2014-11-03 eGov Meeting Minutes

1. Administration

5 participants - quorate

Ocotber minutes - Thomas moved, Denny seconded

2. Meeting reports:

2.1 IIW

Indianopolis A-Camp Advanced Camp

Open Space conference

Vectors of Trust Meeting

Roland, Leif, Scott Cantor, Justin Reiker sp?, NSTIC Peter Gillet sp?

Topic is not mature yet with diverse points of view

The relevant stakeholders and experts still don’t agree very much.

It became clear that there are two general approaches

1) have a more granular view on how to convey level of assurance

e.g. FIDO alliance - strong authn but no identity proofing

low identity assurance but high authentication assurance

more granular approach

reduce the number of requests

2) to see Vector of Trust as a framework

depending on the risk assessment of the Relying Parties

Rainer was proposing a risk based vector of trust - before a wide number of controls are made mandatory to a RP, this should be minimized as much as possible. In a commercial environment, it should be possible to limit the liability to a certain euro value (10, 100e ) etc

From a legal point of view, everything that is outside compliance requirements, it should be possible to communicate the risk requirement “risk appetite” of the RP and the offering of the IDP.

In EDU, IDPs say they have no liability. What then is the value of the identity?

An additional list of 10-12 areas was made which in addition to the 3-4 which Justin announced. Bob Morgan had developed a list of three.

Denny: Various uses cases for risk-based authentication, especially seen in gov services:

Velocity checking, how often you access a given service or geolocation checks but based on transaction

Classic risk management approaches can be applied:

• Transferring the risk: specify a liability for the risk
• Mitigating the risk: verify by audit that agreed controls are implement
• Avoid: risk:
• Accepting the risk:

3-4 vectors

a linear scale of each vector

if you have multiple vectors

Need sub vents

general operational security crosses all sectors

see also the related mailing list

—

Yubikey presentation captured attention very well

non-observability non-linakbility of accounts

privacy enhanced login

U2F authentication (FIDO) is very well implemented

Very privacy preserving feature

The key never leaves the hardware

The ephemeral key is sent to a verifier and then check upon return.

This helps to keep unlinkability

Still a proprietary interface to google chrome. IE has committed to implement.

Could be applied to attributes also.

SAML vs OpenID Connect

Major difference is in the capability of dynamic configuration of clients.

ZXID had an implementation

GEANT trust broker - IETF draft is available for a proposal of a dynamic same configurations

Good discussion about service provider provisioning

Typical an assertion is sent to the SP with some attribute statement and

Sometimes you need users up front (legacy reasons, groupware, reporting etc)

Lots of discussion on how to do that, and how to do it in scale

OCT?? Washington State

Scalable MQ services have been implemented where IDP are pushing user objects to applications in a proprietory format depending on the application.

Discussion regarding SAML attribute statements, SCIM etc

See Notes Topic : Grouper and Messaging