Subject: Minutes for June 27th call
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
June 27, 2013.
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
Abbie Barbir, Bank of America - y
Anil Saldhana, Red Hat
Brendan Peter, CA
Carl Mattocks, BofA
Cathy Tilton, Daon
Charline Duccans, DHS
Colin Wallis, New Zealand Government - y
Dale Rickards, Verizon Business
David Brossard, Axiomatics
Debbie Bucci, NIH
Deborah Steckroth, RouteOne LLC
Detlef Huehnlein, Federal Office for Information
Don Thibeau, Open Identity Exchange - y
Doron Cohen, SafeNet
Doron Grinstein, BiTKOO
Gershon Janssen - y
Ivonne Thomas, Hasso Plattner Institute
Jaap Kuipers, Amsterdam
James Clark, OASIS
Jeff Broburg, CA
John "Mike" Davis, Veteran's Affairs
John Walsh, Sypris Electronics
Julian Hamersley, Adv Micro Devices
Kevin Mangold, NIST
Lucy Lynch, ISOC
Marcus Streets, Thales e-Security
Marty Schleiff, The Boeing Company
Mary Ruddy, Identity Commons - y
Massimiliano Masi, Tiani "Spirit" GmbH
Mohammad Jafari, ESC
Peter Alterman, SAFE-BioPharma
Rainer Hoerbe
Rebecca Nielsen, Booz Allen Hamilton
Ronald Perez, Advanced Micro Devices
Scott Fitch, Lockheed Martin
Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y
Shahrokh Shahidzadeh, Intel Corp - y
Suzanne Gonzales-Webb, VA - y
Thomas Hardjono, M.I.T.
William Barnhill, Booz Allen Hamilton
Adrianne James, VA
Steve Olshansky - y
86 percent of the voting members were present at the meeting. We did have quorum.
3. Agenda review and approval
We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.
The agenda was approved.
4. Approval of the Minutes
Don asked if there were any objections to approving the minutes from the last meeting on June 13, 2013.
Don asked for a motion.
Colin made a motion to approve the June 13 minutes.
Shahrokh seconded the motion.
There were no objections.
The minutes were approved.
5. Editors' Update
Steve introduced the latest draft. He removed the philosophical approach and diagram section that was carried over. He will follow up on the note in section 2.2. In section 3.1.1, he deleted the editor's note. This is something that we need to address.
Steve continued that the first material change is the Venn diagram created after the last editor’s call. This is not a finalized graphic. It is a draft for discussion purposes. Does it convey the message appropriately?
Mary commented that she liked it.
Don seconded that.
Steve asked for additional feedback.
Colin reported that the text is hard to read against the blue.
Steve said the next new bit summarizes changes from the editor’s call: how to achieve LOA-1.
Colin commented it is fine, but we should mention the example of the technique.
Steve said that would be KBA.
Colin talked about adaptive authentication. He asked if people had heard of it.
Mary has heard of it.
Colin discussed adaptive authentication and asked whether the term is well enough known.
Mary said there are currently many related terms. Gartner is using the phrase “adaptive access control.”
Steve commented that he considered this KBA.
Mary continued further that dynamic KBA can be used for adaptive access control.
Colin asked where this leaves us for terms on paper.
Mary said she would have stayed with KBA as it is more specific. Much trust elevation is an example of adaptive access control.
Steve said that is what he was trying to achieve, to be more specific. He welcomes feedback on more wordsmithing.
Don said it provides valuable context.
Steve continued, one big question is should we move the table to an appendix. Should we augment it with a simplified version in the document? The table is the guts of the document.
Colin asked when you say simplify, what might that entail?
Steve said that is a good question.
Shaheen said let me give it a try. The table talks about 800-63; do we all use the same LOAs within our companies? I don’t think so. We may need to come up with a more generic term. Maybe in the next call we can come up with a simplified version. Right now, if I don’t know about 800-63-2, I don’t know what is in this table. Does that make sense? The content pretty much will be LOA threats and mitigation.
Colin asked how the table would actually change then.
Shaheen said some of the context might be simplified. From an engineer’s point of view, you don’t know what these references are.
Colin said you would need all these documents to understand this.
Steve said we can provide document links, and he is still a little unsure about the Zygma reference. He will check with Peter, at minimum we need to check that it is public and easily available.
Colin said he could sense where Peter might want to go. It is in here because we have X.1254 and it is a reference. It looks like an attempt to make an alternative. So it does two things. If you couldn’t use X.1254, you have this document. Since this TC has hopefully put both together. It depends when we think 800-53 will get traction and adoption.
Colin said there are ways to make it more readable. There could be a legend in the beginning that explained what the acronyms stood for.
Steve agreed. He will work on that.
