To OASIS Members:

A draft TC charter has been submitted to establish the OASIS Electronic Identity Credential Trust Elevation Methods ("Trust Elevation") Technical Committee (below). In accordance with the OASIS TC Process Policy section 2.2 (http://www.oasis-open.org/committees/process-2009-07-30.php#formation), the proposed charter is hereby submitted for comment. The comment period shall remain open until 11:45 pm ET on 20 July 2011.

OASIS maintains a mailing list for the purpose of submitting comments on proposed charters. Any OASIS member may post to this list by sending email to: oasis-charter-discuss@lists.oasis-open.org. All messages will be publicly archived at: http://lists.oasis-open.org/archives/oasis-charter-discuss/ . Members who wish to receive emails must join the group by selecting "join group" on the group home page: http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/ . Employees of organizational members do not require primary representative approval to subscribe to the oasis-charter-discuss e-mail list.

A telephone conference will be held among the Convener, the OASIS TC Administrator, and those proposers who wish to attend within four days of the close of the comment period. The announcement and call-in information will be noted on the OASIS Charter Discuss Group Calendar.

We encourage member comment and ask that you note the name of the proposed TC ("Trust Elevation") in the subject line of your email message.

Best regards,

/chet

----------------
Chet Ensign
Director of Standards Development and TC Administration
OASIS: Advancing open standards for the information society
http://www.oasis-open.org
Primary: +1 973-378-3472
Mobile: +1 201-341-1393

---

Name of the TC: OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

Statement of Purpose:

The Trust Elevation Technical Committee will identify methods currently used by online relying parties and service providers to authenticate electronic identities, together with similar methods in development or identified in theoretical models. By comparing and factoring those methods, the TC will propose and describe a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication, at generally recognized levels of assurance representing increasing degrees of authentication certainty.

The Trust Elevation TC will base its initial analyses of the identified trust elevation methods on the four levels of assurance described by the U.S. in OMB [1] and NIST [2] publications, and work towards a general model that includes other comparable formal standardized authentication levels of assurance, such as those published by ISO and ITU. The more widely recognized and adopted these standardized protocols are, the more useful they will be to governments, businesses and individuals engaged in eGovernment and eCommerce.

The Trust Elevation TC is intended to respond to the suggestions of several governments, including the US government's NSTIC strategy document [3], that national and global identity infrastructures can be developed and supported by private sector cooperation among providers, users and subjects of trusted identity systems. The EIC-TEM documentation from this TC should promote interoperability among multiple identity providers, and among multiple identity federations and frameworks, by facilitating clear communication about common and comparable operations to present, evaluate and apply identity [data/assertions] to sets of declared authorization levels.
[1] Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 2003.
[2] NIST Special Publication (SP) 800-63, Rev. 1, Electronic Authentication Guidelines, Dec. 2008.
[3] Office of the President, National Strategy for Trusted Identities in Cyberspace (NSTIC), April 2011: http://www.nist.gov/nstic/

Scope:

The initial conceptual scenario for this TC's focus is as follows: An online service provider that has determined its electronic authentication requirement at NIST Level 3 receives an electronic identity credential from an end-user that is recognized as a Level 1 credential. By applying one or more recognized methods for assessing the identity of the end-user, the service provider is able to assure itself that the presented credential actually represents the asserted identity at higher level(s) of assurance comparable to NIST Level 2 and 3.

Work within the TC's scope includes descriptions of the process steps and component services necessary to confirm a conclusion of trust elevation between each pair of levels. Those descriptions and analyses may include catalogs of data services (or types of service), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns. The TC may include functional data security/integrity requirements in its process descriptions; e.g., certain trust elevation methods may only be recommended if conducted within certain minimum levels of data integrity protection. Where possible, the TC generally will rely on existing widely used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its trust elevation processes to a variety of regulatory frameworks.

The following work will be out of scope for the TC:

- Mandates of specific message formats or schema. The TC will provide process and data requirements that can be equally applied regardless of transport method or data schema encoding. No one data format or schema will be mandated. The TC may provide detailed instances of assurance and elevation message exchanges, as examples, but its output should be generally applicable regardless of schema encoding.
List of deliverables:

The Trust Elevation TC will create the following deliverables:

1. The initial deliverable is a comprehensive list of methods currently used to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed six months after the first meeting.

2. The second deliverable is an analysis of the identified methods to determine each one's ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed [nine] months after the first meeting.

3. The final deliverable will be an "Electronic Identity Credential Trust Elevation Methods Protocol" specification that recommends particular methods as satisfying defined levels of assurance for elevating trust in an electronic identity credential, to assure the submitter's identity sufficiently to support elevation between each pair of assurance levels to transact business where material amounts of economic value or personally identifiable data are involved. Alternative and optional methods may be included. The description of each recommended method shall include functional definitions of the types of identity and assertion data employed by each method, and may include specification of the data services required in each elevation, substantive data exchange patterns or models, message exchange patterns or models, and such other elements as the TC deems useful. The first Public Review Draft will be completed [fifteen] months after the first meeting.

