is in the context of a transaction.
Abbie asked what is the control for online guessing?
Shaheen said session management.
Peter said what is in that cell is physical and behavioral biometrics, password with high entropy (strong passwords), IP address, router, ... OTP, browsing patterns and context.
Peter just copied these from the second deliverable.
Abbie commented, so far so good. Do you want to stay with online guessing, binding the credential to the user?
Peter replied I don’t think so. This is clearly about a transactional threat. Someone else is posing as you and guessing your password. The only real threat that online guessing poses is to weak passwords.
Mary commented – and poor KBA.
Peter asked is credential lockout relevant?
Abbie replied yes. Some systems lock the user out after 3 attempts.
Peter asked is it relevant to trust-el?
Shaheen said it is related to prevention.
Abbie said it is not trust-elevation. With credential lockout, some only block for a period.
Abbie asked what about account choose?
Peter said it is not applicable.
Abbie asked about audit and analyze?
Shaheen said it is not trust-el unless combined with KBA.
Peter asked what does audit and analyze mean?
Abbie responded that one should quickly audit for anomalies.
Peter said this is reviewing credential issuer’s practice, so it is NA and we should move on.
Abbie said for offline guessing, hashed password is a mitigation.
Shaheen asked is this trust elevation?
Abbie asked: if it is sent in the clear, is this trust-el? Is this applicable?
Peter said that is a good question. This is offline. I think it is NA.
Abbie asked about credential duplication.
Shaheen said this is again credential management.
Peter said this is NA.
Abbie reported that we stopped the review process at number 28. Next time we will start with 29. He will ship the updated document to Steve and Mary and the editors.
5. Attendance Update
We achieved quorum.
Abbie asked for a motion to adjourn.
Peter made a motion to adjourn.
Mohammad seconded it.
The meeting was adjourned.
abbie barbir (BofA): CHAT ROOM
Passcode: 637 218 8139
US toll free 1-866-222-6652
Int'l Toll: 1-980-939-6928
- Australia, Sydney: +61 (0) 2 8064 4811
Webex: Meeting scheduled: Trust Elevation TC Bi-weekly
abbie barbir (BofA): agenda
abbie barbir (BofA): 1. roll call
2. agenda bashing
3. approve minutes
4. editors update
5. roll call
anonymous morphed into Suzanne Gonzales-Webb
anonymous morphed into Don Thibeau
Don Thibeau: forgive me trying to sort out audio issues
abbie barbir (BofA): https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php
Mary Ruddy: https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/48768/AnalysisMethods-v1%200-wd01%20v0.6.docx
Shaheen: committee draft is a zip file
Peter Alterman: this is what I've got for the multifactor cell: All the methods identified in the second deliverable can serve as a second factor. Not all provide the same degree of threat mitigation.