
trust-el message



Subject: Notes for November 13, 2014 call


Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

November 13, 2014.

1. Call to Order and Welcome.

 

2. Roll Call

 

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America  - y

Andrew Heath - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon  - y 

Charline Duccans, DHS

Duane DeCouteau

Calvin

Colin Wallis, New Zealand Government  - y

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diana Proud-Madruga - y    

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange   

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y  

Ilene Bridges 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

Jim Macabe (Kaiser)

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST  

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC - 

Peter Alterman, SAFE-BioPharma - y 

Peter Jones -

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton  

Rich Furr

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y  

Shahrokh Shahidzadeh (Intel Corp)  

Suzanne Gonzales-Webb, VA  

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA 

Patrick, Axiomatics

Steve Olshansky

 

70 percent of the voting members were present at the meeting.  Abbie declared quorum.

 

2. Agenda review and approval

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el

 

The agenda was approved.

 

 

3. Approval of the Minutes

 

Approval of the minutes was deferred until the next meeting.

 

4. Next Steps for the Next Deliverable

 

Abbie said that the last meeting in December and the first January meeting we will cancel. We may have a face to face (F2F) meeting next year. He has a little budget. Is there another event we could combine with in January, February or March? Start thinking about it.  If someone can host let us know.  The city is dependent on the host.  We need a room for 6-10 people. Worst case we will host the meeting in Charlotte, NC.  Is that a good plan?

 

Cathy replied yes, but not the last week in January.  Maybe the first week of March, just before or after Spring break.

 

Peter asked where? 

 

Abbie replied a two day F2F to work on the 4th deliverable.  Maybe in NYC or Charlotte or DC.

 

Peter said he will explore options.

 

4. Editors Update

 

Andrew posted the OASIS template with all the material to date to the document section of portal.  This includes the current sequence diagram and story, and that is it. They discussed getting some of the flows from the previous week’s presentation so he is looking for direction on where to go next.

 

Abbie replied that is fair. Send an email to the list and ask for contributions to sections. You can task me with a couple of use cases to submit.  Do we consider machine to machine (M2M) setups to be in scope or out of scope?

 

Mary indicated that yes, it is important because increasingly the first service a human accesses, itself needs to call multiple other services.

 

Abbie said that is good to know, so let’s note that.

 

Shaheen said he can come up with use cases, but not real time use cases.

 

Peter said ping Eve and ask her for a use case.

 

Abbie asked do we have threats and balances for M2M interactions?  Do we need to add that?

 

Peter said we are excluding M2M encryption.  We are talking about M2M auth.

 

Abbie asked do you have multiple apps on a device and need to access a proxy to talk to a database?

 

Peter replied I’ve seen that. What I’m asking is one device performing AuthN to another device.

 

Abbie answered yes, but device to back end server i.e. his app running on this device talking to me.

 

Shaheen said for the use case of a mobile device with an app and the user using one of the apps, the service needs to know if the request is coming from a verified app action on behalf of the user.

 

Abbie said the app authenticates to the back end server, usually a container or app. The device has a certificate and talks to the other server.

 

Peter asked are you presuming signed code?

 

Abbie replied that could be. The actual request coming …

 

Peter asked what protocol is expected on the receiving end?

 

Abbie said make it simple RESTful services.

 

Peter replied ok. That makes it an easy case.

 

Abbie commented with the IoT coming, we should at least be thinking of that.

 

Peter agreed. It is not out of scope.  Maybe we should finish deliverable four before addressing the IoT (Internet of Things).

 

Peter said this is a real need. He underscored what Mary said. But don’t we need to finish the work on our plate before we expand it?

 

Abbie agreed.  We need to note it.  Andrew we need a section for roadmaps for future deliverables, or a parking lot.

 

Peter said we need to put this on Mary’s plate.

Abbie said we need to have a future work matrix.

 

Mary said that makes sense.

 

Colin said since that is covered in previous deliverables, it is out of scope for the 4th deliverable.

 

Abbie said increasingly the IoT will be a key issue.

 

Peter said it is a key environment that all deliverables will have to address.

 

Cathy asked can we talk about the 1st and 2nd deliverables and something confusing? When I went to the website, there is nothing there. The only place to find these is to go to the document register. Can we put links to the final version on the website so people can find them?

 

Abbie replied you are right.

 

Suzanne said that would be good.

 

Cathy commented it would help her too.

 

Abbie said it is a mistake. The public page should have a link to what has been delivered.  The approved version should be public.

 

***Action item: Abbie to talk to OASIS on this.

 

Andrew said the 2nd and 3rd deliverables should be tagged. Somehow, somewhere we need to fix it.

 

Abbie said he is getting a lot of interest. Our spreadsheets are becoming valuable. Part of the FIDO engagement is that FIDO is really a step up. The actual verification and authentication is a step-up and now there is big demand to come up with the step-up matrix. Not all devices have the same capabilities. The device could receive a get pin or voiceprint or fingerprint. The trust in any FIDO attestation varies depending on the trust certification and accuracy of the device. So step-up is very important. He gets questions about the documents.

 

Cathy asked is there a recent presentation on the progress?  That would also be useful to have easily available from the home page.

 

Abbie replied yes, he presented in Belgium a couple of weeks ago.  He will post the PPT.

 

*** Action item: Abbie to post the slides.

 

 

6. Adjourn

 

Abbie asked for a motion to adjourn.

Colin made the motion.

                               

The meeting was adjourned.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

Shaheen Abdul Jabbar (JPMC): joining soon

 

Gershon Janssen: Joined the call; apologies for being late...


