Identity Assurance SIG Kick-off Meeting
January, 30th 2008
Attendee List
Peter Alterman, GSA
Debbie Bucci, NIH
Duane Clouse, Verizon Business
Dan Combs, NEPCC
Edward Coyne, SAIC
Russ Cutler, Liberty Alliance
Nathan Faut, KPMG
Myisha Frazier-McElveen, GSA
Sam Garts, Probaris
Jim Gross, Wells Fargo
Jane Hennessy, Wells Fargo
Helen Hill, HIMSS
Henry Horton, IBM
Lena Kannapan, FuGen Solutions
Edward Konchalski, Indian Health Financial Systems
Georgia Marsh, KPMG
Brett McDowell, Liberty Alliance
Andrew Nash, PayPal
Jeff Nigriny, CertiPath
Paul Norton, ID Analytics
Bob Pinheiro, Pinheiro Consulting
Michael Platoff, Pfizer
Hemma Prafullchandra, FuGen Solutions
Scott Rea, Dartmouth College
Tatsuki Sakushima, Nomura Research Inst. of America
RJ Schlecht, Mortgage Bankers Assoc.
Mollie Shields Uehling, SAFE-BioPharma Association
Judith Spencer, GSA
Tammy Stathas, GSA
Jeff Stollman
Vijay Takanti, CertiPath
David Temoshok, GSA
Jagn Vasantharao, Comtech-GSA
Frank Villavicencio, Citi
Notes
Peter Alterman (IASIG co-chair) drew the following diagram to explain the relationship between the Liberty Identity Assurance Framework (LIAF) and the specific Policies & Technologies utilized by individual Identity Federations.
There was concern that LIAF was defining policies and technologies. This diagram explained the relationship of the framework to the specific deployments.
[Hemma: I think this is an area that the IASIG can take on – better explain that LIAF is a framework and does not stipulate specific policies or technologies that MUST be used by an Identity Federation. It does define criteria that SHOULD be considered by Identity Federations. If a Federation chooses to define specific policies and technologies that fall within the LIAF, then the Federation members can be assessed and LIAF certified. By getting LIAF certification the Federation can more efficiently and easily interoperate and establish trust with other LIAF certified Federations. Thoughts?]
[Comment1 - Exactly the point. It can help keep Liberty from drifting into becoming a federation itself.]
IASIG should:
- Facilitate Policy and Technology/Operational definition/selection/implementation.
- Provide training and introductory material to folks just embarking on developing identity federation.
- Provide case studies of mature Identity Federations (e.g. Federal PKI, SAFE).
- Help to identify emerging and evolving trends for inclusion in the LIAF.
- Collect Use Cases to challenge LIAF. For example, the Mortgage Industry, which has low technology capability.
- Perform a gap analysis of LIAF against:
  - SAFE
  - EU E-Sig
- Reach out to:
  - International Forums (e.g. Porvoo)
  - Identity Analysts (e.g. Gartner, Burton Group, …)
  - Auditors/tScheme/WebTrust
Concrete Feedback:
- HSPD-12 credentials were mentioned and the attendee (Was this Judy Spencer or Dave Temoshok of GSA?) wanted to understand how they fit in. We need to get a Use Case from this attendee.
- The process to review LIAF for comprehensive coverage will be iterative. Each Use Case challenge may result in further refinement or additions to the criteria defined in LIAF.
- The language used in LIAF is US-centric. We need to go through a “globalization” effort and change LIAF so that it makes sense to all the regions in the world. For example, LIAF says “one form of Federal or state-issued identity” – this could just say “one form of Government-issued identity”. There is mention of FIPS 140-2 – this is US-centric and should be listed as one of the equivalent standards that define the requirements for hardware or software cryptographic modules.
- It was suggested that we approach the following international bodies to provide regional input: USCIB/ICC (get contacts from the Commerce Dept), EU, South America, Asia, etc.
- Learn from previous international discussion – Peter and Judy
- LIAF MUST remain technology agnostic.
[Comment2 - But not all technologies satisfy all trust levels]
- LIAF must link Risk to Approach.
- Address Privacy concerns by reaching out to Privacy advocates and EU.
- We need to better articulate the value of a trust framework.
- There was much discussion on Identity and what an Identity includes – even the term “core identity” was used, where a core identity includes name and organizational affiliation. There was discussion around an Identity Hub which includes an Organization identity, an individual identity and then other attributes, e.g. citizenship. Identity attributes and assurance were discussed at length (see comment). TSCP (www.tscp.org) was mentioned as an example where, in order to support data marking (DRM and access control), they FIRST needed to establish identities and their attributes.
[Comment3 - The question of Identity actually becoming an attribute was raised]
  - It is currently out of scope.
  - It should, however, be considered in the future; but recognize that there will be multiple attribute profiles.
- LIAF should define scope in terms of federation actors – it currently does not define criteria for consumers of the identities (i.e. relying parties/downstream consumers); LIAF should explicitly state what is in scope for v1 and what will be addressed in later versions.
Logistics:
- Prefer face-to-face meetings
- Try to schedule around other events such as RSA conference, etc.
- We should sponsor sessions at other events, tradeshows, conferences, e.g. HIMSS.
- Break into working groups to develop/get case studies (e.g. SAFE, Federal PKI) and use cases.
- Publish on the wiki – meeting notes, Case Studies, Use Cases.
- Leverage mailing list to communicate with attendees.
- Share attendee contact list.
- Review LIAF and provide comments via email or through the wiki.
- Hemma to provide/post Use Case template on the wiki.