OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

trust-el message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Minutes from May 28th call

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

May 28, 2015.

1. Call to Order and Welcome.


2. Roll Call


Attending (please notify me if you attended the meeting but are not on the list below)


Abbie Barbir, Bank of America

Andrew Hughes - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon - y   

Charline Duccans, DHS

Duane DeCouteau


Colin Wallis, New Zealand Government  - y  

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diana Proud-Madruga - y    

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange     

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y

Ilene Bridges 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

Jeff Shultz , NIST - y

Jim Macabe (Kaiser)

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Tolbert - y

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST   

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC - 

Orlando Adams

Peter Alterman, SAFE-BioPharma  

Peter Jones -

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton  

Rich Furr

Rick Grow - y

Ronald Perez, Advanced Micro Devices

Scott Fitch Lockeed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y  

Shahrokh Shahidzadeh (Intel Corp)   

Suzanne Gonzales-Webb, VA - y  

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA 

Patrick, Axiomatics

Steve Olshansky


We achieved quorum.



2. Agenda review and approval


We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el


The agenda was approved.


3. Approval of the Minutes


Suzanne and Dianne seconded approval of the minutes of the previous meeting April 16th.

There were no objections.

The minutes were approved.


4. Editors Update

Andrew provided an update on the face-to-face (F2F) meeting.  It was weeks ago and was held for 2 days in NY above MoMA.


Andrew explained that they came up with a “strawshirt”.  There are still some disconnects between the description of using a NIST approach upfront vs. a fully risk- based dynamic approach.  He discussed what a common approach might be.  Trust-el could occur when the RP determines that the user is insufficiently authenticated to perform a transaction.  In the TC’s output, any early way to describe the elevation event was an action to counter an ITU-T type threat. In later descriptions we found that that could be expressed as the use of an authentication factor that had not yet been used in that Transactional context.  At third type of trust-el is use of a different authN method that may or may not have a different factor. So there is common ground, but it is very slippery to find it.


Andrew reviewed the simple trust-el use case (online banking transactions) in the WebEx.


Andrew continued. MFA implies two factors from different classes. If we allow two factors of any class, we are talking about multilayered authentication.


Andrew said the policy table that related the transaction risk level and what authN is need to do that step. In the F2F we had a long discussion about who writes it. We reaffirmed that it must be the RP. The TC isn’t going to try to standardize what method is needed to go from one specific level to another.  There may come a day when this is more standardized. But that day has not yet come


Andrew continued, one can do a classic step-up,  or re-authenticate with the same methods or class or factor, etc.  The idea of D4 is to generate enough material for the RP to construct a sensible policy table.


Colin suggested that Andrew clarify the multi-layer language in his example in the document.


Cathy reminded us to keep in mind that this whole thing is a starting place.


?? Loves this. It is bringing to light other questions.


Andrew explained that for D4, he envisions an appendix of additional questions.


Andrew said one of the debate points in constructing the policy table is that we are trying to separate the authN policy.  That is, determine what is required to satisfy the risk level policy and how you could go about doing it.  The policy table could have list of methods with unique id’s and an indication of strengths, and cross links. The sample use case is sequence of things.  The user hits the bank site, etc.  The goal [at this stage of the protocol design process] is to try to determine who the actors are: authN engine, trust elevation determinor, policy table, etc. We are also trying to determine where each of these pieces might reside.


Andrew moved to the excel spreadsheet list of activities. This is an attempt to make a very fine grained activity list for the simple use case. Idea is to determine who are the actors and their actions.  Andrew walked through it


They mocked up some xml to walk thru.

Andrew said if there are no more comments or questions for now, he is done.


Someone ask Andrew what he needs, for each of us to review the drafts and add comments, questions and suggestions?


Andrew replied yes. His next task is to put this into a readable format and send it to the group for questions and additions.  There are some sections others will need to write.  He also needs to create a revised table of contents.


Andrew will send out a link to the updated doc and a request for comments.


Andrew asked if there was any other business.


Colin asked has anyone seen the final version of the NIST submission? Was it circulated by email?


Andrew responded that he saw the output from this TC. He didn’t’ see if OASIS consolidated all the TC comments as an official submission. He saw the request, but not the response to the request.


Colin commented that it isn’t obvious that there is a place in OASIS to do that.


Andrew took an action item to follow-up.



6. Adjourn


Shaheen moved to adjourn the meeting.

Andrew seconded the motion.


Andrew thanked the participants for their hard work at the F2F.  We have really made progress.



anonymous morphed into Suzanne Gonzales-Webb


anonymous morphed into Gershon Janssen


anonymous morphed into Shaheen


Shaheen: Topic: OASIS Trust-El Bi Weekly TC meeting

Date: Thursday, May 28, 2015

Time: 12:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)

Meeting Number: 730 455 371

Meeting Password: 05282015




To join the online meeting (Now from mobile devices!)


1. Go to https://jpmchase.webex.com/jpmchase/j.php?MTID=mbd343f18703878d5d18e89a46a74a97d

2. If requested, enter your name and email address.

3. If a password is required, enter the meeting password: 05282015

4. Click "Join".


To view in other time zones or languages, please click the link:



anonymous morphed into John Tolbert


Shaheen: Please do not use the call me feature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]