Date and Time
Date: 7. July 2014
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 08:00 NZ(+1)
Roll Call
- Colin Wallis, NZ government
- John Spicer, 2Keys
- Rainer Hörbe (note taker)
- Matthew Trigg, UK cabinet office
- Guy Huntington, Province Alberta
1. Administration
5 participants - quorate
June minutes - Colin moved, John seconded
2. Discussion: separate LoAs for identity proofing and credentials?
Guy: Governments of Alberta and B.C. have separated credential from identity assurance. Federal Canada may go the same path. FICAM has identity assurance broken out. Europe and the UK have both in the same LoA value. So it appears that the US and Europe are marching down different trust framework paths, as possibly is Canada. NZ hard coded identity assurance into the values. So it will be interesting to see how these frameworks evolve on the policy and protocol levels.
Rainer: what are the requirements for relying parties to separate cred. and id assurance?
Guy: LoA of identities and credentials are not aligned. Alberta is also considering using multiple credentials of different strength, e.g. from 3rd parties.
John: When identities are shared between governments, they might want to know the different types of LoA.
Matt: For the UK it is all about the service consuming knowledge and confidence about the user for transactions. A high level of id assurance does not provide more trust. On the other side, if id assurance is low, there is no need to pay for a high assurance credential; that would not be proportionate.
Guy: A use case that we have to deal with is a low id and high cred assurance, which is a lower session assurance.
Matt: .. the level of proofing is the more expensive part.
Guy: Multiple credential use case, some strong, some low – user may choose – session level is lowest of the two.
Colin: History in the US is based on NIST 800-63: It was designed for enterprise-type authentication, now it is used as baseline for the G2C space.
Matt: in the UK we are struggling with finding a use case where you need a strong credential but low proofing.
Rainer: With some use cases where the service does not link to pre-existing PII, there might be a benefit to have a stronger credential, but it is up to the user to decide. There might be no need to enforce it by the service.
John: Proofing is being improved over the course of the next couple of years, that is why the values should be separated.
Rainer: For the long term it might make sense to put the additional into some attributes, and use the AuthenticationContext for the combined value.
..
Colin: There was a discussion in 29115. ISO SC27 is currently creating identity proofing guidelines.
AI: Colin to extract salient pieces from the ISO document and share it in the WG.
Matt, John emphasize the need to agree on terminology.
Rainer: We had a discussion on the scope of LoA a couple of years ago. There is a slide in:
http://kantarainitiative.org/confluence/display/TFMMWG/Enhanced+LoA
John: made a mapping about use in different countries. Will ask to make this available to the group. Canada has to come up with names and values and associated use cases.
Rainer: 29115 defines the scope of LoA .. includes both IPV and authentication. I think that min(IPV, credential) is a common semantic for SAML authentication context. But this needs to be discussed. Anyway the scope in 29115 is clearly described: it includes IPV and authN, but not anything after the authentication event, like session protection, e.g. holder-of-key-type models.
Colin: Formally, the scope of SAML authnContext is defined out of band.
(..) we should work on this in the group and propose a solution in the eGov profile or saml2int; could then propose this to the OASIS SSTC.
Matt: will try to contribute something about session assurance (may be a bit embryonic).
Date and Time
Date: 4. August 2014
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
-------------------------------------------------------
To join the teleconference
-------------------------------------------------------
DIAL IN INFORMATION:
Skype: +99 051 000 000 481
Conference Id: 613-2898
US Dial-In: +1-805-309-2350
http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info