(Slide 10)
Jeff: SC7 no longer exists. SC8 and SC9 are the new groups. X9 hasn't really restructured yet accordingly.
Mark: It's evolving
... SC9 does now own the WG10 product
... what I'm trying to do in X9 (still draft) ... we see no
need for X9 to reorganize to match the ISO reorg.
... Part I of 12812 is likely to become a standard; mostly
about terminology
Jeff: ISO 12812 parts 2-5 ended
up being technical specifications. The majority of the security
requirements are in Part 2
... we were not happy with the direction, so we decided in F4
that we would do a wireless Part 3
... we published our own, which does not align fully with ISO
12812 Part 2
Mark: Two new work items are being handled separately
Jeff: So we'll have 134 Parts I
and II in ISO
... my understanding is that we want to reconcile our Wireless
Part 3 and ISO's 134 Part II; there's only a few
differences
[Discussion about reviewing viewpoints]
(Slide 11)
[Discussion of ISO 9564...PIN management and security]
scribe: we wrote a biometric info
management security standard
... we have just republished it for the 4th time
IJ: what is relationship of biometric spec to FIDO?
Jeff: 84 is independent of
biometric. The spec defines a flow.
... X9.84 has not been widely adopted; FIDO is not compatible
with it.
... a challenge with FIDO is identity proofing at
enrollment
... there's a sample, template storage, and template... all
that could happen in one place or happen in 3 places
Jeff: Idea was to bring forward what we knew about auth
Jeff: New work; auth on the
(untrusted) Internet; this is probably where FIDO fits the
best
... 122 refers to other standards
IJ: What is the X9 work on identity proofing?
Jeff: We just had a 117 meeting
on this topic; we've skirted this issue because banks have
their own KYC processes; it's such an entrenched area based on
risk assessment, we have not seen it as a standardization
opportunity
... what we did in 117 is we said "We have to have KYC as the
first step." We refer to a NIST special publication on this
topic.
... I think we require the highest security level where you
have in-person meetings and signed credentials.
... we view that as the initial step outside of 117.
IJ: Say more about the FIDO question
Jeff: There are standards for how
to do auth with asymmetric encryption from a crypto
perspective
... we have a standard on how to manage biometric
information
... when you enroll a biometric multiple samples are
taken
... the information is adjusted to create a template (which is
used later for matching)
... the template is just some binary data sitting in storage
... you hope nobody can get at it and manipulate it.
... in FIDO, there is a correlation between unlocking the
stored private key, then doing a digital signature
... the relying party gets the digital signature. That's
one-factor auth.
... it's an indicator that the biometric auth happened, but
there's no real proof.
IJ: Freshness is part of FIDO
Jeff: But there's no proof. If
the matching result were incorporated into the next step... that
would be a different thing
... so I don't think this is real 2-factor. If I am the relying
party and all I get is a signature and I trust the biometric
happened, that is 1-factor authentication.
... I think there are techniques, but those are not in the FIDO
protocol.
(Slide 12)
X9.137 (token management and security)...work in progress
scribe: some engagement with card
brands on 119.2 and they are aware of 137
... we had participation from 3 big token providers
X9.141 data protection and breach notification
Jeff: A letter was sent to
congress saying there needed to be a breach notification
standardization.
... a work item was assigned to my group to work on
x9.141
... Part I is for data protection
... we will look at NIST framework and reference X9 standards
and not reinvent the wheel
... Part II is for breach notification... lawyers are sifting
through state laws
[Slide on X9 policy and practices]
<scribe> [Ongoing liaison]
X9A: Has a formal liaison with
ISO blockchain group
... we do have liaison relations with ITU (more informal)
... so we have a spectrum of liaisons.