iTC Meeting Notes 2019 05 16 - biometricITC/cPP-biometrics GitHub Wiki

Agenda:

https://github.com/biometricITC/cPP-biometrics/wiki/iTC-Meeting-Agenda-2019-05-16

Call started at 10am EDT

Attendees

  • Brian Wood
  • Naruki Kai
  • Nils Tekampe
  • Albert Soler

Record of Decisions

  • TB Issue #9 was reviewed and closed
  • TB PR #6 was reviewed and closed after minor edits based on the call.

Action Items

  • Brian will send out an official call for a vote on publishing the current draft for public review next week

Minutes

The call started with a review of the status on the scheme contact and decision. At this point there have been a few emails but there has not yet been any progress towards a decision on a direction for the iTC. Nils stated that based on his experience working with the schemes (BSI in particular, which is very busy), that it may take several months (possibly even to the ICCC CCDB meeting) before we may have a decision. In the meantime we are all reaching out to try to get motion.

Nils then provided an overview of some changes that were made to the repository. New branches were made for "development" in addition to the "master". The purpose here is to work regularly in the develop branch which also has a lower bar for approvals for merging (1 approval) while the master is currently set to 4 approvals for a merge from develop to master. The intent with 4 approvals is to have a majority vote to approve the change, so this can be adjusted based on the size of the iTC (Brian will work on more formal docs for this, likely with some sort of attendance to measure quorum for determining outcome on some periodic basis).

The next topic was a review of cPP issue #143 about the change to the attacker motivation. This seems to be solved, but the corresponding PR #165 has not been approved yet and so this issue is still open. A point made here by Nils is that he feels that changes that impact testing and the possibility of AVA_VAN are difficult to approve since the underlying AVA_VAN issue is not yet resolved.

The next topic reviewed was the proposal for creating a "camera toolbox" TB issue #3. Nils pointed out that while at a high level there does seem to be commonality between different camera-based attacks, that when you get into actual details (when thinking about reproducibility across evaluations), these common parts become very minor. He also pointed out that we can ask BSI for access to their finger and face toolboxes, but that we will have to be clear that these toolboxes would not be used to support AVA_VAN but only for ATE_IND. It was noted in the Issue to do this after the scheme direction for AVA_VAN has been resolved.

TB Issues #4 and #7 were skipped today for time.

Brian then moved to TB issue #9 to talk about transaction vs attempt matches. This issue was closed as the questions raised were answered and did not lead to expected PRs at this point.

The TB PR #6 was then reviewed. There was a further discussion of the transactions vs attempts, with the decision to leave it as transactions. It was also determined that the ATE_IND was correct. This was corrected after the call and the TODO line was removed and the PR was merged based on approvals.

The cPP PRs in preparation for public review (161, 162, 163, 165, 167) were quickly reviewed but no discussion was done at this point.

cPP PR #164 was then discussed along with the proposal to move to public review. The document was generally reviewed for its content. A few questions were raised about the review process (how common is it to other groups). Brian explained that the DSC iTC is doing spreadsheet comments (because they are in Word) while the FE group for NIAP is doing something similar to this where you can make comments in GitHub but also send in spreadsheets, so what we are doing is not uncommon.

An important point that was brought up was whether we would allow for a second comment period since EU comments may be limited with the AVA_VAN question still open. Brian proposed adding a second review period that could be activated if changes are significant enough to need it (depending on scheme feedback and the types of comments coming in), so we could extend the period as necessary. This was considered acceptable.

The last topic discussed is the proposed vote on the public release. Nils asked how we would determine who would be allowed to vote. Brian's response is that we would send to the iTC mailing list and anyone on the list could vote. The rules for voting don't have minimum numbers, only requirements of 2/3 majority positive with less than 1/4 negative, so this would allow anyone to vote under those conditions.

Brian will collect the votes (shared with Naruki and Nils directly) to tally the results. Brian will send this out next week after sharing the proposed voting email.

The next call will be in 2 weeks, according to the normal schedule.

The call ended at 11:16am EDT.