May 14, 2014 Meeting Page
1. Call to Order and Roll Call
- Assign Note taker
2. Review comments received on the draft Attribute Practices Statement template
Additional comments are welcome!
Peter Alterman has agreed to discuss his fundamental comment about whether "heavy-weight" attribute assurance and attribute provider practices statements are really needed or desirable.
3. Next steps on the Attributes Assurance Whitepaper
Proposal: extend this white paper into second ToR deliverable: "Develop a white paper that includes an analysis of applying the existing LOA identified in NIST SP 800-63, as well as other sources to include ISSA and OIX, that explores the feasibility of extending an attribute trust framework to the private sector"
4. Any other Business
5. Preview next meeting (preparation for June plenary)
Attendees: Jerry Kickenson Peter Alterman Andrew Hughes Ann Racuya-Robbins Bob Natale David Coxe Jonathan Rosenberg Sal D'Agostino Tim Baldridge
1. We reviewed few comments on APS from Jerry Kickenson. Disposition is recorded in comment form.
2. Peter presented his position on heavyweight controls and attribute levels of assurance. APS is not levels of assurance. But rather than derive APS from RFC 3647, a survey of actual "trusted" attribute providers and derive from actual practices. Andrew agreed with Peter and David that LOA is not appropriate for attributes. But should we get RP current requirements on how they decide to trust attribute providers?
3. Regarding LOA approach to attributes, view is that assurance should be left to market and not formalized in single standard. There seemed to be a consensus on this among those present.
4. It was noted there are lots of attribute management efforts and initiatives - this is 7th or 8th. Is this effort within IDESG necessary?
5. Tim: Disambiguating identities using additional attributes has a real use case (federal, at least), to prevent identity theft, and allow agencies to tie returning users to existing identities. Agrees there are no LOAs for attributes - either RP trusts the provider, or doesn't.
6. David noted that NSTIC pilots are doing attribute exchange with large providers, and providers in pilot do not offer any guarantees or APS-like statements. RPs either trust the provider based on history and business relationships, or don't. There is no contract or formal standard involved. This is an example of actual practice. David also noted that OIX Attribute Trust Framework, after approval, is not fully implemented. The attribute "label" described in the OIX framework is just not provided by large attribute providers.
7. Jerry mentioned NIST request to have a session at June plenary to seek input on an attribute assurance workshop. Request is now with Adam Madlin, Security Committee chair.
A1: Revisit with Security Committee whether the APS is a useful deliverable of IDESG. A2: If APS within IDESG is indeed a useful exercise, go back and survey actual operational practices as input to it. A3: White paper, which advocates levels of assurance for attributes, should be reconsidered, at least for private sector.
9. Next meeting: May 25. Discuss June plenary, NIST session request, what else do we want to accomplish at plenary?