LC telecon 2012-09-19 - Strategy Call

Date and Time

  • Date: Wednesday, 19 September 2012
  • Time: 13:00 PT | 16:00 ET | 20:00 UTC (time chart)
  • Call-in toll-free number: 1-866-203-0920
  • Call-in number: 1-206-445-0056
    • Conference Code: 5423695925#
  • International Dial-In Numbers

Agenda

  1. Roll Call
  2. Discussion
    1. Consumer identity space (in the context of AntiFraud)
    2. High Assurance PKI Federation outside USA/FICAM
    3. European/UK situation
    4. Non-Person Entities - Device, Organisation and Software.  Implications of new ID standards and the need for certification/assurance against them.
    5. Geo-authentication and trusted location services - UPRN (Unique Property Reference No) and LEI (Legal Entity Identifier).  LEI is mandated by the G20 for the finance sector.
    6. Trust Framework Subcommittee
    7. NSTIC
  3. AOB
  4. Adjourn

Attendees

  • Joni Brennan
  • John Bradley
  • Tom Smedinghoff
  • Bob Pinheiro
  • Allan Foster
  • Sal D'Agostino
  • Patrick Curry
  • Myisha Frazier-McElveen
  • Colin Wallis

Staff

  • Heather Flanagan (scribe)

Notes

Consumer identity space (in the context of AntiFraud)

  • http://bobpinheiro.com/docs/NSTIC_and_IDTheft.pdf  
  • Joni will be at the Anti-Phishing/e-crime event in mid-October and is looking for information/background
  • there seems to be a disconnect between cybersecurity and the identity standards space; Joni's presentation is on Identity Federation as Beat Cop
    • if organizations are joining in a circle of trust, there will be a shared set of metadata, and some of that metadata could include information about good AND bad actors, and then all in the federation would know who the bad actors are in those IdPs
    • John - a good theory, but is against NSTIC Principle #2; if you make the assumption that the IdP has the ability to protect the user against the bad actor, then making sure the IdP doesn't know where and how identity is being used is kind of a conundrum
    • Joni - maybe this can follow the Canadian "triple blind" model - the broker doesn't know who you are, the IdP doesn't know what you were trying to access, and the broker doesn't know who provided your authN services
    • are there any decent anti-fraud angles that tie in to what Kantara does?
    • Do you need a list of bad guys, or is a list of good guys enough? if you can identify who you are dealing with, that could be good enough; you should only need to be identified as who you are for certain, limited things
    • John - Note that Germany has tried to implement this, but it hasn't received much traction; if you want to be a trusted party in Germany, you have to buy your certificate from the government and let them know exactly what government-approved attributes will be used
    • is the focus on consumers and consumer fraud (identity theft)?  it doesn't have to be 100% consumer, because even the gov't/enterprise can be a consumer; this can be about any kind of fraud; let's be clear on what fraud means - it usually means impersonation, and that leads us down the path of the identity proofing model(s)
    • what else in the federation model helps prevent or identify fraud? (John) if you can put more analytics and behavioral analysis in the IdP activities, that could help prevent fraud (think about what credit cards and PayPal do); could federation operators do this instead of IdPs?
    • (Tom) looking at the EV-SSL certificate model and that trust framework, isn't that anti-fraud at its heart? (Bob) you have to focus on what kind of fraud we're talking about, because this space is so big; so now the website has auth'd itself to the user/consumer, so how does the consumer auth themselves to the website? It was originally client-side certificates, which never panned out; there is a big hole there, for users to be able to auth themselves properly to the website (high assurance, easy to use); (Tom) in theory, that's where federations would come in
    • (John) there are legal issues here too, if you deny service because of a third party set of information; (Tom) this is a fundamental liability question
    • (Allan / Joni) if RPs agree to trust a set of IdPs, and those IdPs have people or something that use their system in a known fraudulent way, then the IdP can lock them out, and because they've done that, as the spammer, you can no longer use that identity to use that service in that federation model
    • (Tom) are we mixing identity and conduct here? are we asking the IdP to make value judgements?  (Bob) if we can just focus on identity, that is potentially easier
    • this presentation/panel is with very technical, non-identity geeks; the goal is to get them interested/excited/understanding the federation and trust framework model and how it can help them

High Assurance PKI Federation outside USA/FICAM

  • From Patrick; there is no equiv of FICAM overseas, and so looking to use KI right up to the top with level 4 where "we" is the wider BBFA context (UK, but an EU context, with Korea, Canada, and US); so what do we do outside of where FICAM has sovereignty; and how do those nations work with each other and the US; if you have L4 or L3 in the US, but the industry is not part of FICAM, then what? For example, the finance sector; leads to interesting questions when talking about global supply chains
  • So, if we use KI SAC to go through that for a company getting L3 certified in Europe, and it is cross-certified to FICAM, what does that actually mean/look like?
  • (Joni) as the IAWG is completing the Disp of Comments for the latest rev of IAF, would request them to start looking at a comparison of requirements at an international level; e.g. the IAF against the appropriate UK identity scheme; (Patrick) noting that this particular topic is about PKI / High Assurance; to go on the Roadmap for IAWG
  • the IAF has to go under some revision on its own for some mapping to the latest 800-63-1; see also ISO 29115
  • note there is an IANA registry of LoA that could fit in to this as well


European/UK situation

  • Draft Regulation, which is a draft piece of legislation which would be voted into law: mutual recognition, and that makes much of the SAC irrelevant
  • Kantara could potentially have impact by making FICAM more aware on an international front
  • SANS tag 3 just published a draft version 4, and the UK equiv of the NSA

skipping next agenda items in favor of time, will recapture 3-5 on the next strategy call

Trust Framework
