...

Summary: Frank indicated IAWG will not have access to a funded editor moving forward. However, we still need to address two deliverables:
1. Federation Operator Rules & Guidelines (FORGE) – Rich Furr had previously indicated he could take this role on.
2. Separate the IAF into the 5 constituent parts applying the Kantara document style -- Britta indicated she had volunteered for this role. (NOTE: these are currently available in our WORKING DRAFTS section.)

"Fish Bowl" meeting report back

...


Summary: Britta reported on the ICAM submission. Overall, we have received very positive feedback from the ICAM team as to the completeness and applicability of our application. During the first round of feedback, the ICAM team asked for more specifics with regards to the review of privacy requirements in the Trust Framework Provider Adoption Process (TFPAP). These requirements, found in section 3.3, are:
 Trust Criteria Assessment – Assessment Team determines whether criteria applied by the Applicant to its member identity providers are comparable to ICAM criteria. Trust criteria assessment includes:
1. Technical and policy comparability based upon the Appendix A trust criteria;
2. Privacy policy comparability using the following criteria:
a. Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
b. Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.
c. Activity Tracking – Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
d. Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
e. Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.
f. Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
The ARB reviewed this feedback and made some recommended updates to the SAC, which are highlighted in the updated version of the SAC that has been circulated and is also in DRAFTS on our wiki. The specific updates can be found online and are evident in the termination provisions and some additional service definition inclusions.
As such, the recommendation from the ARB to the IAWG for consideration is to 1) make the recommended updates as outlined above and 2) specifically for opt-in and informed consent, create a very lightweight appendix/profile specifically for the US Federal Government that directly addresses the specific opt-in requirements for attribute release to be applied.

Kick off – Federation Operator Rules and Guidelines (FORGE).

...