trust-el message



Subject: Notes from September 5th Call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

September 5, 2013.

1. Call to Order and Welcome.


Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, BofA

Cathy Tilton, Daon 

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government  - y 

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange   

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark, OASIS

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veterans Affairs

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST 

Lucy Lynch, ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC

Peter Alterman, SAFE-BioPharma - y 

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh, Intel Corp - y

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA -y

Patrick, Axiomatics

Steve Olshansky  - y


90 percent of the voting members were present at the meeting. We did have quorum.

2. Agenda review and approval

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

 

Peter explained that the goal for the meeting is a final review of the draft. Today’s discussion is a last shot before we send it out. Then we will discuss who we will send it out to.  Steve has some text questions. 

 

The agenda was approved.

 

3. Approval of the Minutes

 

Mary asked if there were any objections to approving the minutes from the last meeting on August 22, 2013.

 

Mary asked for a motion.

Peter made a motion to approve the August 22 minutes.

Shaheen seconded the motion.

There were no objections.

The minutes were approved. 

 

 

4.  Editors Update.

 

Steve began with a question about non-normative references, x.1254. We had both ISO and ITU-T references to x.1254.

 

Abbie said just reference the ITU-T one. They are almost identical, with the exception of a couple minor error changes at the very end.

 

Colin pointed out that if you can provide a reference to a document that is available for no charge it is preferable.

 

Abbie said we should say, from the perspective of our work, they are pretty much identical.  We should refer to it so the organizations that follow ISO can get comfort. We should add it in the text that though we are using the ITU-T document, from a technical perspective it is equivalent to the ISO doc.

 

Peter commented the language is “no substantive difference between the two exists”.

 

Adrianne asked are you looking for the ISO number?

 

Peter explained we are trying to express that they are almost the same but not quite.

 

Steve asked should I add the previous deliverables as non-normative references?

 

Mary said there is currently an issue of how to refer to the first two deliverables.  We had intended for them to be committee notes, but there were issues with the way they were approved, so we need to repeat the process.

 

Steve said they are referenced in the very first page. It has related work.

 

Mary explained the current administrative challenge of how to refer to the first two deliverables and asked Peter for his advice.

Peter commented this is just a procedural nit.  Point to URL and leave it at that. Include them as non-normative references.

 

Colin said we could put it in a bibliography.

Steve replied he will not include them as non-normative references as they are also listed as related work.

 

Peter said that will work.

 

Steve continued. He is stumped about how to blend a comment and a new paragraph that we had:

“What we are addressing…. we consider extended attributes to be outside the scope...”

 

Peter made a suggestion.

 

Colin commented good call Peter.

Steve said moving on to section 3.1, we had a placeholder for how to use the table. So unless someone has a definitive suggestion, we could just change that. Do people really need instruction or can we just lose that?

Shahrokh asked for clarification about which text Steve was talking about.

Steve replied the placeholder text about the legend.

Shahrokh prefers to have the legend.

Steve said the legend can stay. Maybe just remove the placeholder text.

Peter said if we were going to add text on how to use the table, “Utilize the table to identity threat vectors that the initial credential does not mitigate and then employ one or more of the associated methods to raise the trust in the transaction.” But that should be sort of self-evident, or maybe not.

Shahrokh said then why not change the title of the section to be more consistent. Say what the table is, rather than how to use the table. Define the table value and what the reader is going to get out of the table.

Peter replied I got it.

Shahrokh continued the description of the table...

Peter said this table arrays threat vectors and mitigation methods for those particular threat vectors. Trust elevation is a process of mitigating unaddressed threat or substantially improving trust in a previously mitigated threat.

Colin commented he wants to change the sub heading.

Shahrokh said threat vectors and mitigating methods.

Shaheen said instead of mitigating trust elevation techniques.

Colin said where we have a sentence between the first and second, that indicates …. as described in ITU-T trust elevation techniques and controls from deliverable 2... we reference 800-63.1 and 800-63.2 is published for comment. I’m just wondering if we should describe those titles. We need a new sentence to just barely describe the headers of those columns.

Shahrokh asked is this table a reference table or something everyone can use. It is a standard or a reference table. Or should we say this table can be customized for corporate trust elevation techniques.

Peter said this table can be utilized. I wouldn’t want to say customized. It can be utilized for specific purposes by specific parties depending on their circumstance. It is just a generic table of processes and methods.

Steve asked shall we call this document a protocol?

Shaheen said we definitely have some good material.

Steve responded, Peter that sentence is correct, but it is not helpful to put it in the text.

Peter asked so what if we are silent on this point, as we haven’t come up with anything that makes this any clearer.

