Notes for October 17th Call

["Mary Ruddy" <mary@meristic.com>]

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

October 17, 2013.

1. Call to Order and Welcome.

 

2. Roll Call

 

 

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon 

Charline Duccans, DHS

Duane DeCouteau

Colin Wallis, New Zealand Government 

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diana Proud-Madruga - y

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange  - y  

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST 

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC  - y

Peter Alterman, SAFE-BioPharma  

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton 

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch Lockeed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A.  

Shahrokh Shahidzadeh (Intel Corp  - y

Suzanne Gonzales-Webb, VA  - y

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA 

Patrick, Axiomatics

Steve Olshansky  - y

 

55 percent of the voting members were present at the meeting.  We did have quorum.

 

 

2. Agenda review and approval

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el   chat room text is included at the end of the minutes.

               

 

The agenda was approved.

 

3. Approval of the Minutes

 

Don asked for a motion to approve the minutes from the last meeting on October 3, 2013.

Gershon made a motion to approve the October 3rd minutes.

Suzanne seconded the motion.

There were no objections.

The minutes were approved. 

 

 

4.  Editors Update.

 

Abbie began by explaining that this deliverable (and Trust-el) is more about the RP trying to know more and more about the client.  Do we need to have something in the stack so the client needs to trust-el the RP. I think we should say somewhere that we have not done it.

 

Mary agreed

 

Don said the Zero trust approach seems appropriate.

 

Abbie said this could connect to the NSTIC trust mark work, if it worked.

 

Don said if this trend to hub models continues it could be part of the hub.

 

Shahrokh has more written feedback for the document.

 

Don sees an opportunity to share our results to date with organizations such as the UK government and FCCX that are pursuing a hub architecture.

 

Shahrokh asked can you aggregate the links to these and have an agenda item for an action item.

 

Don will take that action item. We should do a webinar with some subset of those folks. Perhaps target the FCCX as they start to architect their hub, and IDAP and maybe GSMA.  I will suggest that maybe something in early December we might be able to schedule those interactions.

 

Shahrokh thanked Don.

 

*** Action item for Don to schedule an update with FCCX, IDAP and maybe GSMA.

 

Steve began to walk thru the latest draft posted to the TC. He responded to some comments that we weren’t being international enough. He added a column to the table for ISO 27001. Unfortunately the ISO standards aren’t freely available so the best we can do is link to where they can be purchased.  In section 2 he added a diagram that was derived from the one Peter used in his BITS presentation, to give readers some grounding in the basic process. He also did some context refinement and text refinement. He also modified the audience description

 

Steve continued, in Section 3.1 he added a sentence about NIST LOA being an example.

In the table he added a column for ISO 27001. The references are obtuse. He also added appendix B, a paper Peter wrote.

 

Steve asked for additional comments or suggestion. (silence)

 

Steve continued. Based on email on the next steps on deliverable, there are a few things for the TC to consider.  Should we wait on input from Eve and Ant?  Eve has been provided an updated draft.  We have scheduled time to talk with Ant. Should we keep Eve on critical path?

 

Don suggested that we do to get leverage on her report on bio diversity.  Don will follow-up.

Steve said Abbie obtained a link to the UK documents.  He reviewed and compared them to 800-63 at a high level.  800-63 seemed more focused on specific technologies of second factors, while the UK best practice guide focused more on confidence than technology. He welcomes more comments.

 

Steve asked should we add these as a non-normative reference?

 

Don replied as a minimum.

 

Steve continued, so it is probably premature to trigger the two week waiting period. So by the next call we should have all the input we are expecting, and be able to trigger the two week waiting period.  Unfortunately that puts us in the holiday timeframe. We need to move forward and draw a line in the sand. This is a snap shot.  Should the conversation with the UK folks be accommodated in this version of the document?

 

Don replied I don’t want to slow down this draft. Holding it for a future version is a prudent way to go.

 

Shahrokh asked so what does that mean release date?

 

Steve replied Nov 14th. At which point we would work with OASIS to move it on to the formal approval process.

 

Mary commented that seems reasonable.

 

There was agreement.

 

Shahrokh said there was a question of branding.

 

Mary said we need a clever handle.

 

Don said that is a big ask…

 

Mary said we need something short to call it and to refer to it.  We can’t say the OASIS Electronic Identity Credential Trust Elevation Methods Technical Committee’s third deliverable approach to trust elevation every time we want to refer to it.  There doesn’t need to be any certification process associated with it, just a “handle”.

 

Shahrokh asked if OTrust or IDTrust were taken. We should pick one.

 

Mary replied that there is an IDTrust and iTrust. Those are taken.

 

Shahrokh continued then if those names are taken, just modify the name: O Identity or OTrust, or CTrust and consumer id or trust broker or trust hub.

 

Mary replied something such as the OTrust or CTrust Model could work.

Don commented that this is not to be confused with a trademark.

 

Mary asked what about OASIS Trust Model?

 

Steve suggested using hyphenation…OITrust or O-ITrust.

 

Steve asked does anyone know the OASIS position on branding.  Is there an OASIS mechanism to thwart someone trademarking this?

 

Gershon replied I ‘m not sure of exactly. OAISIS does have some registered trademarks. I think the best route is to check with legal counsel, Jamie Clark,

 

Steve confirmed the schedule.

 

Shahrokh seconded that.

 

Shahrokh asked should we schedule a final team review in early November?

 

5. Attendance Update

We achieved quorum.

 

6. Adjournment

Mary made a motion to adjourn the call.

Mohammad seconded the motion.

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

anonymous morphed into Suzanne Gonzales-Webb

 

anonymous morphed into abbie

 

Gershon Janssen: Joining in a few minutes...

 

anonymous morphed into Diana Proud-Madruga

 

Mary Ruddy: Gershon, can you join the call bridge?  We  need you for quorum

 

abbie: will be back in 10 minutes

 

Gershon Janssen: dailing in now...