IAWG Meeting Notes 2011-02-02
This was a non-quorate call. What follows are unofficial notes.
Attendees:
Myisha Frazier-McElveen
Rich Furr
Ben Wilson
Ken Dagg
John Bradley
Richard Trevorah
Jeff Stollman
Patrick Curry
Rainer Hoerbe
Mark Lizar
Nathan Faut
Apologies:
Frank Villavicencio
David Wasley
Bill Braithwaite
Pete Palmer
Staff:
Joni Brennan
Anna Ticktin
Meeting Notes:
a. Roll Call---Quorum not reached
b. Reminder of Motion of Minutes Approval: 19 Jan 2011
http://kantara.atlassian.net/wiki/display/idassurance/IAWG+Meeting+Minutes+2011-01-19
- Unable to approve previous minutes as quorum was not met.
c. Kantara F2Fs in May:
- 10 May Kantara TFW Summit in Munich (EIC)--- http://www.id-conf.com/
- Rainer Horbe and Joni confirm attendance
- The summit agenda will focus on Trust Frameworks
- 16-18 May Berlin (F2F @Fraunhofer) — http://kantarainitiative.org/confluence/display/GI/Kantara%20Initiative%20Conferences
- Rainer and Patrick confirm attendance
The work group identified the following milestones to met by the Berlin F2F:
- PKI/LOA 3 documentation matured
- RP Guidelines outlined
ACTION ITEM 20110202-01 ANNA--- will commence a wg thread soliciting interest in attendance and begin a draft agenda for all interested attendees to present to their approving bodies for potential financial endorsements.
Patrick advises of the following upcoming events:
- The ISO/IEC JTC1 SC27 WG5 Plenary Meeting on ISO standards for identity management and privacy is taking place in Singapore 12-19 April. Many key experts will be at that event – efforts are in hand to ensure European Commission representation. This is an opportunity for the European nations to get greater visibility of Kantara input.
- The next European Commission DG Home Affairs ID Management/Fraud Expert Meeting should be held sometime after 25 April and before mid-May. Patrick will inform them of the Berlin event to try to prevent any conflicts.
- Eema Events: (Estonia are regarded as a leader on citizen ID in Europe...)
European e-Identity Management Conference
8-9 June 2011 – Tallinn, Estonia
The European City of Culture 2011 - Information Security Solutions Europe (ISSE)
4-6 October 2011 –
Prague, Czech Republic
IAWG telecon frequency---
- Consensus of the WG is that there is much to be done. In order to keep the pace and gain traction, it is recommended to have the telecons remain weekly.
d. Action Item Review:
ACTION ITEM 20110126-01 Myisha — to finalize the latest draft version and resubmit to the list for a more thorough/official review on / by the next call. Closed.
2. FOG All Member Ballot: Anna Ticktin
ACTION ITEM 20110202-02 Anna — to make the (non-normative) edits and present the document to the WG for approval by next week.
3. SAC Level 3 / PKI Report: Rich Furr
- With 1 person's concerted effort, these could be recommendations for resolution and could be built in 1-2 weeks.
- Patrick suggests partnering with, or perhaps, recruiting Judy Spencer?
- Rich will circulate relevant documents to the list immediately.
- Patrick will reach out to Certipath for assistance, as well.
- The WG set a milestone of revving the documents to a level of maturity by the F2F in Berlin.
- The need and demand for this work lies with PKI Federation LOA 3-4, OIX and Facebook connect groups...
- The WG agrees that the SAC criteria should be available in advance of Q4.
- Rich suggests HIA should be interested in LOA3 as the LOA3/PKI health certificates have been high.( See relevant email thread captured at the end of these notes.)
- Patrick suggests Certipath, too, should be interested.
4. Status of RP Guidelines: Frank Wray and Ben Wilson
- see email dated 02 Feb 2011 titled: [WG-IDAssurance] Relying Party Guidelines
- Question: How comprehensive in scope and how big of a document are we looking for?
- Answer: We should start with a full concept / full picture then distill down to an executive summary.
- In the end, it should be RP criteria or a baseline to certify against or expand the certification program against.
- Guidance (on best practices) informs criteria for the doc.
- Question: Who is the audience: RPs or assessors?
- Ben wilson will redraft and recirculate.
- This work has been targeted for Berlin and should coordinate with the P3-PFSG efforts and Trust Framework Architecture.
Due to time constraints, the following agenda items will be carried over to the next telecon:
- 5. SAC Profile Creation Guidelines Doc: Myisha
- 6. Recruitment: Auditors and Assessors
- 7. AOB:
- FAQs
- ABA Draft Definition of Trust Framework
ONC Recommendations Thread---Rich Furr
Please see the attached recommendation from the ONC Privacy and Security Tiger team that was issued in June 2010. Most of the members of this team are now part of the Direct Project Security Work Group (me included) which is working to set the policies for the National Health Information Network.
I have highlighted key provisions to wit:
These security protocols and technologies will determine what "language" that given policies must speak. Most notably the decision to use the IETF X.509 standards for a PKI-based infrastructure will force NHIN Direct users to create trust policies that speak in terms of certificates, public key infrastructure and certificate authorities. Other protocol and technology decisions will have similar policy language implications; and
2.1 Use of x.509 Certificates. The NHIN Direct protocol relies on agreement that possession of the private key of an x.509 certificate with a particular subject assures compliance of the bearer with a set of arbitrary policies as defined by the issuing authority of the certificate; and
2.5 Sender identification. NHIN Direct messages must be reliably linked to the public certificates possessed by the sender, through standard digital signatures or other means that match the certificate subject to the sender's address or health domain. Implementations must reject messages that are not linked to valid, non-expired, non-revoked public certificates inheriting up to a configured Anchor certificate per 2.2.
2.6 Encryption. NHIN Direct messages sent over unsecured channels must be protected by standard encryption techniques using key material from the recipient's valid, non-expired, non-revoked public certificate inheriting up to a configured Anchor certificate per 2.2. Normally this will mean symmetric encryption with key exchange encrypted with PKI; and
". Implementations should also ensure that users can leverage existing credential management programs; for example, ICAM in the federal space (see related links).
It is interesting to note that Kantara is included in the related links section of the recommendations.
I also include urls for the various key Direct Project Work Groups:
_http://wiki.directproject.org/Security+and+Trust+Workgroup_
_http://wiki.directproject.org/Best+Practices+Workgroup_
_http://wiki.directproject.org/Implementation+Group+%26+Our+Workgroups_
If not IAWG, certainly the HIAWG should be aware of what is going on...