Manager's Guides
The Guide to Identity & Authentication has remained at the same draft level as was
presented in the Boston (July 2003) meeting. To stimulate progress, Ian had proposed
(email dated Oct 4th) a re-think on the overall structure and content of Part 1 of this
document. Eliot - as the editor-owner of the Guide - was not impressed. In discussion, we
went through Ian's proposed revision, and revisited the history and origins of this
project, to establish how we got to the present position and so make an informed decision
on how to move forward to complete this Guide. The discussion revealed significant
differences in understanding of both what Identity is and how we should explain it in this
Guide. Bob Blakley noted that it had taken the US National Academy of Sciences 18 months
to get it right, and he offered the URL for the definitive NAS document on this subject -
"Authentication Technologies and their Privacy Implications", which contains an
extensive discussion of identity: http://www.nap.edu/catalog/10656.html. The definitions begin on page
18: http://books.nap.edu/books/0309088968/html/18.html#page. Bob also circulated a URL
for relevant CSIS information on authentication:
http://csis.org/tech/authentication/0305_authentication.pdf. All recognized that the
issues surrounding Identity are complex but this is why there is
so much value in writing our Manager's Guide - to cut through the misconceptions and
present the key issues in the information security context. The conclusion of this review
session was that Eliot will take all the present input - including Ian's comments and
Bob's references - and produce a new draft for review.
The Identity Theft project was begun in this meeting, its Terms of Reference having
been approved in the Boston (July 2003) meeting. Initial discussion suggested that we
should not proceed, questioning its value (is it just media hype?) and our competence to
do an acceptable job on it. Bob Blakley (champion of the project) explained that the issue
we will address is not duped users; rather it is to reduce enterprise exposure to the risk
of theft of the private identity data they hold. It was agreed we need to carefully define
our audience and our objectives. However, before we even get to that stage we need to do
the analysis work (phase 1 in the project's Terms of Reference - see the members-only web
area, Projects & Plans). The vast majority of those present supported proceeding with
phase 1. Mike Jerbic reminded members that we need to ask two essential questions when
embarking on every project:
- Who is willing to contribute work on it?
- Does it add sufficient value to justify doing the work?
Responses were affirmative to both questions. It was agreed we will work to complete
phase 1 (information gathering) by the time we go into the next meeting (San Diego, 2-6
February 2004). Its purpose is to identify a set of documented cases of identity theft
and investigate these cases in detail, the objective being to identify how an identity is
stolen, how a stolen identity is used, how identity theft is detected, and how the victim
of identity theft demonstrates that identity theft has occurred. In the next meeting
we will evaluate progress and have a checkpoint then on how to continue. We will also
inform the IdM joint project members about this Security Forum project.
Security Architectures
Eliot Solomon noted that in the Boston (July 2003) meeting we identified six
architecture models to be used to describe architectural views, one view being security,
and we also used a questionnaire to start drawing out the security view for one of those
six models. In the same meeting, Steve Whitlock made a start on leading the Trust Models
project - aimed at producing a technical guide for IT architects and system designers. He
proposed we work on this in this security architectures session. This was agreed.
We projected Steve's latest draft (25th Sept) and worked through his template and his
PKI example of a filled-out template, bearing in mind Steve's caveat that this represents
his first draft and not an item of work he considers is complete. Ian recorded the
extensive feedback, and will pass this to Steve (who was absent during this agenda item)
for his consideration and feedback.
An additional action is for other members to volunteer to create more trust model
examples.
Presentation on Business Requirements for PKI Certificates
Rich Lee, who met with some Security Forum members over a lunch in the Boston meeting,
gave a presentation (copy of slides is yet to be provided) on the technical requirements
on business that PKI certificates represent. He began with a brief history of the origins
of the Black Forest Group, and described it now as a trade organization that keeps itself
exclusive to invited CxOs. Their interests are to leverage experience shared between
members at CxO level. Their focus is still on emerging IT, but with a firm bias towards
business issues, so they have a different perspective now compared to when they
originated.
Rich Lee then presented the BFG's business requirements for PKI. Having recognized
their business needs, including for pervasive secure interoperability, for a common
cohesive PKI framework, they decided that security should enable management of liability.
Representations of interoperability can be made and accepted. The three key requirements
they concluded come out of this were liability allocation, distributed validation, and
end-user accountability. This led to a business assessment that current PKI products fall
short of requirements in four areas - distorted intermediary liability, processing of
certificate policies, complex and costly management, and vulnerability of underlying
platforms.
They therefore set out to address these shortcomings. Their solutions include a
composite certificate quality attribute. They also wanted a flexible hierarchy structure,
reflecting the distributed nature of the process, and to accept the minimum. This permits
the customer to choose chain components, which in turn gave rise to the Black Forest
Group's PKI framework. Rich went on to talk about their future PKI direction for
certificate validation (the validation process, endpoint security interests) and the
business applicability of PKI technologies (architectural longevity, etc.).
Rich's conclusions were that there is significant IT consumer support for individual
accountability (the trusted workstation) and also industry support for distributed
validation. In discussion on trusted workstations, Eliot observed that trustworthiness of
the application has use in the financial industry's controlled distribution of protected
market data, and has DRM-type affinity with the recording industry. Also we should think
about scalability in a counting-down credential - is it the responsibility of the business
not the certificate to decide? Rich said he has a relevant paper on this, titled
"Insurable e-Commerce Framework", which he will share with the Security Forum.
Further discussion involved thinking on proof of concept, root CAs, injection of code, and
Microsoft use of timestamp and hash. Rich said that he would refer these more technical
questions to Roger Schell (roger.schell@aesec.com),
and it was agreed that Ian and Rich will explore the opportunity to invite Roger Schell to
our next Security Forum meeting to explore these questions.
Project ALPINE Status Report
Ian gave a status report presentation on the ALPINE
project, then displayed a tour round the ALPINE web pages to show how to access the five
documents being created under this European Commission project.
Future Plans
In this session, the Security Forum reviewed all its current projects to validate in each
instance their continuation and to update their resources, deliverables, and timescales.
EVM project - this will continue, including the work with the ASC RPI, NIST, and the EOIF,
as agreed in the Security Forum meeting report for Tuesday.
IdM joint project - this will continue, with contributions to complete the Identity
Management White Paper.
Manager's Guide to Identity & Authentication will continue.
The Identity Theft phase 1 activity will be done by the next meeting, and we will use
the next meeting as a checkpoint for continuation.
The Technical Guide to Trust Models will continue as planned.
The Security Architectures project will continue.
The Security Forum members will participate in the Company Review of the Secure Mobile
Architecture document.
The Security Forum will continue to monitor and provide feedback on the Messaging
Forum's secure messaging project.
The Security Forum's agenda for the next meeting (San Diego, 2-6 Feb 2004) is very
likely to include:
- EVMi (1 day)
- Project reviews
- Identity and Authentication
- Identity Theft Phase 1
- PKI Trust Models
- Security Architectures
- Progress Identity Management
- Progress Secure Messaging