February 24, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE WORKING SESSION NOTES - draft
Meeting Date: February 24, 2015 (working session)
Attendees:
- Adam Madlin
- Ann Racuya-Robbins
- Bob Pinheiro
- Christopher Spottiswoode
- Hans Vargas
- Jeff Shultz
- Linda Braun, Global Inventures
- Martin Smith
- Ryan Galluzzo
- Sal D’Agostino
- Seetharama Durbha
- Steve Orrin
- Seetharama and Ryan led the call. Notes were taken by Linda Braun.
- Ryan began immediately with Requirement #2, reviewing the feedback from the FMO. Suggested disposition: add language about conflicts in namespaces and account identifiers. Ryan will update the requirement.
- Requirement #4: No suggested changes from FMO.
- Requirement #5: Suggested disposition: modify the requirement statement to be explicitly about TLS and mutual authentication: “Service providers utilize properly configured TLS to enable individuals and other entities to verify the source of credential and token data.” Supplemental guidance would need to be developed. Discussion followed. Ryan updated the requirement to: “Service Providers utilize industry accepted practices and standards to enable individuals and other entities to verify the source of credential and token data.”
- A further suggestion was to list best practices and redefine the requirements accordingly.
- The Assessment Guidance document (yet to be created) was discussed; it can carry as many references to the current requirements as the committee thinks appropriate.
- On whether end users could know about these practices: as a general matter, is there anywhere in the framework a requirement for transparency about what service providers are doing? It was believed that this is covered by the Privacy requirements and the UXC requirements.
- Requirement #6: The suggested change concerned the supplemental guidance. Suggested disposition: reject. A legal guardian or a designated individual/member of a group would be an “appropriate” user and would require the same or similar steps to determine that the individual should, and does, receive the credential/tokens.
- Requirement #7: The pilots suggested that the requirement refer to a “documented” policy and that “to mitigate” be added under Supplemental Guidance. Suggested disposition: change accepted.
- Requirement #8: Suggested disposition accepted. Let the FMO know that Security has discussed transparency and considers it out of scope for this committee, but would like to see it covered under Privacy or UXC.
- Requirement #10 (proof of control of the token during the authentication process): Suggested disposition: partially accepted. Wording for the supplemental guidance was suggested; the team will discuss it at the next meeting.
- Next working session: Thursday, February 26, 2015, at noon ET.
- Linda to schedule the March 3 WebEx and send the notification to the Security Committee.
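The Requirement #5 discussion above turns on what “properly configured TLS” and mutual authentication mean in practice. The following is an added illustration, not text from the IDESG wiki or a configuration endorsed by the committee: it builds a hardened client context, a server context that requires a client certificate, and a deliberately weak client context, then audits each for the properties that let a relying party verify the source of credential and token data (chain validation, hostname check, minimum protocol version). The certificate and key file paths are hypothetical parameters; nothing is loaded unless they are supplied.

```python
import ssl

# Added example (not IDESG text): what "properly configured TLS" can mean in
# Python's ssl module. certfile/keyfile/cafile paths are hypothetical.


def hardened_client_context(cafile=None):
    """Client side: validate the server's chain against trusted CAs, check the
    hostname against the certificate, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def mutual_auth_server_context(certfile=None, keyfile=None, client_cafile=None):
    """Server side: present the service's own certificate and REQUIRE a client
    certificate chained to client_cafile (mutual authentication)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if certfile:  # hypothetical path; only loaded when supplied
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_client_context():
    """Deliberately misconfigured: no chain validation and no hostname check,
    so any party with any certificate can impersonate the source."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context satisfies the
    three checks this example treats as the baseline for source verification."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (
        ("hardened client", hardened_client_context()),
        ("mutual-auth server", mutual_auth_server_context()),
        ("weak client", weak_client_context()),
    ):
        print(f"{name}: {audit_tls_context(ctx) or 'OK'}")
```

The audit function is the piece a pilot could reuse when writing supplemental guidance: it encodes the concrete conditions behind the phrase “properly configured” rather than leaving them to interpretation, and the server context shows that mutual authentication is a one-line policy decision (`CERT_REQUIRED` on the server side) once a client CA is trusted.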