iTC Meeting Minutes 2022 03 08 - biometricITC/cPP-biometrics GitHub Wiki

Agenda

Attendees

  • Brian Wood

  • Naruki Kai

  • Jon Rolf

  • Greg Ott

  • Greg Fiumara

  • Craig Pezold (to discuss MDF changes)

Record of Decisions

  • None

Action Items

  • Review PR #15 and update the suggested text

Minutes

The call started with a review of the task list. Brian stated that he had added an item for the MDF discussion and would check off some of the other items targeting the CMFA overview; otherwise there was nothing new on the task list.

Brian introduced Craig Pezold from the NSA to discuss the MDF integration. The main point of this discussion was to review the old Issue concerning FIA_HYB_EXT.1, which had been removed from the PP-Module, and whether it should be added back in. Craig provided an overview of how he expected to update the PP_MDF: the update would remove any mention of specific modalities from the FIA_UAU.5.1 SFR, and the hybrid option would instead point to FIA_HYB_EXT.1 in the PP-Module to show which modalities were available for use.

The discussion focused on whether the FIA_HYB_EXT.1 requirement should be added back in and, if so, how. Craig pointed out that he considered the biometric and hybrid options to be somewhat redundant, as he expects that any authentication method used on the device that involves a biometric, whether alone or in combination with another factor, would have to meet the PP-Module requirements. This led to a discussion about whether FIA_HYB_EXT.1 actually had any real value in either document.

The conclusion, after much discussion, was that this requirement could be left out of both the PP-Module and the PP_MDF, as there was no specific need for it. Since any biometric component of a hybrid authentication method must also be validated independently against the PP-Module requirements, there is no need for a separate requirement that specifies which modalities can be used in the hybrid. Brian raised the point that a vendor could have multiple modalities with only some of them tied to the hybrid method, but as long as all of them are certified to the PP-Module requirements, this does not matter. Everyone on the call agreed that this would be acceptable, so the SFR would not be added to the PP-Module (and the reference in the PP_MDF draft would be removed as well). Brian then closed the Issue with a comment summarizing the discussion on the call.

The call then moved on to discuss PR #15, the proposed text for the verification process. The main question raised about the changes was what happens if the trust score drops below the approved level, and whether it can rise back above the approved level without direct user input. This has been captured in the CMFA Points Issue for tracking. It was felt that this part of the description needed some editing for clarity, but that otherwise the proposed change looked good.

The call ended at 10:56am EST.
