biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

PADv2 Plan outline #413

Open woodbe opened 1 year ago

woodbe commented 1 year ago

This isn't meant to be the actual document, but to collect notes that can be used for writing the plan/invitation to participate.

woodbe commented 1 year ago

Modalities - fingerprint, face

NOTE: Eye should probably be changed to iris to be clear (in our case) since the requirements are not targeted to retinal or peri-ocular.

Attack Potential - Basic-Enhanced is minimum, further will have to be done as we work

We need to set up a process for regular review of the AP calculations in the PAD to see what may need to be changed.

Intro should also note that this is intended to be able to support various government certification requirements for biometrics

Use of GitHub seems to be OK, as long as there are proper controls on access, though there could be restrictions on what would be able to be published (certain types of tests). NIST has a privately hosted GitLab, which may be something to consider depending on restrictions there.

woodbe commented 1 year ago

Tasks to be performed:

woodbe commented 9 months ago

SME calls every 4 weeks starting on the March 19 call. Alternating calls will be "regular" iTC calls to work on other tasks.

https://github.com/biometricITC/Administration/pull/44 needs to be updated to mention repository access is limited to 2 people from one organization. Participation on calls should be restricted to those members, but may allow others as needed.

Timeline: are the recipes going to be "new" or would they be from their existing toolboxes that would be re-purposed? This would have a big impact on the timeline expectations.

Attack Potential Calculations: our current tables are based on ISO, which is not default CC. We need to agree on what we should use at the start. Feedback on adjustments that are needed can be provided back to ISO.

Proper fingerprint collection: revisit how we should collect the source fingerprints (scanner or pulled by person from print)