2014-11-03 eGov Meeting Minutes
Date and Time
Date: 3. November 2014
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
Roll Call
- Rainer Hörbe
- Denny Prvu, CA Technologies
- Ken Dagg
- Thomas Gundel, ITCrew
- Keith Uber, Ubisecure (Note taker)
Apologies
- Colin Wallis
1. Administration
5 participants - quorate
October minutes - Thomas moved, Denny seconded
2. Meeting reports:
2.1 IIW
Indianapolis A-Camp Advanced Camp
Open Space conference
Vectors of Trust Meeting
Roland, Leif, Scott Cantor, Justin Reiker sp?, NSTIC Peter Gillet sp?
Topic is not mature yet with diverse points of view
The relevant stakeholders and experts still don't agree very much.
It became clear that there are two general approaches:
1) have a more granular view on how to convey level of assurance
e.g. FIDO alliance - strong authn but no identity proofing
low identity assurance but high authentication assurance
more granular approach
reduce the number of requests
2) to see Vector of Trust as a framework
depending on the risk assessment of the Relying Parties
Rainer was proposing a risk-based vector of trust: rather than making a wide set of controls mandatory for an RP, the mandatory set should be minimized as much as possible. In a commercial environment, it should be possible to limit the liability to a certain euro value (e.g. 10 or 100 EUR).
From a legal point of view, for everything that is outside compliance requirements, it should be possible to communicate the risk requirement ("risk appetite") of the RP and the offering of the IDP.
In EDU, IDPs say they have no liability. What then is the value of the identity?
An additional list of 10-12 areas was drawn up, in addition to the 3-4 that Justin announced. Bob Morgan had developed a list of three.
Denny: Various uses cases for risk-based authentication, especially seen in gov services:
Velocity checking (how often a given service is accessed) or geolocation checks, but based on the transaction
Classic risk management approaches can be applied:
- Transferring the risk: specify a liability for the risk
- Mitigating the risk: verify by audit that agreed controls are implemented
- Avoiding the risk:
- Accepting the risk:
3-4 vectors
a linear scale of each vector
if you have multiple vectors
Need sub vents
general operational security crosses all sectors
see also the related mailing list
—
Yubikey presentation captured attention very well
non-observability, non-linkability of accounts
privacy enhanced login
U2F authentication (FIDO) is very well implemented
Very privacy preserving feature
The key never leaves the hardware
The ephemeral key is sent to a verifier and then checked upon return.
This helps to keep unlinkability
Still a proprietary interface to google chrome. IE has committed to implement.
Could be applied to attributes also.
SAML vs OpenID Connect
The major difference is in the capability for dynamic configuration of clients.
ZXID had an implementation
GEANT trust broker - an IETF draft is available proposing dynamic SAML configuration
Good discussion about service provider provisioning
Typically an assertion is sent to the SP with some attribute statement and
Sometimes you need users up front (legacy reasons, groupware, reporting etc)
Lots of discussion on how to do that, and how to do it in scale
OCT?? Washington State
Scalable MQ services have been implemented where IdPs push user objects to applications in a proprietary format depending on the application.
Discussion regarding SAML attribute statements, SCIM etc
See Notes Topic : Grouper and Messaging
Next Meeting - Date and Time
Date: 1. December 2014
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
-------------------------------------------------------
To join the teleconference
-------------------------------------------------------
DIAL IN INFORMATION:
Skype: +99 051 000 000 481
Conference Id: 613-2898
US Dial-In: +1-805-309-2350
http://kantara.atlassian.net/wiki/display/GI/Telco+Bridge+Info