OASIS Mailing List Archives

trust-el message



Subject: Minutes from May 13 Trust-el call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

June 13, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

 

 

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon 

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Don Thibeau, Open Identity Exchange - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  - y

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC - y

Peter Alterman, SAFE-BioPharma

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton - y 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh, Intel Corp - y

Suzanne Gonzales-Webb, VA 

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA

Patrick, Axiomatics

Steve Olshansky  - y

 

77 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

 

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. Chat room text is included at the end of the minutes.

 

The item was approved.

 

3. Approval of the Minutes

 

Abbie asked if there were any objections to approving the minutes from the last meeting on May 30, 2013.

 

Abbie asked for a motion.

Rebecca made a motion to approve the May 30 minutes.

Mohammad seconded the motion.

There were no objections.

Minutes were approved. 

 

4. Vote again on approval of second deliverable.

 

 

Mary reported that we didn’t use the correct language when we previously approved the second deliverable.

 

Mary posted an example of an acceptable motion format to the chat room, and read the text: "moves to approve “Analysis of Methods of Trust Elevation Version 1.0” Working Draft 06 and all associated artifacts packaged together at https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/49500 as a Committee Note and designate the Word version of the note as authoritative."

 

Abbie asked someone to make such a motion.

 

Rebecca moved to approve “Analysis of Methods of Trust Elevation Version 1.0” Working Draft 06 and all associated artifacts packaged together at https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/49500 as a Committee Note and designate the Word version of the note as authoritative.

 

Abbie seconded the motion.

There were no objections.

The second deliverable was approved.

 

5.  Editors Update.

Steve began the discussion. This is the version uploaded into the document section of the TC. It is an assembly of the prose.

Shaheen asked that his email be updated.

Steve asked the question: how should we treat the table?

….

Abbie said that basically it is transactional.

Shaheen responded then let’s make that clear in the document.

Abbie said we need to walk thru this. This is just a working draft.  For now, Steve, you need to walk through this.

Steve read thru the draft. A lot of this is boilerplate. If the list is incorrect let me know.

Steve commented that the TOC will be done later in the process.

Steve said the introduction is boilerplate. The second introduction is the real start. He started with the draft.  He added the definition of credential and transaction trust.  He turned on track changes after the initial paste.  He is happy to change anything and everything.

Steve gave us a moment to thread thru it.

Shaheen asked Abbie if he wanted to provide  a reference to the Gartner (GAMES) model.

Abbie replied I think we should.

After discussion…..

Abbie asked to put in an editor note that the TC needs to decide what to do.

Steve skipped to section 4. There was a reference he wasn’t familiar with.

Abbie said it is the same GAMES model.

Steve continued at section 2.1.

Steve continued to 2.2.  He duplicated some material from the second deliverable, for context and asked if we should keep it.

Steve took silence as assent.

Shaheen said it makes sense to have it there for context.

Steve said he wants to make this document standalone.

Shaheen said yes, the diagram helps.

Steve asked if there were any objections.

Hearing none, he continued.

Steve reported that for section 2.3, Abbie was volunteered to work on this more.

Abbie replied maybe by next meeting.  Put my name in big letters.

Steve began section 3, methodologies. Section 3.1, we should revisit this as we focus more on the table.

Steve continued with 3.1.1, controls. He has a note that 800.63 and 53 have both been revised, so there will be some work required to check and see if any changes affect the table.

Steve explained that the table is a simple paste of the Excel table as of the last call.

Shaheen said we did talk about this table and the plan was to flag threat and trust-el.  What the mission is,  what level of trust…

Steve replied do you mean elevate LOA-1 to LOA-2?

Shaheen said we first need to map the controls and what is the acceptable methodology of elevating trust from one to another, what are the combinations, how many factors are needed, etc.  Should we key these to 800-63.2?  Should we say there is a threat, there is a mitigating control?

Don said intentionally noting that movement from one LOA to another is an important part of the work. For those that follow Anil John’s blog: why I will not ride the trust elevator.

Steve commented it makes sense to me to be more specific here. Mechanics are TBD.

Shaheen completely agreed.  Do we cover all kinds of trust methodologies?  Will we be able to cover all combinations in each trust-el?

Mary commented that was the original intent. Agree that though the method is TBD, it is important. 

Abbie said Peter would have thoughts.  We backed off because of the difficulty of this.

Steve asked for each methodology do we want to cover all the trust levels.

