March 5, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE MEETING NOTES - draft
Meeting Date: March 5, 2015
- Aaron Guzman
- Adam Migus
- Andrew Hughes
- Ann Racuya-Robbins
- Jeff Shultz
- Linda Braun, Global Inventures
- Martin Smith
- Paul Knight
- Paul Laurent
- Ryan Galluzzo
- Sal D’Agostino
- Seetharama Durbha
- Seetharama and Ryan led the call. Action: Adam Madlin to post all minutes provided by Linda to the wiki.
- Notes taken by Linda Braun
- Ryan started by reviewing Requirement #10. He said this requirement was discussed on 2/26/2015 and again during a call with a small group on 3/3/2015.
- Requirement #10: Outcome-based requirement statement, updated to: Service provider employs secure authentication on protocols for the purpose of demonstrating user control of the issued token. Group agreed to move on to the next requirement as there was not full agreement on the wording.
- Requirement #11: Ryan read FMO comments: If we have no quantitative way to demonstrate comparative determinations of strength then we cannot use this requirement. This may need to be a requirement for a second factor. Users are able to choose a multi factor authentication option.
- The team considered the following outcome-based requirement statement during the discussion.
- Service providers must consider shared secret authentication methods as weak when conducting risk analysis or access control.
- User is able to choose the authentication mechanism and should be given guidance to make a risk based choice.
- Users are able to choose a multi factor authentication option.
- Comment: user should be able to choose the authentication method they use.
- Chat from Martin Smith: maybe the requirement is for transparency, and "meaningful" transparency.
- The meeting ended with the statement: Service Providers offer an alternative to password authentication. The team agreed to meet next week to work on the statement further, and Ryan will work on supplemental guidance.
- Next working session: Linda to put out a Doodle poll with option of meeting Monday (March) or Tuesday (March 10).
- Linda to schedule next working session.
- Adam to post previous notes to wiki.