TFS Monthly Sync – Draft Meeting Notes
Wednesday, December 14, 2016
Peter Alterman, SAFE BioPharma
Andrew Hughes, KI LC Chair
Colin Wallis, KI
Scott Shorter, KUMA
Ken Crowl, Experian
Adam Madlin, Symantec
LaChelle LeVan, FICAM
Nandini Diamond, FICAM
Stuart Levy, TransUnion
Ruth Puente, KI
SAFE BioPharma Update
- They are in the process of updating their policy mappings with the Federal PKI and the ETSI Electronic Signature and Infrastructure Working Group policy documents related to the operation of qualified certificates for digital signatures, electronic ID, and other services such as electronic seals and electronic time-stamps.
- They are looking for full alignment on a proof of concept and documenting the Fed PKI cross-certificate approach of the last 15 years alongside the trust list approach. SAFE has a technical solution in this area and plans to have it operational by the end of January. They would like to demonstrate the proof of concept live during the Internationalization Day, March 8th, and present the technical and policy discussion surrounding this topic, to show the government that policy and technology solutions are already in place to enable comparable trust in digital signatures, electronic files, electronic assertions and electronic ID.
- They also have been focused on the development of the Federation Services Requirement document. (The document was sent to the mailing list after the call "SAFE-BioPharma Operating Requirements for Federation Services V 0.3").
- They raised the concern of how to express and represent a trustmark. There is an eIDAS article that addresses issuance of a trustmark; SAFE has language for issuance of a trustmark, as does IDESG, etc. For a full implementation of a federation infrastructure it is important that a trustmark be present from a Federation Operator or a Trust Framework Provider to a CSP, as a means of enabling infrastructure services, since the credential comes from a CSP that has been reviewed and approved by one or more Trust Frameworks. There should be an extended attribute in the credential issuance, in particular in the SAML assertion. The second core extended attribute that should be present is a representation of level of assurance, which lets all parties know how trustworthy the assertion of identity that accompanies the credential is. The trustmark needs to be dynamic and digitally signed, and it must be possible to validate it through a backend process.
- It would be good to ask InCommon about the metadata tag it uses to express level of assurance.
- Service Assessment Criteria project to improve the usability and clarity of the criteria, which includes adding statements of risk mitigation objectives that should help readers and implementers better understand the criteria and, where alternatives exist, help them achieve the objectives.
- Finishing the review of the IDESG mapping to the KI IAF.
- After the New Year they plan to consider the potential impacts of 800-63-3.
- Compiling last comments on NISTIR 8149.
- They are organizing 2 events in March in the GSA facilities:
1) March 7th: ICAM Day - government only.
2) March 8th: Digital Signatures and Internationalization efforts open discussion for all stakeholders (government, industry and frameworks).
- Peter Alterman, SAFE, is helping to define the agenda of the March 8th event, which is focused on ETSI and PKI alignment, digital signatures and e-signatures.
- They plan to send more details in January.
- There will be remote participation.
- The Digital Signatures and Internationalization event is specific to PKI, with 3 sessions focused on policy (2016 EU Regulations, the ETSI Digital Signature working group, and the US efforts), business cases, and technology and architecture.
- Federal information on electronic and digital signatures: https://cio.gov/wp-content/uploads/downloads/2014/03/Use_of_ESignatures_in_Federal_Agency_Transactions_v1-0_20130125.pdf
- They have been working with NIST on 800-63-3.
- They are looking for better communication and a model for services alignment across the PKI and non-PKI frameworks: procedures, policies, auditing and requirements.
- A mapping from the TFPs to the federal government and FICAM requirements is missing. They would like to get a mapping across the TFPs.
- As a friendly request, they asked the TFPs to send the pointers to their assessment criteria and auditing practices to Nandini Diamond at email@example.com
- They estimate that by the end of January the new operating procedures will be released.
- Regarding questions on additional profiles for assertion models, FICAM has no intention to come up with alternate profiles.
- They are evaluating removing FICAM testing, contributing to the process instead, and relying on the providers' tests.
- It was commented that ETSI TS 119612 in 2015 replaced TS 102331.
- Next meeting will be held on January 11th.
- TFPs to send the links to their assessment criteria and auditing practices to Nandini Diamond at firstname.lastname@example.org
- Ask InCommon about the metadata tag for level of assurance.
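Added example (not code from SAFE BioPharma, KI, FICAM or InCommon) illustrating the trustmark design raised in the SAFE BioPharma update: a Trust Framework Provider issues a dynamic, signed trustmark for a reviewed CSP; the CSP carries it, together with a level-of-assurance value, as extended attributes in its SAML assertion; the relying party validates the trustmark against its trust list through a backend check before accepting the assertion. The attribute names (`urn:example:...`), the trust list and the compact `key=value` trustmark format are assumptions, and an HMAC over the token stands in for the TFP's digital signature so that the example runs with the Python standard library only.

```python
"""Relying-party check of a trustmark carried as a SAML attribute.

Added example, not SAFE BioPharma, KI or FICAM code. Assumptions:
- the trustmark is a compact "key=value" token signed by the Trust Framework
  Provider (TFP); an HMAC over the token stands in for the TFP's digital
  signature so the example runs with the standard library only;
- attribute names (urn:example:...) and the trust list are constructed here.
"""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTMARK_ATTR = "urn:example:trustmark"      # hypothetical attribute name
LOA_ATTR = "urn:example:levelOfAssurance"     # hypothetical attribute name

# Constructed trust list: TFP identifier -> verification key the RP trusts.
TRUST_LIST = {
    "tfp:example-framework": b"constructed-tfp-key",
}


def mint_trustmark(tfp, csp, loa, ttl_seconds, key, now=None):
    """TFP side: issue a short-lived trustmark naming the reviewed CSP and its approved LoA."""
    now = int(time.time()) if now is None else now
    body = f"tfp={tfp};csp={csp};loa={loa};exp={now + ttl_seconds}"
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body};sig={sig}"


def verify_trustmark(token, now=None):
    """Backend validation: return the trustmark fields if issuer, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    body, _, sig_part = token.rpartition(";")
    if not sig_part.startswith("sig="):
        return None
    fields = {}
    for kv in body.split(";"):
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    tfp_key = TRUST_LIST.get(fields.get("tfp"))
    if tfp_key is None:
        return None   # TFP not on the RP's trust list
    expected = hmac.new(tfp_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_part[4:]):
        return None   # tampered, or signed with a key the RP does not trust
    try:
        if int(fields.get("exp", "0")) <= now:
            return None   # trustmark has expired: it is dynamic, not permanent
    except ValueError:
        return None
    return fields


def build_assertion(issuer, trustmark, loa):
    """Constructed CSP-side assertion carrying the two extended attributes."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = issuer
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in ((TRUSTMARK_ATTR, trustmark), (LOA_ATTR, str(loa))):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def accept_assertion(xml_text, required_loa, now=None):
    """RP side: accept only if the trustmark validates, is bound to this issuer, and LoA suffices."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    issuer = root.findtext("saml:Issuer", namespaces=ns)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=ns)
             for a in root.findall(".//saml:Attribute", namespaces=ns)}
    mark = verify_trustmark(attrs.get(TRUSTMARK_ATTR) or "", now)
    if mark is None or mark.get("csp") != issuer:
        return False
    try:
        asserted_loa = int(attrs.get(LOA_ATTR) or "0")
        approved_loa = int(mark.get("loa", "0"))
    except ValueError:
        return False
    # The CSP may not assert a higher LoA than the framework approved it for.
    return required_loa <= asserted_loa <= approved_loa
```

The check rejects an assertion whose trustmark is expired, tampered with, issued by a TFP absent from the trust list, bound to a different CSP, or whose asserted level of assurance exceeds what the framework approved, which is the "dynamic, digitally signed, validated through a backend process" property the notes call for.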