iTC Meeting Minutes 2023 02 09 - biometricITC/cPP-biometrics GitHub Wiki

Agenda

Attendees

  • Brian Wood

  • Ahmad Dahari Jarno

  • Jim Arnold

  • Quang Huy Nguyen

  • Clare Parron

  • Naruki Kai

  • Greg Fiumara

  • Robert Chapman

  • Greg Ott

Record of Decisions

  • None

Action Items

  • Brian will create an overview document with a framework outline for PADv2

  • Everyone needs to comment on the NIST 800-63 draft issues before the next call

Minutes

The call started with a review of the task list. Brian updated the reference to the latest version of the FIDO biometrics spec in the Task List.

The next topic was the discussion of the expectations for PADv2. Huy asked how this was supposed to relate to other standards (like the FIDO spec). Brian stated that the overall goal was to get closer to a unified set of requirements so there could be some amount of cross-acceptance of evaluations between different standards (maybe with a re-presentation of the evidence, but limited duplicate testing).

Brian then asked what modalities should be included (at least at the beginning) for PADv2. The overall agreement was face and fingerprint, and others could come later (eye was the likely next candidate). Brian pointed out that the FIDO spec divides its species levels (Levels A, B and C) differently than we do. The main difference was that for face we included 3D species (like printed faces), while those are covered in Level C, which is not currently tested in the FIDO spec.

There was a discussion on the differences between FIDO and the PPM and what that would mean for recognition. Brian stated that most of the differences were in the surrounding device. The FIDO one is limited to the authenticator while the PPM is the whole device, and so there were some different expectations about the environment. These would be minor overall, but likely require some level of additional review depending on the direction of first to second evaluation. The goal would be that the amount of extra work would be minimized. FIDO has a process for handling this, but it isn’t clear how it could be handled under CC. Brian stated that maybe some level of justification could be made for a match between specs to allow it, but this would still be scheme dependent (since composed TOEs are still not really a thing).

Brian then asked about the attack potential. Since the current targets are all at Basic, would we want to look at Enhanced-Basic or Medium, or something in between? FIDO defines some of this in their Level calculations, which could be used as input. Huy stated that we don’t really know yet until we think about the attacks. Brian agreed, but stated he thought that a slightly expanded Enhanced-Basic may be the sweet spot, something along the lines of 15 total points as the max. This would require some justification to be written, but that should not be a blocker.

Brian then asked about who could help with creating PADv2 test cases. Greg F and Greg O suggested reaching out to various universities (there is a group many participate in related to this type of research) and asking them to contribute. A leading person to talk to is the person in charge of the FIDO spec as she is also a director in this group. It was agreed that when we got a little further along we would talk to them to see if they would work with the iTC.

The next question was then how to integrate PADv2 into the PPM. Brian thought the best way would be to add a selection to the FIA_MBE_EXT.3/FIA_MBV_EXT.3 requirements that would have the user choose the PAD level for the specific modality in question. So if a PADv2 is available it could be chosen, but it would not be required (though if PAD was selected, at least PADv1 would be required). This led to a question about what would be required in terms of testing if PADv2 is selected. The question was whether PADv2 would also require all PADv1 tests or only a subset of them (or maybe a smaller number of species but all tests). There was agreement, though, that at least some amount of PADv1 would be mandatory even for PADv2 claims, though the thought was to try to make it a smaller set to keep better control over the costs/timelines for the evaluation.

Brian then said he would work on an outline of the framework and direction for the next PADv2 call, and the next calls would start to look at FIDO and BSI docs.

One point that was raised was about the biometric testing requirements and whether the labs can support the testing here. Brian stated that at this point for PADv1 the requirements are probably OK for the CC labs, though this may change with the PADv2 requirements (this still isn’t clear). He pointed out that the current expectations are that we rely on outside proof for the FAR/FRR claims and do sanity checks on the numbers, then do the PAD (when claimed). This isn’t expected to change so there wouldn’t be a large requirement for the CC labs to get 50-100 people to come in for biometrics testing. This should help scope the testing requirements. There was also a note about NIST PIV testing requirements, and it wasn’t clear what these are. Greg F pointed out that he is an author on that document and is referring to the iTC toolbox as the basis for the PIV testing.

The next call will focus on the NIST 800-63 draft comments. Brian would like to try to close these out on the next call, though with the deadline being March 24 there is enough time to take the next 2 calls before needing to be done. Everyone is to look at the issues and add comments before the next call.

The call ended at 10:54am EST.
