
Time

Item

Who

Notes

5 min.

  • Start the meeting.

  • Call to order.

  • Approve minutes

  • Approve agenda

John Wunderlich 

Called to order: 13:02

Quorum reached: Yes @ 13:03

Minutes to approve: No objections, Approved

2023-08-23 Meeting notes

2023-08-09 Meeting notes

2023-08-02 Meeting notes

Candidate Requirements

2023-07-19 Meeting notes

2023-07-12 Meeting notes

2023-06-07 Meeting notes

2023-04-05 Meeting notes

2023-04-12 Meeting notes

2023-04-26 Meeting notes

0 min.

Open Tasks Review

All

Task report

5 min

Announcements

Christopher taking lead on next couple of meetings. John to focus on getting implementer’s report out the door.

Ask: Warning for when discussion of implementer’s report will happen so schedules can be accommodated.

35 min

Requirements discussion

Goal: Get a VIP statement for purpose, legitimacy, and specification.

  • Discussion: Would issuer specify purposes for which credential should be used?

    • Holder should always have final say. If released by the holder, issuer could potentially restrict who gets / asks for one.

    • Terminal authentication is the verifier taking technical steps to ensure that the verifier’s reading hardware/software combination meets a certain standard.

      • Identifier of the relying party that the issuer can then build business rules for in their app if their app encounters a typical relying party.

      • Issuer can issue a policy - sometimes the issuer builds the wallet, too. Wallet has credential and policy and has to make decision. Issuer can issue a policy to the wallet.

    • Falls into limiting use to authorized uses, or a security issue around only allowing readers that meet issuer’s standard

    • Issuer says “you must meet policy X” before credential will be issued to device. At presentation time, that authorized wallet uses the information provided to the issuer to validate that the device is on the list that’s in the policy and will provide the data to the reader. (this would be a new set of requirements)

  • Discussion: Policies

    • Certain policies may be privacy-preserving, others not

    • Verifying organization should train its staff that use the reader on how to respond to questions about privacy

    • Some policies have no technical implications. People policy vs machine policy

    • Need a statement about people supporting policies - parked until Security

    • Complying with 27001 involves training and HR requirements

  • Discussion: VIP requirement under UR is “Can’t phone home”

    • Highly desirable, or requirement? Not all credentials will seek to be privacy enhancing

  •  John Wunderlich To make sure that every must/should in the Implementer’s report is ported to requirements.
  •  John Wunderlich Update instructions on how to create requirements
  •  John Wunderlich Email to encourage people to e-mail to create a requirement suggestion, try to elevate progress

Requirements Coverage

Candidate Requirements

Adjourn

