iTC Meeting Minutes 2023 03 07 - biometricITC/cPP-biometrics GitHub Wiki
Call started at 10:03am EST
- Brian will email the NIST SP 800-63-4 comment form
- Brian will reach out to the FIDO Alliance Biometrics WG to ask for a presentation
The call started with a review of the task list. There were no updates at this time, though Brian marked off the NIST review as the comments would be sent at the end of the call.
The call then moved to a review of the NIST SP 800-63-4 comments. One final comment had been added, which Brian entered into the spreadsheet during the call. The group then agreed the comments were ready to send, so Brian will send them after the meeting.
Next was a review of the current thinking regarding PADv2. A summary of this is:
- The Attack Potential calculation will be at least Enhanced-Basic, maybe a Low Medium, depending on the research and work
- Using PADv2 would still require at least a representative set of PADv1 testing for the applicable modality to pass
- PADv2 would focus on fingerprint first, then face. Anything else (at this time) is based on request
The group then started to look at the FIDO spec. Brian pointed out that the latest version of the spec has an interesting set of FAR/FRR tests: there is a self-attest option with a "sanity" test, as well as a full test by the lab. There are 2 levels that match (with higher confidence on the lab testing), but they differ in the number of subjects and the documents required from the vendor.
The topic then moved on to the PAD section and a discussion about how the FIDO PAD requirements are laid out. FIDO provides 3 levels of PAD species for each modality, and these are roughly set by expectations of Attack Potential, but they do not quite match what the BIO-iTC has done for PADv1. Brian pointed out that for fingerprint there is definite overlap between the A/B levels and PADv1, but for face it spans A/B/C for some (but not all) species, and eye also has a mix of A/B/C. Without knowing more about the individual details of the calculations, it is difficult to know exactly why these are different, but there was also a wider range of participants in the FIDO group, which probably led to the differences.
Brian said that as we work on PADv2 there may be benefits to re-evaluating the existing scores to see if some of the current species should be moved to a v2 level (without change). This may be the case for face or eye, but it isn't clear, since the attacks that were used were readily found online, though the equipment may have some differences (third party vs. purchased could have some implications in terms of the scores).
Brian said he would reach out to FIDO and see if he can schedule with them to present their work to us so we could discuss the differences. Naruki asked what the goal of this is. Brian stated that to him, the goal would be to try to generally align the two sets of requirements such that they would be accepted by the other party (with minimal additional work if any). If this can be accomplished, then vendors would be able to perform one evaluation and know it would be valid for multiple purposes. This does not mean they have to be perfectly aligned, but close enough to be considered acceptable.
Naruki pointed out that this would mean FIDO would need to accept the BIO-iTC as well (assuming we accepted the FIDO work). Brian stated that FIDO has worked on this type of mapping for other certifications in the past (such as accepting FIPS for the authentication tokens), and we could work with them to accomplish that. This may require some sort of liaison agreement, but that could be worked out.
Naruki then asked when we would talk to BSI. Brian stated that the review of the BSI PP would be next and that we could reach out to them to discuss it once we were done with the FIDO review. At that point we would want to try and lay out some overall goals of what we want to try to update.
Brian also pointed out that one possible benefit to having PADv2 is that it could provide a way to update the PPM and mandate PADv1 for all devices while leaving the more challenging PADv2 as optional. This would be at least a v1.2, maybe a v2 change, but could be determined as the PADv2 takes shape.
The call ended at 10:52am EST.