These two meeting sessions were attended by 14 members from 13 member organizations.
Introductions and Agenda
After a round of introductions, the members reviewed the published Agenda for the Security Forum. It was agreed to swap the agenda
sessions on Thursday afternoon, putting Security Architectures into Session 3 and
Evaluation of Proposed New Projects into Session 4. Otherwise the agenda was approved.
Review of Actions and Progress Since the April Meeting
The actions from the previous meeting (slides 5 through
7) were then reviewed, and approved as satisfactorily completed, with ongoing activities
being addressed in the Security Forum's agenda over the rest of this Conference. In
addition, the series of weekly teleconferences each Friday (with some cancellations) was
reviewed, and it was agreed these continue to prove their value in maintaining visibility,
debate, and progress on our major projects. In discussion it was found that holding these
weekly teleconferences on Fridays was not the most convenient day; Tuesdays were agreed as
a more convenient choice, at the same time of day (09.00 US Pacific). Ian was requested to
issue an announcement on this. The next teleconference will be on Tuesday 4th August -
topic to be decided later in this Conference.
External Reports
The following external reports from meetings, conferences, and other events attended
since the previous meeting in April 2003 were presented:
- Ian Dobson gave a presentation on the work and vision of our Security Forum to I-4 in
Dublin on 23 June. The presentation was well received and is part of our outreach effort
to establish good working relationships with other relevant consortia. Ian is following up
this initial contact to see how mutually beneficial closer links can be set up. Ian's
presentation slides are available at www.opengroup.org/security/pres.htm.
- Ian Dobson gave a presentation to the second ALPINE Project Workshop held on 25 June
2003, explaining how our Active Loss Prevention Initiative has made a significant
contribution, and how this work has now been brought back into the Security Forum. The
report and slide presentations on the ALPINE Workshop are available at www.opengroup.org/alpine/.
- Mike Jerbic attended his local ISSA Chapter meeting recently. These local chapter
meetings are held monthly and he recommended other members investigate the value they
represent - he found it well worth attending.
- Bob Blakley attended the Burton Group Catalyst meeting in San Francisco, 7-11 July.
Major items were the Liberty Alliance on Federated Identity Management and their 2.0
specifications, discussions on Identity Management regimes, and the IBM/Microsoft
Federation specification. Also in this conference an identity scheme based on encryption
of a person's email address plus timestamp was proposed - Bob and others recognized this
as being a recycled idea that has several serious unresolved issues. Last year's Catalyst
conference had Role-Based Access Control as the way forward - this year's conference
review of progress verified that good RBAC is hard.
- Nick Mansfield chairs the CEN/ISSS (one of the three standards delivery organizations in
the European Union) Privacy & Data Protection Group. This group is now operating as a
Workshop in which industry and other representatives debate and agree on a set of
recommendations which are then presented to the EU - these recommendations have the force
of pseudo-standards for the EU, so those who have interest in them should participate to
ensure they meet their requirements. Their next meeting is in September 2003, and
interested representatives must register beforehand to have a vote.
- Craig Heath participates in the OMA, on their OM and DRM working groups. He is sceptical
about the DRM WG's wish to create its own security protocol in order to do revocation -
all in the Security Forum meeting shared Craig's views on this. Craig also advised that
the OMA's Security Forum is working on protocols for on-board key generation, and on
wireless profiles for OCSP (RFC 2560).
- Steve Whitlock attended the IETF meeting 7-11 July in Vienna. He recommends Vienna as a
good conference location. Their PKIX & IPSec working group is at last being wound
down, having lived for around 10 years now (about three times longer than most other IETF
WGs). Their sect & S/MIME WG is finishing its current drafts. Another WG is
addressing broken protocols - Ababa - and yet another is working on Fibre Channel using
DH-CHAP. He attended two BoFs: an Enroll BoF, and an Opsec BoF. Another area of interest
was on patents, where Certicom (secure form of DH key exchange, affects IPsec) and TecSec
(document signing & encryption, affects XML Sig/ENC, etc.) were discussed.
- Eliot Solomon also attended Catalyst in San Francisco and attended a BoF for early
adopters of Identity Management solutions, in which a major issue was what SSO really
means for logging in to access a set of things and what happens when you log out - does
everything terminate instantly? This raised the significant differences between what
authentication and logging-in to services mean, and the Shibboleth model focus on
authority to use particular resources without caring who is doing the access - this is
driven in part by Internet2 and FERPA compliance (no release of any
personally-identifiable information).
