Subject: Minutes from May 28th call
Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee, May 28, 2015.

1. Call to Order and Welcome.

2. Roll Call

Attending (please notify me if you attended the meeting but are not on the list below)

Abbie Barbir, Bank of America Andrew Hughes - y Anil Saldhana, Red Hat Bob Sunday Brendan Peter, CA Carl Mattocks, Bofa Cathy Tilton, Daon - y Charline Duccans, DHS Duane DeCouteau Calvin Colin Wallis, New Zealand Government - y Dale Rickards, Verizon Business David Brossard, Axiomatics Dazza Greenwood Debbie Bucci, NIH Deborah Steckroth, RouteOne LLC Detlef Huehnlein, Federal Office for Information Diana Proud-Madruga - y Diego Matute, Centrify Don Thibeau, Open Identity Exchange Doron Cohen, SafeNet Doron Grinstein, BiTKOO Gershon Janssen - y Ilene Bridges Ivonne Thomas, Hasso Plattner Institute Jaap Kuipers, Amsterdam James Clark – Oasis Jeff Broburg, CA Jeff Shultz , NIST - y Jim Macabe (Kaiser) John Bradley John "Mike" Davis, Veteran's Affairs John Tolbert - y John Walsh, Sypris Electronics Jonas Hogberg Julian Hamersley, Adv Micro Devices Kevin Mangold, NIST Lucy Lynch ISOC Marcus Streets, Thales e-Security Marty Schleiff, The Boeing Company Mary Ruddy, Identity Commons - y Massimiliano Masi, Tiani "Spirit" GmbH Mike Harrop Mohammad Jafari, ESC - Orlando Adams Peter Alterman, SAFE-BioPharma Peter Jones - Rainer Hoerbe - Rebecca Nielsen, Booz Allen Hamilton Rich Furr Rick Grow - y Ronald Perez, Advanced Micro Devices Scott Fitch Lockheed Martin Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y Shahrokh Shahidzadeh (Intel Corp) Suzanne Gonzales-Webb, VA - y Tony Rutkowski Tony Nadlin Thomas Hardjono, M.I.T. William Barnhill, Booz Allen Hamilton Adrianne James, VA Patrick, Axiomatics Steve Olshansky

We achieved quorum.

2. Agenda review and approval

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el

The agenda was approved.

3. Approval of the Minutes

Suzanne and Dianne seconded approval of the minutes of the previous meeting April 16th. There were no objections. The minutes were approved.

4. Editors Update

Andrew provided an update on the face-to-face (F2F) meeting. It was weeks ago and was held for 2 days in NY above MoMA. Andrew explained that they came up with a “strawshirt”. There are still some disconnects between the description of using a NIST approach upfront vs. a fully risk-based dynamic approach. He discussed what a common approach might be.

Trust-el could occur when the RP determines that the user is insufficiently authenticated to perform a transaction. In the TC’s output, an early way to describe the elevation event was an action to counter an ITU-T type threat. In later descriptions we found that that could be expressed as the use of an authentication factor that had not yet been used in that transactional context. A third type of trust-el is use of a different authN method that may or may not have a different factor. So there is common ground, but it is very slippery to find it.

Andrew reviewed the simple trust-el use case (online banking transactions) in the WebEx.

Andrew continued. MFA implies two factors from different classes. If we allow two factors of any class, we are talking about multilayered authentication.

Andrew said the policy table relates the transaction risk level and what authN is needed to do that step. In the F2F we had a long discussion about who writes it. We reaffirmed that it must be the RP. The TC isn’t going to try to standardize what method is needed to go from one specific level to another. There may come a day when this is more standardized. But that day has not yet come.

Andrew continued: one can do a classic step-up, or re-authenticate with the same methods or class or factor, etc. The idea of D4 is to generate enough material for the RP to construct a sensible policy table.
Colin suggested that Andrew clarify the multi-layer language in his example in the document.

Cathy reminded us to keep in mind that this whole thing is a starting place.

?? Loves this. It is bringing to light other questions.

Andrew explained that for D4, he envisions an appendix of additional questions.

Andrew said one of the debate points in constructing the policy table is that we are trying to separate the authN policy. That is, determine what is required to satisfy the risk level policy and how you could go about doing it. The policy table could have a list of methods with unique IDs and an indication of strengths, and cross links.

The sample use case is a sequence of things. The user hits the bank site, etc. The goal [at this stage of the protocol design process] is to try to determine who the actors are: authN engine, trust elevation determiner, policy table, etc. We are also trying to determine where each of these pieces might reside.

Andrew moved to the Excel spreadsheet list of activities. This is an attempt to make a very fine-grained activity list for the simple use case. The idea is to determine who the actors are and what their actions are. Andrew walked through it. They mocked up some XML to walk through.

Andrew said if there are no more comments or questions for now, he is done. Someone asked Andrew what he needs: for each of us to review the drafts and add comments, questions and suggestions? Andrew replied yes. His next task is to put this into a readable format and send it to the group for questions and additions. There are some sections others will need to write. He also needs to create a revised table of contents. Andrew will send out a link to the updated doc and a request for comments.

Andrew asked if there was any other business.

Colin asked whether anyone has seen the final version of the NIST submission. Was it circulated by email? Andrew responded that he saw the output from this TC. He didn’t see if OASIS consolidated all the TC comments as an official submission. He saw the request, but not the response to the request. Colin commented that it isn’t obvious that there is a place in OASIS to do that. Andrew took an action item to follow up.

6. Adjourn

Shaheen moved to adjourn the meeting. Andrew seconded the motion. Andrew thanked the participants for their hard work at the F2F. We have really made progress.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
anonymous morphed into Suzanne Gonzales-Webb
anonymous morphed into Gershon Janssen
anonymous morphed into Shaheen
Shaheen: Topic: OASIS Trust-El Bi Weekly TC meeting
Date: Thursday, May 28, 2015
Time: 12:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 730 455 371
Meeting Password: 05282015
-------------------------------------------------------
To join the online meeting (Now from mobile devices!)
-------------------------------------------------------
1. Go to https://jpmchase.webex.com/jpmchase/j.php?MTID=mbd343f18703878d5d18e89a46a74a97d
2. If requested, enter your name and email address.
3. If a password is required, enter the meeting password: 05282015
4. Click "Join".
To view in other time zones or languages, please click the link: https://jpmchase.webex.com/jpmchase/j.php?MTID=m16a828670748e30e65231cd8db120c28
anonymous morphed into John Tolbert
Shaheen: Please do not use the call me feature
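
The RP-written policy table from the Editors Update (item 4), sketched as an added example; it is not part of the minutes or of the TC's drafts. The method ids, strength values, transaction names and the rule that strengths add up are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Method:
    method_id: str     # unique id within the RP's table (hypothetical)
    factor_class: str  # "knowledge", "possession" or "inherence"
    strength: int      # RP-assigned strength; the scale is an assumption

# Constructed sample table: written by the RP, not standardized by the TC.
METHODS = {m.method_id: m for m in (
    Method("pwd", "knowledge", 1),
    Method("kba", "knowledge", 1),
    Method("otp-sms", "possession", 2),
    Method("hw-token", "possession", 3),
    Method("fingerprint", "inherence", 3),
)}

# Transaction -> (minimum combined strength, two factor classes required?)
POLICY = {
    "view_balance": (1, False),
    "pay_known_payee": (3, False),  # multilayered authentication is enough
    "add_new_payee": (4, True),     # MFA: factors from different classes
}

def _satisfied(transaction, strength, classes):
    need_strength, need_mfa = POLICY[transaction]
    return strength >= need_strength and (not need_mfa or len(classes) >= 2)

def elevation_options(transaction, used_ids):
    """Return (needs_elevation, method ids that would each satisfy the policy).

    Only methods not yet used in this transactional context are offered.
    Adding strengths together is an assumption of this sketch.
    """
    used = [METHODS[i] for i in used_ids]
    strength = sum(m.strength for m in used)
    classes = {m.factor_class for m in used}
    if _satisfied(transaction, strength, classes):
        return False, []
    options = [
        m.method_id for m in METHODS.values()
        if m.method_id not in used_ids
        and _satisfied(transaction, strength + m.strength,
                       classes | {m.factor_class})
    ]
    return True, sorted(options)
```
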