
  • Interesting week with FedID Conference, if you're interested in what's happening in the federal space.
  • We have noted that the SAFE BioPharma non-PKI pages have been removed. More news will come in the following weeks, good for Kantara and for the industry.
  • ISO meetings: SC27 WG 5 meetings were scheduled to start on Saturday. Kantara has supplied its liaison statement. We've also supplied comments on ISO 27560, the consent record information structure, which is sort of an extension of Consent Receipt with a much broader pattern. ISO 29150 is under the five-year review; for the last two years they have been struggling, partly due to the fact that it was trying to manage non-person entities as well as human entities in the same way that identity proofing was trying to cover.
  • DIACC is preparing a press release next week about the Pan-Canadian Trust Framework. The minimum viable product is done. They want to recognize Kantara for its efforts and asked us for a quote.
  • New IT staff members.


Meeting about 63C assessment and approval

  • Kantara had a meeting with its assessors, the ARB Chair, NIST and IAWG Leadership to address some identified challenges in the 63C assessments and approval. It was agreed that a federation agreement must exist in order for us to undertake an assessment of 63C. Secondly, an independent assessment of 63C cannot be done; it's designed to be a package to work with 63A and B. The definition of federation agreement could be fairly broadly interpreted to include things like operating rules.


Comments about eIDAS regulation


  • Mark King walked the group through the compiled comments.


Comment 14 on page 5, was that it?

Its scope is only defined as electronic transactions, and they're in the internal market; Article 14 is about international issues. The scope is somewhat wider, and therefore it is slightly odd that it is there and also that it is limited to electronic transactions, where there's really just a pointer saying, can we have the scope clarified?

Again, it's facing that it's just the internationalist part of this that we're suggesting here needs to be looked at.


Comment 15 is about the notification by a member state, and one of the assumptions that some people have made is that that has to be in that state. There is no reason why a member state cannot, for example, offer an American system, a Canadian system or a Chinese system; if it recognizes it, it can put it forward and then the others have to accept it. From an international perspective that is something worth recognizing, and I suggest that a recital is the appropriate point to mention it. There's a danger that they will decide that actually they didn't intend that, but I think at the moment that position is fair to flag up.


Comment 16 is a simple one about the use of the term “mutual”. It is, I think, seeding the misleading, and it is also important to understand that in many contexts one way is all you get and is quite sufficient. So it is simply asking that the thing be slightly reworded in order to take account of that.


Comment 17 refers to seals. Now, this one may be a slightly more interesting one and perhaps ought to be elaborated a little further. It was mentioned that there was a problem with 115 in terms of whether it could or couldn't cope with entities that weren't persons, and one of the things that is clear is that it's only people, humans, who get involved at the moment in the first part of the ideas; but in the second part there is a distinction between a signature done by a human, which is the signature, and a signature done by what used to be called a non-entity, which is defined as a seal. There is also a very subtle distinction in the implications of using one rather than the other, which probably isn't intended. It's just there as an editorial problem, but the result is that you have these two different things which it then says can actually be used interchangeably. So, if they can be used interchangeably then the legal position of them ought to be the same, and therefore this distinction just is not explained. So the request there is to either explain it or remove it.


Comment 19 is about the English version, where the meaning of “required” is not clear: is it that when you are using the online service you need to do that, or does it mean that if the service is only online then it applies, but actually if there's a paper version, well, foreigners can use that?

So it is simply tidying up that thing and suggesting that it is for online services.


The next one is the suspension argument. Anybody who's been in PKI for the last 40 years will know that suspension causes endless trouble, and basically the recommendation here is to kill it unless somebody can actually show how it could work in practice in a legal context. It makes perfectly good sense for access control for buildings and so on, but when it comes to signatures you really get yourself in a complete tangle as to what's happening, whether it's there, and any sense of legal certainty has disappeared. So I've proposed there to suggest that suspension either should be removed entirely, if people have now come to the conclusion that it is not appropriate, or, if they have got it, explain what people are going to do with it and how it's going to work, because most of our experiences on this are really bad.


There is then the specific Kantara one, where I think we probably need a better reference in, but it simply says that consent is not generally the legal basis for public sector data processing, but it does get a mention, and so when it is appropriate then it ought to be using the consent model that Kantara has got.


Comment 22 is a little bit of clarification on the location.


Colin: should we also mention the international standard that's coming out or being worked on with respect to consent? Well, yes, the one that the consent receipt is annexed into; yes, that's ISO 29184 for online privacy notices and consent. It's a new standard; I think it became an IAS in May. Annex B contains a sample receipt out of Kantara's Consent Receipt. I was thinking more along the lines of referencing it as there and then providing a link to our spec, and basically the international.


There is considerable interest at the moment in Europe for automatically charging on your public transport using your insurance; in some cases countries like to have where the contract is done or where a cheque is signed, not just the fact of the date and who did it, as well as obviously knowing location. So it's really just flagging up that there is this new area, and that the assurance associated with that may be something that they should include, recognizing it as a trust service which will be used again across borders if you're driving across a border.


There is then a comment about due diligence, and this is mainly to do with the fact that in many cases it isn't so much liability as diligence which, as a concept, should be accepted in here; but the particular rider, and the aspect of it which again was hidden, I think, in the original legislation, was that the EU has in its wisdom defined these levels of substantial and high, with the result that you can't exceed high and you can't require more than high.

That is quite a significant constraint on the market. Clearly their official remit is limited to where this is state provided. But if you're using the state provided one and there's an upper limit on what it can be, it's completely unreasonable to expect the private sector to do better than that.


Comment 1 is redoing the work on what is authentication and what is identification, simply, and again not trying to dictate what it should be but to point out that actually between their regulation and their consultation they are using different terms. And therefore it has been very difficult to actually make everybody agree, because we are as usual arguing about definitions and common sense, and the things that we miss coping may be very different.


So I picked out four things here, which can be done in many different ways, but which I hope are enough to point out that there are significantly different scenarios, and what's applicable for one and the concerns in one can be very different from the concerns in the other, and then pointing out really where it is in the doc.


Without suggesting a particular thing other than to align it with another international body, such as UNCITRAL, rather than recommending that they use that, the idea here is that we should simply point out the difficulty with that and caveat the comments further down by saying we are using those in this rather unusual context of the way that they seem to have ended up using


Comment 5.