Abbie said we need to go to the use case section and show how it can be used.

Shahrokh said so we all agreed that we need to be specific about how trust will be elevated.

Abbie said it is very important. We should talk about how this trust-el will be used in the context of a transaction. Section 4 should say there isn’t a magic bullet. There are too many variables and risks. The way you agree on evaluation of trust is based on the end-to-end system.  This will mean that someone will need to come up with use cases.

Shaheen agreed with Abbie. Most of the use cases we have. We have many types of use cases. But we just documented two use cases.

Abbie said we can build on them or do more if we need to.  I think there is foundational trust on the device. The table should be able to demonstrate the use case.  Our table should be flexible enough to support a lot of use cases. We need to test the table against use cases. If the table doesn’t cover it, the table isn’t complete.

Steve asked Don do you have use cases to submit?  

*** Action item on Steve to get Cathy to provide her NSTIC use cases.

Don said let me take an action item to provide the GSMA mobile use cases.

*** Action item for Don to send the group a deck laying out these initiatives.

Abbie said the reason we went to x.1254 rather than NIST is that x.1254 is relative. It doesn’t restrict which controls you can use at which LOA. He would like Kevin to weigh in.  Is it consistent with 800-62? We can’t contradict NIST. If there is a conflict, we need to say why. We need to be focused more about quality. Everyone is invited to help us deliver a doc that can be used by everyone.

There was agreement.

Abbie said everyone needs to take a couple of days and do a critical analysis of this work.

Steve asked if these editor notes belong in a working draft.

Abbie replied from the ITU-T perspective, sometimes he puts in editor notes where you want contributions.

Steve replied excellent.  He will leave them in.

Steve isn’t familiar with Sigma(sp?) and its analyst.

Shaheen had the same question. He is not sure what this is.

Abbie responded go back to Peter on that.

Shaheen is not sure why the threat column was flagged in a different color.

Abbie replied it was just to make it easier to review.

Steve was not sure what the assumptions should be about the knowledge of the reader. 

Shaheen said if he promoted this it would be to an app developer. They may not understand some of this. It needs explaining.

Abbie said within JP you need to message this with your FFIEC compliance people.

Shaheen replied, I hear you, but this needs to be more generic for any app developer. It should be easy. It needs to be readable and understandable.

Abbie said your first customer will look at how it relates to FFIEC. Based on his discussion with the people who do this at the bank, there is overlap between this document and what they do to ensure compliance. They review how the techniques change the bank’s proprietary risk score. Let’s see if their controls are part of our document.  Abbie has checked with his bank’s approach. If Shaheen could do this, it would be very good validation.

Abbie said we need to use the same terminology across all documents.  The less technical the table, the better off we are.  It should work from CIO to developer.

Steve said for senior execs to fund efforts, they will want to see something.

Abbie said section 3 can be CIO level and section 4 developer level.

Steve said the x.1254 threats was repeated, so I deleted it.

Abbie said we will repackage the table with the least number of columns.

Abbie asked what needs to be done by next meeting?

Steve replied what he hopes for is for people to spend time and really go thru this table - to ensure that it accomplishes what we need to accomplish.  He asked us to review the whole document, but especially the table.

Abbie said let's help Steve reflect what the group thinks.

Steve did sharing of word doc work for call.

Abbie commented that the Webex is working well.

Steve asked how often he should update and upload the draft document.

Abbie responded that we can discuss that.

 

6. Attendance Update

We achieved quorum.

 

7. Adjournment

Abbie asked for a motion to adjourn.

Don made a motion to adjourn.

Shahrokh seconded it.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

Abbie barbir bofa: https://www.oasis-open.org/apps/org/workgroup/trust-el/documents.php?folder_id=2575

abbie barbir bofa: 1. roll call

abbie barbir bofa: 2. agenda bashing

abbie barbir bofa: 3 minutes approval

abbie barbir bofa: editor update

abbie barbir bofa: roll call

abbie barbir bofa: re-voting on the second details

abbie barbir bofa: adjourn

Mary Ruddy: Language for re-vote for approval of the second deliverable:

Mary Ruddy: "Abbie moves to approve Analysis of Methods of Trust Elevation Version 1.0 Working Draft 06 and all associated artifacts packaged together at https://www.oasis-open.org/apps/org/workgroup/trust-el/download.php/49500 as a Committee Note and designate the Word version of the note as authoritative. "

anonymous morphed into Adrianne James VA


