2023-04-18 Meeting notes

 Date

Apr 18, 2023

 Participants

Name 

Present 

@Noreen Whysel

Bev Corwin 

@Salvatore D'Agostino

Thomas Sullivan 

Catherine Schulten 

Jim StClair 

James Kragh 

Thomas Jones 

Y

 

Non-Voting Participants  

Name 

Present 

@Simone Alcorn (Unlicensed)

@Michael Magrath (Unlicensed)

 Quorum: Yes 

 Agenda

  • NCCoE Meeting Review ISO 18013 call for participation

  • Kay presentation in Berlin

 Discussion topics

Time

Item

Presenter

Notes

 

NCCoE Meeting Review ISO 18013 call for participation 

@Noreen Whysel

Presentation: 

https://turing.kantarainitiative.org/pipermail/wg-riup/attachments/20230321/dc947c13/attachment-0001.pdf 

  • Looking for use cases from verifier POV 

  • We could show them a functional model for authentication/verification 

  • TomS: Medicare and Medicaid considering supplying recipients with mobile phones. Creates a privacy risk. Federal government has a right to access data (?) since they pay 50% of state programs. (Tom J says they may have the right but not the means.)

  • Bev: tech reporting requirements may show whether feds have access. Fed doesn’t have access to GIS location data. 

 

Noreen’s notes from NCCoE call 

Goal: Enable online reference implementation of mDL 

 

ISO/IEC 18013-5 MDL 

https://www.iso.org/standard/69084.html   

ISO/IEC 18013-7 Unattended Use Cases 

  • will make reader reference implementation open source 

How to get involved 

  • Verifiers should bring in use cases and business processes (RIUP WG) 

  • Issuers to provide test MDLs 

  • 3p trust service providers to provide trust lists (Kantara trusted providers list?) 

mDL implementers must meet minimum requirements 

  • AAL 2 and 3 minimum 

  • FIPS 140 validated secure area

    • Cryptographic key pairs generated and not exportable 

    • more outlined on the presentation 

Scenarios / Transaction Types (use cases) - goal is to see how trustable the solution is in these use cases 

  1. Attended 

  2. Identity Proofing 

  3. Attribute Presentation 

  4. Authentication 

  5. Single Sign-on 

 

Interested in real life verifiers who are interested in using mDL in providing services. 

More information is available at 

https://www.nccoe.nist.gov/projects/digital-identities-mdl  

Contact: mdl-nccoe@nist.gov to express intent (LoE) 

Comments due March 31  

Final Project description will be in a Federal Registry Notice and formal invitation. 

 

Timeline: Project will last one year. 

  • 3-6 months: prototype development 

  • 6 months: demo available 

  • 1-1.5 years: practice guide published 

 

Q&A  

  1. Reference Implementation Sandbox: 

    1. There will be a GitHub for development reference implementation.

    2. Will run an online service/sandbox to test mDL remotely.

  2. A participant asked to consider relaxing some of the implementer requirements. Response was to put request in the comments. 

  3. CSP can participate 

  4. How will hardware devices beyond mobile phones be incorporated (eg stationary kiosks): 

    1. Covered in 18013-5. Wants to see solutions that implement other devices

    2. As long as it meets mDL security and privacy needs 

  5. No plans to document user experience. Out of scope for now. 

    1. Expects to put something in the practice guide on their observations of user consent, but no formal evaluation of user friendliness is in scope. Would need another task to focus on UX. 

  6. Question about privacy, security 

    1. "Technology doesn't solve all privacy issues." 

    2. Sal D'Agostino posted the question. It didn't sound like he was satisfied with the answer so maybe he can discuss on the call today. 

  7. Equity across demographics 

    1. "More and more people are using mobile devices. Enabling use of mDL for different services does provide vital service, place to interact and learn from our project. Will try our best to have different varieties of devices, different platforms, different hardware orientations, different expenses, etc."

    2. They do expect different people to use mDL on many different devices. 

  8. How is this linked to work in Europe? 

    1. A commenter posted: "eIDAS v2 is adopting ISO18013 as well"



Kay Upcoming Presentations 

Jim Kragh

  • Kay is looking for two slides from each WG for her upcoming presentations. 

Tom to do a draft for group to review via email. 



 Action items

Dr. Tom to draft a slide for Kate’s presentation for the group to review via email.

 Decisions