- Eliot also ran a SIMC meeting in July, where around 20 attendees validated the SIMC
Identity Management Phase 1 scenarios, and are now focussing on how identity management
can contribute to straight-through processing - federation of authority rather than of
identity. If the outcomes of their work are appropriate for publication, SIMC may decide
to bring their results to a standards group in due course.
Manager's Guide to Identity and Authentication
Eliot explained that in March 2003 Steve Mathews presented a draft of this Guide,
comprising six typical IT identity scenarios. Ian then added introductory context to it
and presented it in the Austin meeting (28 April - 1 May). Eliot took an action from the
Austin meeting to merge relevant information from an earlier draft for a Guide to PKI, and
this was reviewed in one of our Friday teleconferences. This latest draft is available
from www.opengroup.org/projects/idm (remember to login to access it).
Eliot explained his approach. Part 1 explains the complexity of the subject of identity
in the personal, social, and business contexts, then introduces how these have been
brought into the technical IT context and how the consequent requirements for digital
identity, and for authentication of that digital identity, have evolved. Part 2 describes
IT identity and authentication using a series of typical scenarios, as proposed by Steve
Mathews in his original draft.
Much discussion ensued on a range of issues in Part 1. Bob recommended that the
definition for "identity" be replaced by that given in the American Heritage
dictionary. Nick suggested this Guide should approach identity from the usage viewpoint;
enrollment is the precursor to identity and this needs to be brought out. Nick also noted
that in British law a person has one identity but may have multiple aliases. Bob
recommended we also refer to the US National Academy of Sciences publications for
authoritative information on this. We should also keep in mind the three popular concepts
for identity - something you know (e.g., a password), something you have (e.g., a token or
certificate), something you are (e.g., a biometric - fingerprint, etc.). We also need to
cover strength of enrollment and the mechanism used for it, and issues surrounding
strength of authentication. Nick noted that other things that should be included are that
common trust mechanisms are well-established, and identity management means management of
a lifecycle of relationships.
Eliot welcomed these comments and requested further inputs, particularly on what new
sections are needed, restructuring to improve presentation and flow of the information,
and improvements to the sequencing and flow of the scenarios. He added that the tone and
style need to be consistent with those used in the Manager's Guide to Information
Security.
PKI Trust Models
Ian referred to the half-page description (see the PKI Trust Models link from the
members-only plans page at http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm)
that Steve had submitted for this project, which we discussed in a SecF Topic
teleconference in June. Steve then presented a Trust Models outline template (available
from www.opengroup.org/projects/sec-guides/)
for describing Trust Model characteristics to be used to map the descriptive content for
each trust model under selected headings, and led a review on it.
Steve added several improvement points to the presentation template, and actions were
agreed to take this work forward - see Next Steps.
Identity Management Business Perspectives
Ian reported on the SecF Topic teleconference in early July, in which we reviewed Steve
Whitlock's alternative version and compared it with Martin Roe's original version. In
discussion the differences were characterized as Martin's original being biased towards
business-to-consumer and Steve's version being more business-to-business. In this context
we can anticipate further views that reflect business-to-employee, etc.
The conclusion of this brief discussion was that when we receive Martin's updates to his
original version, Ian will merge the two existing versions into one revised document,
which we will then use to verify the consistency of the deliverables from the Identity
Management joint project, and the content of our Manager's Guide to Identity and
Authentication.
Next Steps
Issue to sec-members an announcement that our Friday weekly teleconferences are in
future to be moved to Tuesdays, at the same time of day (09.00 US Pacific). Include the
new dial-in numbers, and announce that the next telecon will be on 5 August.
ACTION: Ian
Co-ordinate further contributions to developing the Manager's Guide to Identity and
Authentication, leading to a proposed final review draft by the end of August.
ACTION: Eliot Solomon
Lead activities to progress the development of a Technical Guide to PKI Trust Models,
by providing an updated PKI Trust Models template, co-ordinating further contributions
from other members, and producing a sample of a filled-out template for review in a SecF
Topic Telecon in early October.
ACTION: Steve Whitlock
Merge the two existing versions of the Identity Management Business Perspectives White
Paper into one revised document, which we will then use to verify the consistency of the
deliverables from the Identity Management joint project, and of our Manager's Guide to
Identity and Authentication.
ACTION: Ian