Colin said we have to normalize the column headings somewhere. We are so close to it; we know what x.1254 threats are.

Peter said I agree with you, Colin. I’m trying to get to clarity. We arrayed the threats based on those identified in x.1254. We then arrayed the mitigations from x.1254 and other documents.

Shaheen said the techniques we listed are not specific to x.1254, so just say threats and controls, rather than x.1254. We prepared this table based on x.1254 threats and controls. Then on the table, we say these are the trust elevation techniques from name of second deliverable. This would go for folks adopting x.1254, but what about the others?

Steve asked why would you want to remove the x.1254 reference from the column headings?

Peter commented I don’t think we want to do that.

Shaheen said if we say it is x.1254, we are stuck, and limited to them.

Peter said that is correct and it is ok to be explicit with that. We decided x.1254 had a comprehensive list of the state of the art. We need to keep that in there as that documents that decision.

Shaheen said I’m fine with documenting that decision. If we want table adoption we should keep it generic. A threat is a threat. It is not specific to x.1254. It makes sense for anyone to start adopting it.

Mary commented that Steve talked about providing this information in the document, not the table.  The table is not big enough to document it right in the table anyway.  We decided to choose specific things. This is our product.  We need to document it for credibility.

Peter said makes sense to me.

Steve concluded just call them threats and controls.

Colin said …the TC arrayed the…add a sentence that says… against the trust elevation methods and information consultant Zygma LLC analysis of controls from 800.53-2 about information security…

Steve continued, though there were later revisions, we decided that they were not different enough to warrant starting over.

Shaheen said this stands alone.

Steve said the world moves on. We can’t get too caught up in everything that is changing.

Peter asked do we want to document this in section 3.1

Steve replied I take your point Peter, in the new sentence. Plus we also arrayed controls from 63-1.

Peter said … against mitigation methods …described in 800-63 and …..

Peter said next you want to say, we know there are ongoing revisions of all these documents. We are aware of the fact that all of these documents we used are constantly being revised. And so, this table will need to be revised from time to time as substantive to the source documents

Shaheen asked is there a way to put a link to the updated table to make the document somewhat live, if it will change all the time? The latest and greatest table can be found – click here.

Colin said we do that in the OASIS Trans Government TC. We actually link to the oasis wiki that holds the latest version.

Shaheen said remember I said we need to coin something that it is trust-el that did this table and it can stay live all the time.

Steve continued, on rows 13 and 14 of the table, we split spoofing and masquerading. The comment assigned the issue to Abbie and Colin.

Colin said we did do some work, but we didn’t come to a conclusion.  The work that we did is that they are very similar.  One can do IP masquerading without malicious intent.  Spoofing is always malicious. So do we try to make that fine distinction here.

Abbie replied I think we should.

Shaheen asked why is masquerading not always malicious?

Colin replied I think that IP masquerading is not always malicious. There can be genuine reasons, especially using virtual machines.

Peter asked them to resolve this issue over email and fix that sentence before the end of this week.

Steve said we can talk about reviews on the mailing list.

Peter declared that as soon as the guys clear that issue, Steve will send this out first to all participants, and next to a list Steve has put together, an additional list of individuals and organizations. Steve, please send the proposed list to the list and ask for additions.

Peter said anyone can make recommendations themselves or email Steve.

Steve said we need a mechanism for receiving input.

Peter replied: email to you.

5. Attendance Update

We achieved quorum.

 

6. Adjournment

Peter adjourned the call.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

abbie barbir bofa: CHAT ROOM

 

http://webconf.soaphub.org/conf/room/trust-el

 

Passcode: 637 218 8139

 

US toll free 1-866-222-6652

 

Int'l Toll: 1-980-939-6928

 

- Australia, Sydney: +61 (0) 2 8064 4811

abbie barbir bofa: Webex: Meeting scheduled: Trust Elevation TC Bi-weekly

 

-------------------------------------------------------

To join the online meeting (Now from mobile devices!)

-------------------------------------------------------

1. Go to https://attend.webex.com/attend/j.php?ED=179798197&UID=1382908852&RT=MiMxMQ%3D%3D

2. If requested, enter your name and email address.

3. If a password is required, enter the meeting password: (This meeting does not require a password.)

4. Click "Join".

abbie barbir bofa: Peter will lead the discussion

abbie barbir bofa: Webex is open

abbie barbir bofa: Steve are you joining the webex?

Gershon Janssen: Will be there a couple of minutes after the hour.

abbie barbir bofa: i just made Steve Olshansky presenter in Webex

abbie barbir bofa: lol