Shahrokh asked should we repeat all the “non-applicable” entries. If we remove them, maybe that would simplify the document. There are a lot of them.
Steve recalls that Pete developed the first draft of the table.
Mary replied yes, the first draft was Peter’s.
Steve asked who else was involved.
Shaheen said there was input from others. But Peter really did a good job of drafting this.
Steve said then we will table the question of moving this to the appendix, and we will take this up on the editor’s call.
Shaheen commented or it could be the other way around, and put a simplified version in the appendix.
Steve asked for other questions.
Shaheen said each use case has its own situation, and each entity would have its own context, and the type of elevation may vary entity to entity. I’m curious, maybe we should provide a worksheet and people can use this table as a reference to come up with their own method. They could use the worksheet to elevate from one LOA to the next. I’m trying to see how this [document] will be adopted.
Steve concurs that this table can be somewhat dense. Mapping it to use cases may be a good approach to bringing it to a concrete form. We can present a framework to develop your own use cases, and then the reader can map their use cases onto it.
Shaheen said correct me if I’m wrong, the goal of the TC is to come up with a protocol that can be used by everyone and adopted by everyone. So I think it makes sense to come up with those tables.
Mary replied, we hope ultimately to do that, but I don’t believe we are quite ready to do it.
Steve said that is not in scope for the 3rd document. The third is laying the groundwork. Steve likes concrete use cases. Likely this will be passed up to senior management. Use cases will help bring the message home.
Colin said we have use cases in the first deliverable.
Shaheen said we did a survey. We announced it today. We need to apply it to this table.
Colin commented so they are hypothetical.
Shaheen said on last week’s call we had a use case for online banking. We would like to clean it up more before presenting it to the TC.
Steve continued, so the action item for me is to develop a legend for this table.
Shaheen commented, you see those in the third column? Those need to be more cleaned up.
Steve asked for more detail.
Shaheen said we can discuss it. It goes back to making it presentable to senior management.
Steve asked is it correct that this deliverable may be shown to senior management?
…discussion… (People will need something to show senior management.)
Don commented this could be the basis for a white paper that may accomplish this purpose.
Steve continued with the content below the table. Here are a couple of editor’s notes. He will follow up with Mary offline. Section 4.1 is unchanged. As he moves from draft to draft version, should he accept the changes each time? Barring objections, that is what he continues to do. In section 4.3.1 there is a highlighted section. That is the end of the changes.
Colin asked to please confirm whether, in 4.3.1, it is authentication strength or authentication technique.
Steve replied technique makes it clearer.
Shahrokh said at some point in 4.3.1 we were going to create a brand name for us.
Shahrokh said what NIST has defined is generic. Sometime ago we discussed the possibility of creating our own assurance level brand on top of NIST. We can say what is the minimum required to dial into the good, better, best for each level. You can’t give a single recipe. Right now we call it authentication strength. Is that a good term? Everyone uses LOA, right?
Shaheen commented that some don’t. We have to come up with a term. LOA is too broad.
Shahrokh said because we consider context, each will vary by context.
Colin said section 5 is the performance clauses. What we say will have direct bearing.
Don commented that we close this call with some ambivalence on how we relate to the NIST LOA.
6. Attendance Update
We achieved quorum.
Don asked for a motion to adjourn.
Mary made a motion to adjourn.
Colin seconded it.
The meeting was adjourned.
abbie barbir bofa: Passcode: 637 218 8139
US toll free 1-866-222-6652
Int'l Toll: 1-980-939-6928
- Australia, Sydney: +61 (0) 2 8064 4811
abbie barbir bofa: Webex: Meeting scheduled: Trust Elevation TC Bi-weekly
To join the online meeting (Now from mobile devices!)
1. Go to https://attend.webex.com/attend/j.php?ED=179798197&UID=1382908852&RT=MiMxMQ%3D%3D
2. If requested, enter your name and email address.
3. If a password is required, enter the meeting password: (This meeting does not require a password.)
4. Click "Join".
To join the teleconference only
Call-in toll-free number (Premiere): 1-8662226652 (US)
Call-in number (Premiere): 1-9809396928 (US)
Show global numbers: https://www.myrcplus.com/cnums.asp?bwebid=8369444&ppc=6372188139&num=18662226652&num2=19809396928
Attendee access code: 637 218 8139
abbie barbir bofa: Agenda
Abbie barbir bofa: 1. roll call
2. agenda bashing
3. approve minutes
4. editors update
5. roll call
abbie barbir bofa: webex is on and opened, please try to get on it so you can see the documents
abbie barbir bofa: https://attend.webex.com/attend/j.php?ED=179798197&UID=1382908852&RT=MiMxMQ%3D%3D
Jershon Janssen: Hi all, I just joined the meeting.