trust-el message

Subject: Notes from October 3 meeting


 

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

October 3, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

 

 

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon 

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government 

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange  - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark, OASIS

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST 

Lucy Lynch, ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC 

Peter Alterman, SAFE-BioPharma - y 

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton  - y

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y 

Shahrokh Shahidzadeh, Intel Corp

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA 

Patrick, Axiomatics

Steve Olshansky  - y

 

67 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el. The chat room text is included at the end of the minutes.

               

 

The agenda was approved.

 

3. Approval of the Minutes

 

Mary asked if there were any objections to approving the minutes from the last meeting on September 19, 2013.

 

Abbie asked for a motion.

Peter made a motion to approve the September 19th minutes.

Don seconded the motion.

There were no objections.

The minutes were approved. 

 

 

4. Editors' Update

 

Steve began the update. We had a slightly longer than 2 week comment period. We received feedback from three people. Comments closed as of EOD Monday. We received feedback with comments and have created an updated version of the document. We received a request for clarification from Tony. Steve has sent a request for clarification. Ant Allan of Gartner also provided feedback. We are going to go back to him for some more clarification. We sent it to a couple dozen people.

 

Peter made a presentation to BITS. It went very well. There wasn't much feedback. We are hoping for more feedback from sending them a working draft and a copy of the slides. So some of the feedback we received was helpful, but the number of people providing feedback was disappointing.

 

Steve shared working draft 07, which included his response to the feedback received so far. The first change clarifies that the focus is trust elevation, not credential management. Second, the language about a weak binding was changed. At the bottom he added the intended audience for the document, and that while it uses NIST, this could easily be extended

 

Peter disagreed; the baseline is X.1254.

 

Abbie asked how, then, it could be labeled NIST centric.

 

Peter said we need to make it less NIST visible. If there were an aligned 27001 or 27002 column, that would help.

 

Don replied yes, because visibility could be seen as endorsement.

 

Peter continued that it isn't too NIST centric, just too NIST visible.

 

Don commented well said.

 

Steve agreed. We are also using NIST LOA throughout.

 

Peter suggested that one thing that would mitigate that is to use the UK or Canadian tScheme on which the NIST LOA is based.

 

Peter asked Don if he has access to the UK LOA documents.

 

Abbie concluded: let's put an action item on getting a public reference to these two documents.

 

Peter suggested that because the LOA model is a UK government model, we should probably go to the UK folks. Maybe Don can do this.

 

***Action item to get public reference to mentioned documents. (Abbie thinks he can do this.)

 

Peter asked whether we have anyone who can put an ISO/IEC 27001, 27002 column on that.

 

*** Action item to add 27001 and 27002 column.

 

Steve said we can put the request to the list.

 

Steve continued: in 3.1 he added a sentence about NIST LOA being one example.

 

Peter liked that.

Steve continued with feedback on the table. He added more context to the header. The first change was in row 4, online guessing. Credential lockout isn't really used any more. HTML5 local storage is increasingly used instead of cookies, so it does bump up against EU privacy requirements.

 

For the phishing threat, extended validation certificates or SSL are not relevant there. No one pays attention to the lock.

 

Shaheen commented that this is true for most, but some people do.

 

Peter said checking SSO certificates is a best practice; whether consumers check them is a different matter.

 

Steve continued with row 7, replay attack. Channel binding is relevant, not physical security.

 

Peter agreed.

 

Steve continued with row 9: delete VPN, since it is only marginally useful.

 

Peter replied he is not sure about that.

 

Abbie is not sure either.

 

Peter said VPN is a form of TLS.

 

Steve will keep it in.

 

Abbie said it is a little bit stronger than TLS.

 

Peter said it is encrypted point to point; what is the problem?

 

Shaheen said it is far better than a one way SSL handshake.

 

Peter concluded that we have to keep it.

 

Steve continued with row 10, credential threat.

 

Shaheen said keep cookies. There are a lot of applications that still use cookies.

 

Steve also added HTML5 local storage data. He cited an RFC as best current practice.

 

Peter commented that we have a lot of good material.

 

Peter stated we need to move on with what we have.

 

Steve commented the landscape is moving quickly.

 

Abbie suggested that if we can send it quickly to Eve and get a response, then after Eve and Ant…

 

Peter commented that we have 3 targeted responses remaining: Eve, Ant and BITS; and we are also trying to get the UK LOA citation and 27001/27002 for a possible additional column in the table.

 

Next steps are to publish a deadline for the open action items. Then we need to send it to OASIS.

 

Peter wondered if Mary, in her role as TC secretary, should follow up with Ant.

 

5. Attendance Update

We achieved quorum.

 

6. Adjournment

Rebecca made a motion to adjourn the call.

Peter seconded the motion.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

 

anonymous morphed into Diego Matute

 

Gershon Janssen: +1 to the webinar; you can count me in for participation and willing to help prepare.

 

anonymous morphed into Suzanne Gonzales-Webb
