| Time | Item | Who | Notes |
|---|---|---|---|
| | Start the meeting: call to order, approve minutes, approve agenda | John Wunderlich | Called to order: 10:05 PT. Quorum: achieved. Administrivia: Andrew Hughes and Christopher Williams will be dropped to non-voting status after this call. Minutes approved: 2022-10-12 Meeting notes - Draft; 2022-10-19 Meeting notes - Draft. |
| 30 min. | Draft Report Discussion | John Wunderlich | Report from the Implementor's Report sub-group. Draft Google Doc: https://docs.google.com/document/d/1EpjETW_5Byb0WsM7xXVKNnU08SDXfdYQ2fjLLx7s514/edit?usp=sharing. Discussion notes and tasks are recorded below. |
| | Other Business | | Co-ordinating/planning PEMC/Kantara at IIW; reminder about seasonal clock skew. Details below. |

Draft Report Discussion - notes

Framing statement - Verifiers

- In the intro example of the user, "Hope", there is a phrase about the biometric being retained on an ephemeral basis. Is the scope intended to define a mechanism for RPs to assert or certify that they have disposed of the photo biometrics? Questions were raised about the scope, viability and policing needed to realize that aspiration.
- Requirements will be listed as "MUSTs". For example, there will be a requirement that, in an operational circumstance where retention of biometrics is not legally required, there is active notice to the user, etc.
- The next step after this is the creation of profiles for things like using mobile credentials in bars, in stores, etc. Some requirements won't apply to some profiles. The conformance tester for a profile will go in and do what auditors/assessors do. We need to take into consideration the boundaries of what's achievable.
- Possibly we're focused on the wrong thing. What can the user actually see and have promised? In the example, Joe's Bar & Grill is not the verifier; Stripe is. Part of this is to get them to say what they're doing and make it legally binding; that, more than the technology, is what is important to the user. "I want to know if an org is keeping the data before I give it to them."
- Maybe we need an introduction at the beginning, or a risk-factor section at the end?
- What if we have a wallet provider that does not adhere to any of our requirements? Do we create the requirement that the wallet provider must signal what they do? What about the RP, and what requirements are set for them? In order not to be surprised, there has to be some sort of expectation.
- Unclear how the verifier gets introduced into the flow; we're already in collection at the point of the verifier. Perhaps reorder the framing statements? The verifier has to have an understanding of the risk they're taking on, and understanding that is something that happens earlier in the process. Maybe "the verifier must determine the risk and collect".

Tasks

- Framing statement - Providers: for this and other aspects of the document, John may work on a RACI (Responsible, Accountable, Consulted, Informed) diagram.
- Holder tasks: will start adding content so we can iterate and report back to the group, making sure everyone has an opportunity to chime in. Final version expected by end of November. The group is encouraged to comment!

Other Business

- Co-ordinating/planning PEMC/Kantara at IIW: the goal is both to update people on PEMC's plans and to ask people for input on our work. Planning on 1-2 sessions on the Tuesday/Wednesday of the unconference.
- Please note the OpenID Foundation will have a workshop 12:30-4pm Monday 11/14, before IIW. No cost, open to the public. We will have a listening session on the Government-issued credential Privacy whitepaper, hosted by Heather Flanagan, as a precursor to IIW itself. A pre-registration link will be made available (and registration is required).
- Reminder: seasonal clock skew has started. Daylight Saving Time ends in the UK/Europe on 30 October vs in the US on 6 November. Call times for the 2 November meeting may be different from what you expect.