Subject: Notes for April 16 call
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee
April 16, 2014.
1. Call to Order and Welcome.
2. Roll Call
Attending (please notify me if you attended the meeting but are not on the list below)
We achieved quorum.
2. Agenda review and approval
We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el
The agenda was approved.
We have a request to move the meeting time and are considering it. Abbie will put out a ballot.
3. Approval of the Minutes
Diana moved and Colin seconded approval of the minutes of the previous meeting of April 2.
There were no objections.
The minutes were approved.
4. Face to Face Meeting
Abbie explained that the Face to Face (F2F) meeting will be in New York. It is a nice room with a view. We have 2 days scheduled. The details are on the TC web page. If we know anyone from UMA, SAML and/or OIDC at the meeting, it would be great if they could attend on day two – either in person or by dial-in. He asked for support to dedicate day two to options for working with relevant third parties.
Andrew commented that at IIW we had good strong support from other relevant standards people.
Abbie remarked that currently, FIDO trust elevation takes place at two points, the first at device enrollment. FIDO doesn’t support step-up at the FIDO level; it has a set of acceptable authenticators that can be selected. The alliance has just started working on FIDO 2. Unfortunately, we are conflicting with the FIDO meeting in Europe.
5. IIW update and Editors Update
Andrew reported that it was an interesting session at IIW. Justin Richer and crew had a Vectors of Trust meeting one morning, and we arranged to have the trust-el session immediately after it in the same room. Mary, did you take any notes?
Mary replied yes, she did take a few editor's notes. [If formal notes were posted for the session, they would be posted at http://iiw.idcommons.net/Trust_Elevation]
Andrew shared his PowerPoint slides from the session. The first part was for people who weren’t familiar with the project. The audience included Eve M. of UMA and Mike S. of Gluu. He got to the wonderful diagram and then into the main discussion. The two biggest points were all about going from level A to level B. The group didn’t have anything concrete. They discussed the issue that the Assurance Level may or may not be the 800-63 levels of assurance. What is meant by the level should be predetermined by the trust framework. It could be the NIST standards.
Andrew next conducted a more detailed discussion of protocols. This got into the ACR and AMR variables. Within OAuth 2 and OIDC there are structures that exist whose values have not yet been fully defined and that are pretty close to what we need for trust elevation. We also learned that one of the proposed structures was not appropriate.
Andrew said that UMA also has hooks for additional authenticators. Andrew took an action item to read the protocol specification and bring in the authors. He asked Mary for additional comments.
Mary explained that there was a lot of conversation about granularity because of the previous conversation in the room.
Abbie agreed that it is important. For example, take a phone. You use your fingerprint for authN. The fingerprint on its own has a value as an authenticator, but how much do you trust your fingerprint? There is a lot of variability in implementations.
Andrew said he has more homework. He got Mike S. to rejoin the TC.
Andrew said we need to follow up with OIDC folks.
Don volunteered that he is happy to do that.
Andrew said we need to confirm that our structures are still compatible.
Mary said there were 24 people in the room. It was a very engaged group, which is difficult to convey after the fact.
Abbie asked Andrew if we have a new group that is ready to receive the next version.
Andrew said Mike S. and Eve M. were very engaged. He thinks we can translate that into review and/or contributions.
Abbie said let's quickly have a plan to invite them to the F2F, and invite them to come into the TC so that we can move forward while it is still hot.
Andrew agreed and is focusing on preparing for F2F.
Abbie said we will focus on this in next editor’s call.
Abbie has sent a note to ISO. They like what they see and appreciate it. We will send what we have to them in September or, worst case, in February. If we can do that we can get an ISO number. So we need to complete this in a short amount of time.
Andrew recommended we adjourn to have more material for F2F.
Diana wants to make sure the group is aware that NIST is soliciting contributions/topics for updating NIST 800-63. One of the things they are looking at is trust elevation.
Abbie replied that he did tweet about that.
Diana continued. May 29 is the deadline for comments about what needs to be put into an update. Does the TC want to comment?
Abbie replied yes, we should send comments back. Can we have an ad-hoc group meet to come up with our response?
Diana said she is in a group putting together comments – she can invite us to those meetings.
Abbie replied, pencil me in, and I will include the bank input. He will send an email to the list about the ad hoc group.
Diana moved to adjourn the meeting.
Peter seconded the motion.
Call-in toll-free number: +1-8667475167 (US)
Call-in number: +1-7046650860 (US)
Attendee access code: 792 879 64
Australia: 1800209726; 0280662408; +61 280662408
abbie : Agenda
1. roll call
2. Approve minutes
3. F2F info
4. IIW update
5. Editor Update
6. Roll call
Shaheen: Is there a way we can move this recurring meeting by an hour forward?
abbie : we can ask
abbie : on the call today
anonymous morphed into Rick Grow
anonymous morphed into Jeff S.
Shaheen: can we have it at 11 or 12 PM EST?
Kevin Mangold (NIST): Oops. I was using the old dial in
anonymous morphed into Peter
Jeff S.: Did everyone see the announcement about 800-63?
Peter: what does NIST expect?
Kevin Mangold (NIST): which announcement, Jeff?
Jeff S.: Summary:
NIST requests comments on SP 800-63-2, Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance (LOA) that are specified in the Office of Management and Budget (OMB) memorandum M-04-04, E-Authentication Guidance for Federal Agencies. Please send questions and comments by May 22, 2015 to firstname.lastname@example.org
Jeff S.: More information is available here: http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html
Peter: What I mean is that the question(s) are so open-ended that it's hard to know how NIST can distill the spectrum of comments it's likely to receive. A little more information about what they're looking for would be helpful to all involved.
Andrew Hughes: they intend to take the comments, write a report or white paper, then conduct a workshop...
Jeff S.: Peter, I think the basis of this comment solicitation is meant to be just that: very open-ended.
Jeff S.: That much has not been made publicly available at this time.
Jeff S.: At this point, we are soliciting comments on the topics listed in the announcement.