iTC Meeting Minutes 2021 02 11 - biometricITC/cPP-biometrics GitHub Wiki

Agenda:

https://github.com/biometricITC/cPP-biometrics/wiki/iTC-Meeting-Agenda-2021-02-11

Call started at 10:00 am EST

Attendees

  • Brian Wood
  • Greg Ott
  • Naruki Kai
  • Clare Olin
  • Jon Rolf
  • Fiona Pattinson

Record of Decisions

  • None at this time

Action Items

Minutes

Before the call started, Brian asked if there was any objection to looking for a new date for the call. One person had expressed interest due to a conflict that came up in his schedule. There was no clear better date, so Brian said he would send out a Doodle survey for everyone to vote on a new date. The time would be kept the same.

The Task List was reviewed quickly. There were no updates.

Brian noted that the comment period had closed on Friday and that several comments did come in. Cybersecurity Malaysia sent a comment spreadsheet to Brian which he transferred to GitHub (with PRs and Issues). The spreadsheet with links to GitHub was uploaded to the CCUF OnlyOffice site.

The call then focused on the fingerprint toolbox pull requests and issues.

The first review was a quick look through the pull requests that had been merged before the call. These were largely editorial updates and there were no questions on the review.

The Cybersecurity Malaysia items were reviewed. With the exception of CSM 12, all the pull requests (and issues) were merged and closed. This particular issue, about moldable plastics as a new mold material, was discussed and more information was requested from Cybersecurity Malaysia. Based on their feedback, this pull request will be updated and the new material integrated into the toolbox. Based on the timeline they provide about being able to supply the needed information, the iTC will determine when this will be integrated. All the other pull requests had been approved prior to the call except CSM 2/3, which had two proposed edits to choose from (the choice had been left to the call to decide as a group). Once the group agreed, the change was accepted and merged.

The call then reviewed the Inventory update, which brings the coverage of cast and mold steps into the inventory document, to then be referenced from the attack files. The one concern raised was whether the same steps were always used. Brian pointed out that he took the instructions straight from an attack file, so they should all be the same, but would verify this while making other edits to the attack files.

The next topic was the decision on how to merge the attacks to reduce duplication. Brian proposed two pull requests based on different methods for combining the attacks. One only merged the 2D prints and left 3D separate, while the other merged all based on the cast material. There was some discussion about whether this was good or what the best way to approach the combination is. One potential different method was to focus on the molds instead of the cast, so an attack file would be based on the mold type instead. Brian pointed out that it seems like the cast type was more in common with the other toolboxes, but he was open to other methods. He also pointed out that they could consider creating a "prep" document that talked about creating all the molds first, and then just used them in the test. The group was not sure about this, and it was felt the current proposal should work. Brian will merge the rest of the attacks together and add them to the combined attacks PR for review.

The final topic was about when a mold release agent should be used. Brian had created a pull request that added a note that practice and testing would be needed to ensure the creation of high quality molds, so it was clear that this would be needed. This was approved and merged.

The last topic of the call was about timelines. Given that the update period after the public review is 60 days and after a week almost every open issue/pull request has been closed, should the timelines be moved up to publish earlier? The question was about the inclusion of the moldable plastics. Brian was concerned that adding this in and going to proposed draft without a full review period on that new material was potentially a problem. Yet he also did not want to delay the publication of the toolbox. It was agreed that Brian would reach back out to Cybersecurity Malaysia to see if they had a better idea as to the timeline for providing the rest of the needed information for the toolbox, and based on that the iTC could decide how to proceed. Brian thought that if they were quick (providing the information in February), then it could probably be included in the current cycle with one more public release and a short update period, but if it was going to be longer (March or later), then it should be handled in parallel to the publication and be added as quickly as possible after the initial publication (and before any evaluations could occur). This would be discussed more once the potential timeline from Cybersecurity Malaysia is known.

A Doodle link will be sent out to determine if there is a better time for the call. Depending on the response from the survey, the call time may change for the next call.

The call ended at 11:00am EST.

EDIT: The next call will be on February 23, 2021 at 10am EST. This will be the new call schedule (every 2 weeks from this date).