The TC may re-factor the deliverables above as it sees fit into fewer, more, or differently combined documents. In any case, the deliverables shall:

- Be vendor-neutral and product-agnostic. (The TC may also elect to provide proof-of-concept instances, but will strive to facilitate ease of implementation regardless of data schema choices.)
- To the extent feasible, re-use rather than re-invent suitable existing definitions of policy concepts such as identity tokens and personally identifiable data.
- To the extent feasible, be consistent with generally accepted definitions of service-oriented architectural principles.
- Describe with specificity their application to established US NIST levels of assurance.
- Include a catalog or list of common types of services and functions.
- Include a set of definitions or sources of definitions for common functional types of data elements.

IPR Mode under which the TC will operate:

The Trust Elevation TC will operate under the RF on Limited Terms mode of the OASIS IPR Policy.

Anticipated audience or users:

The Trust Elevation TC is intended for the following audiences: Architects, designers and implementers of providers and consumers of enterprise identity management services.

Language:

Work group business and proceedings will be conducted in English.

Non-normative Information Regarding the Startup of the TC

Similar or applicable work:

The proposers are unaware of any currently published work that covers the scope described here. Some elements of the project may be informed by or related to the following:

- ISO/IEC JTC 1/SC 27/WG 3, Evaluation criteria for IT security -- Part 3: Security assurance components (ISO/IEC 15408-3:2008).
- ENISA, Mapping ENISA Authentication Levels (Nov. 2008).
- NIST Special Publication (SP) 800-63, Rev. 1, Electronic Authentication Guidelines, Dec. 2008.
- Oxford Internet Institute, M. Rundle, ed., Towards a Policy and Legal Framework for Identity Management: A Workshop Report, Oct. 2009.
- IDABC, Study on eID Interoperability for PEGS (Dec. 2009).
- Kantara Initiative, Identity Assurance Framework: Glossary, Levels of Assurance & Service Assessment Criteria, Feb. 2010.
- Open Identity Exchange, The Open Identity Trust Framework (OITF) Model, Mar. 2010.
- ITU-T Study Group 17, Draft Rec. ITU-T X.cybex: Cybersecurity information exchange framework (Dec. 2010).

Date & time of first meeting:

The first meeting will be held Monday, September 5, 2011, at 11:00 US Eastern time, by teleconference. The National Institute of Standards and Technology (NIST), the Open Identity Exchange and the eCitizen Foundation will co-sponsor the first meeting.

Ongoing meeting schedule:

To be decided by the committee. Bi-weekly teleconferences and the occasional (semi-annual) face-to-face work session may be appropriate. Meeting leadership will be shared among the three co-sponsors mentioned above on a rotating basis until the TC membership decides on another approach.

Participants:

The names, electronic mail addresses, and membership affiliations of at least Minimum Membership who support this proposal:

- Peter Alterman; NIST, peter.alterman@nih.gov
- Don Thibeau; OIX, don@openidentityexchange.org
- Abbie Barbir; Bank of America, abbie.barbir@bankofamerica.com
- Dazza Greenwood; eCitizen, civicsdotcom-econtracts@yahoo.com
- Anil Saldhana; RedHat, Anil.Saldhana@redhat.com
- Brendan Peter; CA Technologies, Brendan.Peter@ca.com
- Mary Ruddy; Identity Commons, mary@meristic.com
- John "Mike" Davis; Veterans Health Administration, Mike.Davis@va.gov
- Tony Rutkowski; Yaana Technology, tony@yaanatech.com
- Debbie Bucci; National Institutes of Health, Bucci@exchange.nih.gov

Primary Representative Statements of Support:

- Paul Lipton, paul.lipton@ca.com, primary representative of CA Technologies - I approve the Trust Elevation TC charter.
- Mark Little, mlittle@redhat.com, primary representative of RedHat - I approve the Trust Elevation TC charter.
- Abbie Barbir, abbie.barbir@bankofamerica.com, primary representative of Bank of America - I approve the Trust Elevation TC charter.
- Peter Alterman, peter.alterman@nih.gov, primary representative of the National Institute for Standards and Technology - I approve the Trust Elevation TC charter.
- Don Thibeau, don@openidentityexchange.org, primary representative of the Open Identity Exchange - I approve the Trust Elevation TC charter.
- John "Mike" Davis, Mike.Davis@va.gov, primary representative of the Veterans Health Administration - I approve the Trust Elevation TC charter.
- Dazza Greenwood, civicsdotcom-econtracts@yahoo.com, primary representative of the eCitizen Foundation - I approve the Trust Elevation TC charter.
- Debbie Bucci, bucci@exchange.nih.gov, primary representative of the National Institutes of Health - I approve the Trust Elevation TC charter.
- Mary Ruddy, mary@meristic.com, primary representative of the Identity Commons - I approve the Trust Elevation TC charter.
- Tony Rutkowski, tony@yaanatech.com, primary representative of Yaana Technology - I approve the Trust Elevation TC charter.

Convener:

The convener will be Peter Alterman, National Institute of Standards and Technology.

Member Section: OASIS ID-Trust Member Section