OASIS Mailing List Archives

 



trust-el message



Subject: Re: [trust-el] Minutes from May 28th call


Hi folks - probably going to be a short call today - not much editor progress to update on...
andrew.

On Thu, Jun 11, 2015 at 6:12 AM Mary Ruddy <mary@meristic.com> wrote:

Minutes for the meeting of the Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

May 28, 2015.

1. Call to Order and Welcome.

 

2. Roll Call

 

Attending (please notify me if you attended the meeting but are not on the list below)

 

Abbie Barbir, Bank of America

Andrew Hughes - y

Anil Saldhana, Red Hat  

Bob Sunday

Brendan Peter, CA

Carl Mattocks, Bofa 

Cathy Tilton, Daon - y   

Charline Duccans, DHS

Duane DeCouteau

Calvin

Colin Wallis, New Zealand Government  - y  

Dale Rickards, Verizon Business 

David Brossard, Axiomatics 

Dazza Greenwood 

Debbie Bucci, NIH 

Deborah Steckroth, RouteOne LLC

Detlef Huehnlein, Federal Office for Information

Diana Proud-Madruga - y    

Diego Matute, Centrify

Don Thibeau, Open Identity Exchange     

Doron Cohen, SafeNet

Doron Grinstein, BiTKOO

Gershon Janssen  - y

Ilene Bridges 

Ivonne Thomas, Hasso Plattner Institute

Jaap Kuipers, Amsterdam  

James Clark – Oasis

Jeff Broburg, CA

Jeff Shultz , NIST - y

Jim Macabe (Kaiser)

John Bradley 

John "Mike" Davis, Veteran's Affairs 

John Tolbert - y

John Walsh, Sypris Electronics

Jonas Hogberg

Julian Hamersley, Adv Micro Devices

Kevin Mangold, NIST   

Lucy Lynch  ISOC

Marcus Streets, Thales e-Security

Marty Schleiff, The Boeing Company

Mary Ruddy, Identity Commons  - y

Massimiliano Masi, Tiani "Spirit" GmbH 

Mike Harrop

Mohammad Jafari, ESC - 

Orlando Adams

Peter Alterman, SAFE-BioPharma  

Peter Jones -

Rainer Hoerbe -

Rebecca Nielsen, Booz Allen Hamilton  

Rich Furr

Rick Grow - y

Ronald Perez, Advanced Micro Devices

Scott Fitch, Lockheed Martin

Shaheen Abdul Jabbar, JPMorgan Chase Bank, N.A. - y  

Shahrokh Shahidzadeh (Intel Corp)   

Suzanne Gonzales-Webb, VA - y  

Tony Rutkowski

Tony Nadlin

Thomas Hardjono, M.I.T.  

William Barnhill, Booz Allen Hamilton

Adrianne James, VA 

Patrick, Axiomatics

Steve Olshansky

 

We achieved quorum.

 

 

2. Agenda review and approval

 

We used the following chat room for the call: http://webconf.soaphub.org/conf/room/trust-el

 

The agenda was approved.

 

3. Approval of the Minutes

 

Suzanne and Dianne seconded approval of the minutes of the previous meeting April 16th.

There were no objections.

The minutes were approved.

 

4. Editors Update

Andrew provided an update on the face-to-face (F2F) meeting.  It was weeks ago and was held for 2 days in NY above MoMA.

 

Andrew explained that they came up with a “strawshirt”.  There are still some disconnects between the description of using a NIST approach upfront vs. a fully risk-based dynamic approach.  He discussed what a common approach might be.  Trust-el could occur when the RP determines that the user is insufficiently authenticated to perform a transaction.  In the TC’s output, an early way to describe the elevation event was an action to counter an ITU-T type threat. In later descriptions we found that that could be expressed as the use of an authentication factor that had not yet been used in that Transactional context.  A third type of trust-el is use of a different authN method that may or may not have a different factor. So there is common ground, but it is very slippery to find it.

 

Andrew reviewed the simple trust-el use case (online banking transactions) in the WebEx.

 

Andrew continued. MFA implies two factors from different classes. If we allow two factors of any class, we are talking about multilayered authentication.

 

Andrew said the policy table that related the transaction risk level and what authN is needed to do that step. In the F2F we had a long discussion about who writes it. We reaffirmed that it must be the RP. The TC isn’t going to try to standardize what method is needed to go from one specific level to another.  There may come a day when this is more standardized. But that day has not yet come.

 

Andrew continued, one can do a classic step-up, or re-authenticate with the same methods or class or factor, etc.  The idea of D4 is to generate enough material for the RP to construct a sensible policy table.

 

Colin suggested that Andrew clarify the multi-layer language in his example in the document.

 

Cathy reminded us to keep in mind that this whole thing is a starting place.

 

?? Loves this. It is bringing to light other questions.

 

Andrew explained that for D4, he envisions an appendix of additional questions.

 

Andrew said one of the debate points in constructing the policy table is that we are trying to separate the authN policy.  That is, determine what is required to satisfy the risk level policy and how you could go about doing it.  The policy table could have a list of methods with unique IDs and an indication of strengths, and cross links. The sample use case is a sequence of things.  The user hits the bank site, etc.  The goal [at this stage of the protocol design process] is to try to determine who the actors are: authN engine, trust elevation determinor, policy table, etc. We are also trying to determine where each of these pieces might reside.

 

Andrew moved to the Excel spreadsheet list of activities. This is an attempt to make a very fine-grained activity list for the simple use case. Idea is to determine who are the actors and their actions.  Andrew walked through it.

 

They mocked up some XML to walk through.

Andrew said if there are no more comments or questions for now, he is done.

 

Someone asked Andrew what he needs, for each of us to review the drafts and add comments, questions and suggestions?

 

Andrew replied yes. His next task is to put this into a readable format and send it to the group for questions and additions.  There are some sections others will need to write.  He also needs to create a revised table of contents.

 

Andrew will send out a link to the updated doc and a request for comments.

 

Andrew asked if there was any other business.

 

Colin asked has anyone seen the final version of the NIST submission? Was it circulated by email?

 

Andrew responded that he saw the output from this TC. He didn’t see if OASIS consolidated all the TC comments as an official submission. He saw the request, but not the response to the request.

 

Colin commented that it isn’t obvious that there is a place in OASIS to do that.

 

Andrew took an action item to follow-up.

 

 

6. Adjourn

 

Shaheen moved to adjourn the meeting.

Andrew seconded the motion.

 

Andrew thanked the participants for their hard work at the F2F.  We have really made progress.

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

anonymous morphed into Suzanne Gonzales-Webb

 

anonymous morphed into Gershon Janssen

 

anonymous morphed into Shaheen

 

Shaheen: Topic: OASIS Trust-El Bi Weekly TC meeting

Date: Thursday, May 28, 2015

Time: 12:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)

Meeting Number: 730 455 371

Meeting Password: 05282015

 

 

-------------------------------------------------------

To join the online meeting (Now from mobile devices!)

-------------------------------------------------------

1. Go to https://jpmchase.webex.com/jpmchase/j.php?MTID=mbd343f18703878d5d18e89a46a74a97d

2. If requested, enter your name and email address.

3. If a password is required, enter the meeting password: 05282015

4. Click "Join".

 

To view in other time zones or languages, please click the link:

https://jpmchase.webex.com/jpmchase/j.php?MTID=m16a828670748e30e65231cd8db120c28

 

anonymous morphed into John Tolbert

 

Shaheen: Please do not use the call me feature

--

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

+1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


