2023-08-30 Meeting notes

Chaudhury, Atef / Krishnaraj, Venkat

X

Davis, Peter

X

Hughes, Andrew

Jones, Thomas

X

Thoma, Andreas

Wunderlich, John

X

Williams, Christopher

Auld, Lorrayne

Aronson Mark

Moved to non-voting 2023-08-30

Balfanz, Dirk

Brudnicki, David

D'Agostino, Salvatore

X, Moved to non-voting 2023-08-30

Dowtin, Jazzmine

Dutta, Tim

Flanagan, Heather

Fleenor, Judith

Glasscock, Amy

Gropper, Adrian

Hodges, Gail

Moved to non-voting 2023-08-30

Jordaan, Loffie

LeVasseur, Lisa

Lopez, Cristina Timon

Pasquale, Jim

Moved to non-voting 2023-08-30

Snell, Oliver

Stowell, Therese

Sutor, Hannah

X

Tamanini, Greg

Vachino, Maria

Whysel, Noreen

5 min.

• Start the meeting.

• Call to order.

• Approve minute

• Approve agenda

@John Wunderlich 

Called to order: 13:02

Quorum reached: Yes @ 13:03

Minutes to approve: No objections, Approved

https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/170065921

0 min.

Open Tasks Review

All

5 min

Announcements

Christopher taking lead on next couple of meetings. John to focus on getting implementer’s report out the door.

Ask: Warning for when discussion of implementer’s report will happen so scheduled can be accommodated.

35 min

Requirements discussion

Goal: Get a VIP statement for purpose, legitimacy, and specification.

• Discussion: Would issuer specify purposes for which credential should be used?

  • Holder should always have final say. If released by the holder, issuer could potentially restrict who gets / asks for one.

  • Terminal authentication is the verifier taking technical steps to ensure that the verifiers reading hardware/software combination meets a certain standard.

    • Identifier of the relying party that the issuer can then build business rules for in their app if their app encounters a typical relying party.

    • Issuer can issue a policy - sometimes the issuer builds the wallet, too. Wallet has credential and policy and has to make decision. Issuer can issue a policy to the wallet.

  • Falls into limiting use into authorized uses, or a security issue around only allowing readers that meet issuer’s standard

  • Issuer says “you must meet policy X” before credential will be issued to device. At presentation time, that authorized wallet uses the information provided to the issuer to validate that the device is on the list that’s in the policy and will provide the data to the reader. (this would be a new set of requirements)

• Discussion: Policies

  • Certain policies may be privacy-preserving, others not

  • Verifying organization should train its staff that use the reader on how to respond to questions about privacy

  • Some policies have no technical implications. People policy vs machine policy

  • Need a statement about people supporting policies - parked until Security

  • Complying with 27001 involves training and HR requirements

• Discussion: VIP requirement under UR is “Can’t phone home”

  • Highly desirable, or requirement? Not all credentials will seek to be privacy enhancing

Adjourn