Subject: Notes from October 3 meeting
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee, October 3, 2013.

1. Call to Order and Welcome

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below):

Abbie Barbir, Bank of America - y
Anil Saldhana, Red Hat
Bob Sunday
Brendan Peter, CA
Carl Mattocks, Bofa
Cathy Tilton, Daon
Charline Duccans, DHS
Duane DeCouteau
Colin Wallis, New Zealand Government
Dale Rickards, Verizon Business
David Brossard, Axiomatics
Dazza Greenwood
Debbie Bucci, NIH
Deborah Steckroth, RouteOne LLC
Detlef Huehnlein, Federal Office for Information
Diego Matute, Centrify
Don Thibeau, Open Identity Exchange - y
Doron Cohen, SafeNet
Doron Grinstein, BiTKOO
Gershon Janssen - y
Ivonne Thomas, Hasso Plattner Institute
Jaap Kuipers, Amsterdam
James Clark, OASIS
Jeff Broburg, CA
John Bradley
John "Mike" Davis, Veterans Affairs
John Walsh, Sypris Electronics
Jonas Hogberg
Julian Hamersley, Adv Micro Devices
Kevin Mangold, NIST
Lucy Lynch, ISOC
Marcus Streets, Thales e-Security
Marty Schleiff, The Boeing Company
Mary Ruddy, Identity Commons - y
Massimiliano Masi, Tiani "Spirit" GmbH
Mike Harrop
Mohammad Jafari, ESC
Peter Alterman, SAFE-BioPharma - y
Rainer Hoerbe
Rebecca Nielsen, Booz Allen Hamilton - y
Rich Furr
Ronald Perez, Advanced Micro Devices
Scott Fitch, Lockheed Martin
Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y
Shahrokh Shahidzadeh, Intel Corp
Suzanne Gonzales-Webb, VA - y
Tony Rutkowski
Tony Nadlin
Thomas Hardjono, M.I.T.
William Barnhill, Booz Allen Hamilton
Adrianne James, VA
Patrick, Axiomatics
Steve Olshansky - y

67 percent of the voting members were present at the meeting. We did have quorum.

3. Agenda Review and Approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

The agenda was approved.

4. Approval of the Minutes

Mary asked if there were any objections to approving the minutes from the last meeting on September 19, 2013. Abbie asked for a motion. Peter made a motion to approve the September 19th minutes. Don seconded the motion. There were no objections. The minutes were approved.

5. Editors Update

Steve began the update. We had a slightly longer than two-week comment period. We received feedback from three people. Comments closed as of EOD Monday. We received feedback with comments and have created an updated version of the document. We received a request for clarification from Tony. Steve has sent a request for clarification. Ant Alan of Gartner also provided feedback. We are going to go back to him for some more clarification. We sent it to a couple dozen people. Peter made a presentation to BITS. It went very well. There wasn't much feedback. We are hoping for more feedback from sending them a working draft and a copy of the slides. So some of the feedback we received was helpful, but the number of people providing feedback was disappointing.

Steve shared working draft 07, which included his response to the feedback received so far. The first change clarified that the focus is trust elevation, not credential management. Second, the language about a weak binding was changed. At the bottom he added the intended audience for the document, and a note that while it uses NIST, this could easily be extended. Peter disagreed: the baseline is X.1254. Abbie asked how it could then be labeled NIST centric. Peter said we need to make it less NIST visible. If there were a 27001 or 27002 column that was aligned, that would help. Don replied yes, because visibility could be seen as endorsement. Peter continued that it isn't too NIST centric, just too NIST visible. Don commented, well said. Steve agreed. We are also using NIST LOA throughout. Peter suggested one thing that would mitigate that is to use the UK or Canadian tScheme on which NIST LOA is based. Peter asked Don if he has access to the UK LOA documents.

Abbie concluded, let's put an action item on getting a public reference to these two documents. Peter suggested that because the LOA model is a UK government model we should probably go to the UK folks. Maybe Don can do this.

*** Action item: get a public reference to the mentioned documents. (Abbie thinks he can do this.)

Peter asked, do we have anyone who can put an ISO/IEC 27001, 27002 column on that?

*** Action item: add 27001 and 27002 column. Steve said we can put the request to the list.

Steve continued: in 3.1 he added a sentence about NIST LOA being one example. Peter liked that.

Steve continued with feedback on the table. He added more context to the header. The first change was in row 4, online guessing. Credential lockout isn't really used any more. HTML 5 local storage data is increasingly used instead of cookies, so it does bump up against EU privacy requirements. For the phishing threat, extended validation certificates or SSL are not relevant there. No one pays attention to the lock. Shaheen commented that is true for most, but some people do. Peter said checking SSO certificates is a best practice; whether consumers check them is a different matter.

Steve continued with row 7, replay attack. Channel binding is relevant, not physical security. Peter agreed.

Steve continued with row 9: delete VPN, as it is only marginally useful. Peter replied he is not sure about that. Abbie is not sure either. Peter said VPN is a form of TLS. Steve will keep it in. Abbie said it is a little bit stronger than TLS. Peter said it is encrypted point to point, what is the problem? Shaheen said it is far better than a one-way SSL handshake. Peter concluded, we have to keep that.

Steve continued with row 10, credential threat. Shaheen said keep cookies. There are a lot of applications that still use cookies. Steve also added HTML 5 local data. He cited an RFC as best current practice. Peter commented that we had a lot of good stuff. Peter stated we need to move on with what we have.

Steve commented the landscape is moving quickly. Abbie suggested if we can send it quickly to Eve and get a response, then after Eve and Ant… Peter commented we have 3 targeted responses remaining: Eve, Ant and BITS; and we are also trying to get the UK LOA citation and 27001/27002 for maybe an additional column to the table. Next steps are to publish a deadline for the open action items. Then we need to send it to OASIS. Peter wondered if Mary, in her role as TC secretary, should follow up with Ant.

6. Attendance Update

We achieved quorum.

7. Adjournment

Rebecca made a motion to adjourn the call. Peter seconded the motion. The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

anonymous morphed into Diego Matute
Gershon Janssen: +1 to the webinar; you can count me in for participation and willing to help prepare.
anonymous morphed into Suzanne Gonzales-Webb