Subject: Minutes from May 30th call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

May 30, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, BofA

Cathy Tilton, Daon - y

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark, OASIS

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST 

Lucy Lynch, ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC - y

Peter Alterman, SAFE-BioPharma,  - y

Rainer Hoerbe

Rebecca Nielsen, Booz Allen Hamilton 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh, Intel Corp - y

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA

Patrick, Axiomatics

Steve Olshansky  - y

 

86 percent of the voting members were present at the meeting. We did have quorum.

 

 

2. Agenda review and approval

 

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

 

Abbie added an agenda item. There is a request for a liaison relationship from the Biometric TC. He would like to show an approval. He asked if there were any objections.

None heard.

 

The item was approved.

 

3. Approval of the Minutes

 

Abbie asked if there were any objections to approving the minutes from the last meeting on May 16, 2013.

 

There were no objections.

Minutes were approved. 

 

4. Request from the Biometric TC for a liaison, from Kevin Mangold.

 

Abbie read in the request (see copy at end of minutes) and asked for feedback.

Should we accept the liaison offer?

 

Abbie recommended that we respond that we accept the liaison relationship. 

 

Peter commented that this is more about them providing input to us, rather than us relying on them.  A fresh pair of eyes is always helpful.

 

Don agreed with Peter.

 

There were no objections.

The TC agreed to the liaison request.

 

Abbie asked Don to put together a paragraph to respond to Kevin: thank him for the request, agree to a relationship, and state that our TC approved this.

 

*** Action for Abbie to upload the request document to the TC.

 

5. Editors' Update.

On the last call we began to discuss the table that Peter had drafted. Last time we stopped at item 28, credential duplication. We are restarting with phishing.

Abbie began with item 29, detecting phishing from messages. Abbie read the relevant columns. Are you ok with me continuing? Are we detecting phishing from email or from a suspicious site? What does this line mean?

Peter said this doesn’t sound like an authorization threat in this context, but it is a threat to the RP.

Abbie replied it is a classical question: how can the user know that they are going to the right relying party and not to an imposter.

Peter said the real challenge is the context. Does the context fit?

Abbie asked Peter if he had heard of the CAB forum.

Peter had.

Abbie continued: the certificate of the site can tell the browser plug-in that the site is the site reflected on the certificate. This is one option. Not sure what other approaches exist. Another approach is the site always gets back to the users. But this is not seen as practical.

Peter asked: is this a trust-el technique?

Abbie replied yes, at the protocol level.

Peter agreed that we should include it.

Shaheen commented it is not the typical trust-el method.

Peter responded it is interesting as it is not exactly mainstream.  It is the device elevating trust.

Abbie said you are using it today. With IE and Chrome, the browser changes color. Green is good. It means the site passed extended certificate validation. If there is no green, it is broken.

Peter explained that what he meant is it is done without action by the user.

Shahrokh had a question. There is no recovery. By the time you get a color, you have already gone to the website. The fact that you get a color means you are already on the site. Is the damage already done?

Shaheen said that is true to a certain extent. Some newer browsers actually prevent you from going to the site. They ask the user: do you trust the site? I don’t trust this site.

Shahrokh said consumers usually don't have that prevention. His work machine always asks him.

Abbie said you are raising a point. This is transparent, but with proper education it can help. As long as you don’t enter un/pw, etc. [on the bad site] you are ok.

Shaheen said he was thinking that once you go to the web, the cookies are already exposed, so they already profiled you.

Abbie said that is the best we can do here. We can't prevent them from going to a site, but there is extended validation.

Abbie said the next is eavesdropping. We are still on phishing. Should we say to use SSL?

Yes.

There was a discussion of mutual SSL.

Abbie asked: no transmitted password, is that correct? We can say encrypt or hash the password.

Shaheen said but a hash of a password is still a password if someone is eavesdropping.

Abbie continued to physical biometric. This came from our TC? Is that a device?

Peter gave the example of an iris scan.

Shaheen asked: are we talking about a second factor?

Abbie said the eavesdropping assumption is an open communication channel. So how does a biometric protect us?

Shaheen said it is the same scenario as a hash of the password. The physical coordinates are sent to the server; it is still the "password".

Abbie said if I intercept the biometric, I can reuse it.

Peter said the discussion is relevant. Eavesdropping is not relevant. Trust-el techniques to mitigate, encryption for example, help.

Shaheen commented just say use encryption (encrypted channel).

Abbie said physical biometric needs to go for the same reason.

Peter would delete the examples of encryption.

Abbie said now we are at item 35, replay attack.

Shaheen said you are looking at a one-time factor (varies) that can’t be reused again.

Peter said we should say any additional one-time factor.

Shahrokh said it is a good idea to put in examples.

Abbie said OTP.  He will let Steve wordsmith this.

Abbie said for session hijacking, KBA won’t help.

Peter asked: is session hijacking something we should be worrying about?

Abbie replied Gartner says yes. Whoever controls the session is in charge.

Peter said so once you authenticate to the transaction to elevate the trust, unless you are in an encrypted environment, you are still vulnerable.

Shaheen said even if it is encrypted, you are still vulnerable. You can have a man in the middle that decrypts and re-encrypts.

Abbie said session hijacking is a threat. Encryption won’t do it. They have to do a series of things to succeed. It is a threat we need to take into consideration, but it is difficult to mitigate.

Abbie asked Peter if that was what he meant.

Peter replied he is still struggling to see if session hijacking is relevant.

Abbie said it is relevant, but we don't know how to mitigate it. It is out of scope. We can mention it.

Shaheen said let's take a step back. If I am a server and…, I give you a random key and make sure I get it back over SSL.

Abbie replied the only way is something like Kerberos, an out-of-band secret known to both, so even if something hijacks the session that isn't sufficient.

Shaheen said this is related to eavesdropping.

Abbie said with eavesdropping you can just record.

Abbie said once you take over a session, this is not MIM. We have to be careful here.

Shaheen said I have to see if there is any trust-el involved.

Abbie said part of the redemption is a known secret sent offline, so we can do challenge response.

Shaheen said it goes back to using public/private key.

Abbie said maybe we should change it to say challenge response.

Shaheen said yes, challenge response factor.

Abbie said next, mutual handshake will work. Now MIM, mutual authorization and out of band will work, though they can be broken.

Peter commented you might want to say digital certificates of sufficient strength.

Abbie said mutual authentication is ok.

Shaheen commented about the need for an encrypted session.

Peter said the point is an end-to-end encrypted session is VPN, and you have already said it, so this can be deleted.

Abbie continued to spoofing and masquerading.

Shaheen said line 43.

Peter said once this is done, we need to ask: are these the right columns, too many, too few? We need to do a reality check on the matrix.

Abbie said item 42 is credential theft after assurance…

Abbie asked what about willful credential theft?

Peter asked as opposed to inadvertent?

Abbie clarified if I give you my credential.

Peter replied then that is proxying, not theft.

Abbie gave a fraud example.

Peter replied that is not in scope.

Mary said: isn't validating that the user of the credential is the owner of the credential in scope?

Abbie said that is why I want that start-up to present to the TC.

Peter said that is an interesting thought, Mary.

Abbie made a note on fraud mitigation.

Shaheen commented that Mary raised a valid use case where a credential is stolen or compromised. It goes back to credential theft.

*** Abbie took an action item to check with Mary afterwards.

Abbie asked about spoofing and masquerading: why is this one entry?

Peter said that is the way it was presented in the original.

Abbie asked: do we want to keep them together?

Peter replied I think we have covered this already. In column g, see above, number 4.

Abbie said what we need now is to send this to Steve and the rest of the editors.

Abbie said we need a plan for the next call. The editors need to give it a read. The TC needs to say if it is complete or missing something. This is an action item for all.

Abbie said for the next call, the editors will give an updated version, and for the following call he would like a vendor presentation in this area and a critique of our work.

Abbie asked Mary: can you get Ant Allen to review it?

Mary said she can ask him.

Abbie asked Don if he could do this with the UK engagement.

Don replied it is a good test bed.

Abbie identified other groups that we might get to review the draft: ITU-T, Colin, Kantara IAF working group, and maybe Bob Blakley and IDESG.

Abbie said he also wants to present it to one of Cathy’s standards meetings. So I think we have a plan.
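The eavesdropping and replay points raised under the editors' update (a hashed password that is sniffed is still a reusable password, whereas a challenge-response factor built on a secret shared out of band is not) can be shown in code. This is an added illustration, not part of the minutes or any TC deliverable; the shared secret and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed example secret standing in for a key provisioned out of band
# (the Kerberos-style shared secret mentioned in the discussion).
SHARED_SECRET = b"constructed-out-of-band-secret"


def client_hash(password: str) -> bytes:
    """Client hashes the password before sending it ('hash the password')."""
    return hashlib.sha256(password.encode()).digest()


def static_hash_login(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Server side: whatever arrives on the wire is compared to the stored value."""
    return hmac.compare_digest(stored_hash, presented_hash)


def replayed_hash_is_accepted(password: str) -> bool:
    """An eavesdropper records the hash once and replays it; the server cannot tell."""
    stored = client_hash(password)
    recorded_on_wire = client_hash(password)  # same bytes every session
    return static_hash_login(stored, recorded_on_wire)


class ChallengeResponseServer:
    """Server issues a fresh random nonce per login; each nonce is usable once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already consumed challenge
        self._outstanding.discard(nonce)  # one use only, so replay is rejected
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the secret without ever transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def challenge_response_round(server: ChallengeResponseServer, secret: bytes):
    """Returns (legitimate login accepted, recorded response replay accepted)."""
    nonce = server.challenge()
    response = client_respond(secret, nonce)
    legit_ok = server.verify(nonce, response)
    replay_same_nonce = server.verify(nonce, response)          # recorded pair
    replay_new_nonce = server.verify(server.challenge(), response)  # fresh challenge
    return legit_ok, (replay_same_nonce or replay_new_nonce)
```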

 

6. Attendance Update

We achieved quorum.

 

7. Adjournment

Abbie asked for a motion to adjourn.

Peter made a motion to adjourn.

Don seconded it.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

 

OASIS Biometrics TC

c/o Kevin Mangold, NIST

100 Bureau Drive Stop 8940

Gaithersburg, MD 20899 USA

 

24 May 2013

 

Dr. Abbie Barbir

Chair, OASIS Electronic Credential Trust Elevation Methods (Trust Elevation) TC

c/o Bank of America

 

Mr. Don Thibeau

Chair, OASIS Electronic Credential Trust Elevation Methods (Trust Elevation) TC

c/o Open Identity Exchange

 

 

 

Subject: Establishment of Liaison Relationship

 

 

 

 

Dr. Barbir and Mr. Thibeau:

 

The OASIS Biometrics TC would like to request the establishment of a liaison relationship between

ourselves and the OASIS Electronic Credential Trust Elevation Methods (Trust Elevation) TC.

 

We would like to start off by providing some background on the Biometrics TC and its goals. In

2005, a collaborative project between INCITS and OASIS was initiated to develop a standard in the

area of Biometric Identity Assurance Services (BIAS).  The intent of BIAS is to provide a common

method of remotely invoking biometric operations over a services-based framework. BIAS is meant to

be biometric modality/technology and application/domain independent.  It defines generic biometric

services and does not define a mechanism for their integration into authentication protocols. The

OASIS BIAS project became an official OASIS Standard in May of 2012.

 

To broaden the scope of the biometrics work being performed in OASIS, it was decided to create a

new TC which acted as a venue for projects that synergize web services and biometrics. This TC will

start off by developing WS-Biometric Devices, a specification for command and control of biometric

sensors through RESTful web services. Also, any further development or related projects to the

OASIS BIAS Standard will be done in the OASIS Biometrics TC.

 

It is not the TC’s intention to duplicate any work being performed in related committees of other

standards development organizations, but rather leverage and reuse such work. This liaison

relationship between ourselves and the Trust Elevation TC will allow for communication between

committees to ensure adequate knowledge transfer and conversations/discussions as well as providing

the opportunity for us to offer our expertise, which may be of value to ongoing projects.

We are nominating Anne Wang from 3M Cogent to act as our liaison. She is very active in other

standards development organizations: ISO/IEC JTC 1 SC 37 and INCITS M1 (both biometrics focused).

 

We appreciate your favorable consideration of our request.

Sincerely,

 

Kevin Mangold

Chair, OASIS Biometrics TC

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

Contents of chat room

anonymous morphed into Gershon Janssen

anonymous morphed into Suzanne Gonzales-Webb

anonymous morphed into Colin_NZ

Peter Alterman: anyone else having trouble hearing Abbie over the static?

Shaheen: yes

Peter Alterman: Colin, there is an NZ-local call-in number you can use.

Colin_NZ: Sorry..that may be me..we live in the country and on cold winters we get problems with the phone line..either water in the line or sometimes mice eating the plastic conduit.. . I'll try Skype

Colin_NZ: ..and yea, I was on a local number..

anonymous morphed into Cathy Tilton


