Difference between revisions of "KBAPM Meeting Notes"
Revision as of 16:54, 12 December 2014
Meeting Notes
IDESG KBAPM Meeting Notes 20141201
IDESG/OWASP KBA Call
December 1, 2014

Attending:
Bev Corwin
Ann Racuya-Robbins
Laureano Batista
Luis Enriquez
Noreen Whysel
Donald Gooden
Note Taker: Noreen Whysel
Bev: to write up approach to conflict situations. "No man in the middle" approach: connects people in situation without formal mediation. Let them talk it out as much as possible, give them responsibility for disclosure of intellectual property.
Agreed that: We will not sign onto non-disclosure agreements with vendors to understand their KBA processes.
Ann: Added an outline to the OWASP KBAPM project page. Advantage to following open OWASP protocols including using versioning and having commit privileges, etc.
Energetics.com: Develops codes and standards. Review Metrics and Evaluation and see what we can use of their thought processes/outlines for creating standards.
Luis: confirmed we have a GitHub at OWASP. Ann suggests also looking at OpenHub. Bev suggests advantage of GitHub is people will likely find us.
Ann will send out link to website whenever there is a significant change to the structure.
Penetration testing. Is it ethical? Luis: if you have permission, it should be OK. Bev: need to be sure it is legal; may require an agreement/formal permission to test KBA. Use OWASP methodologies, procedures and testing tools. Luis: Intellectual property rights are an issue. May not be able to publish results.
Task: develop tasks for seeking an agreement with vendors. Is there a boilerplate? Needs to allow us to access information and publish results?
Luis: IDology: Enhanced KBA. Uses information already collected on customers to authenticate identity. Provide documentation, video, image.
Bev: Virtual Self: create a virtual avatar that is different from your actual self. Now we have real name policies and can't do it as much.
Laureano: Google: uses google ecosystem, need to sign out while you are on the same browser or associate the accounts, which means they know it is you.
Bev: Can also be an issue when you are doing business in more than one state. Google doesn't have access to subnets.
Laureano: B2C paradigm: Authenticate users, i.e., what are the mechanics/structure of authentication from the business' perspective? Given ethical/legal restraints, we will not be able to access their metrics. We can only ask. Need two different identifications: authentication of the identity who owns the account and identity verification of the user. Are they asking ethical questions about what they are doing with identity information? What is robust, what isn't? How much burden are we placing on the user? Does that affect sales? Risk/reward on the cost-of-business metric drives KBA forward. More important in health and finance than in social media?
Bev: need to examine public versus private personas. And how to protect privacy when it is stripped by ToC. Personal vs corporate vs government.
Don: Looking for performance metrics. Questions/responses/uses.
Noreen: We are creating standards, not setting policy or taking a political stance, but understanding the environment and legal constraints. Standard should have some flexibility to address changes in the environment but I don't think we can set policy.
Ann: What body of law governs KBA in EU?
Luis: IFROS European Court of Justice Privacy, Asia. Main problem with dynamic KBA is some EU jurisdictions don't allow it. EC Secondary Source Law. Rule may not always be the same depending on local government.
Laureano: Forward facing nature. Bev: Look at what the gaps are, future direction/momentum.
Don: Brian Lawler, authored, National Standards: Models of Knowledge based Authentication (KBA Symposium) http://csrc.nist.gov/archive/kba/agenda.html
Task: Need a clear set of questions for ID.
Update on IDESG: Concern about subject matter expertise and having enough people. Need to bring in someone from NIST, like Jim; need a big name. Timeline: 2 year commitment. Bev: caution that there could be discriminatory policies or exclusion. We want to avoid this. Noreen: IDESG's timeline and the standards deliverable need to be open to the changing KBA landscape. A lot will change in two years.
Adjourned 12:32 ET.