No. | Participant | Attending
1 | Auld, Lorrayne |
2 | Balfanz, Dirk |
3 | Chaudhury, Atef | Yes
4 | Brudnicki, David |
5 | Dutta, Tim |
6 | Flanagan, Heather | Yes
7 | Fleenor, Judith |
8 | Glasscock, Amy |
9 | Gropper, Adrian |
10 | Hughes, Andrew |
11 | Jordaan, Loffie |
12 | LeVasseur, Lisa |
13 | Lopez, Cristina Timon |
14 | Snell, Oliver |
15 | Stowell, Therese |
16 | Tamanini, Greg |
17 | Vachino, Maria |
18 | Whysel, Noreen |
19 | Williams, Christopher |

Other attendees

Goals

  • Check-in on work progress

  • Review draft outline and status of writing tasks

...

Time

Item

Who

Notes

  • Start the meeting.

  • Call to order.

  • Approve minutes

  • Approve agenda

John Wunderlich 

Called to order: 10:05 PT

Quorum achieved

Administrivia: Andrew Hughes, Christopher Williams will be dropped to non-voting status after this call

Minutes Approved:

  • Motion to approve: John Wunderlich; seconded by Gail Hodges; no objections

2022-10-12 Meeting notes - Draft

2022-10-19 Meeting notes - Draft

5 min.

Open Tasks Review

All

Task report
  • Gap analysis update: Also working on a spreadsheet grid to ensure that, for each actor, all 10 principles are addressed by at least one requirement

30 min.

Draft Report Discussion

John Wunderlich 

Discussions

Report from Implementor’s Report sub-group

Draft Google Doc: https://docs.google.com/document/d/1EpjETW_5Byb0WsM7xXVKNnU08SDXfdYQ2fjLLx7s514/edit?usp=sharing

  • substantively complete


Notes:

Framing statement - Verifiers

  • In the intro example of the user, “Hope,” there is a phrase about the biometric being retained on an ephemeral basis. Is the scope intended to define a mechanism for RPs to assert or certify that they have disposed of the photo biometrics? Curious about scope, viability and policing to realize that aspiration.

    • requirements will be listed as "MUSTs" - there will be a requirement that in an operational circumstance where the retention of biometrics is not legally required, there will be active notice etc etc etc. Next step after this is the creation of profiles for things like using mobile credentials in bars, in stores, etc. Some requirements won't apply to some profiles. The conformance tester against the profile will go in and do what auditors/assessors do.

    • we need to take into consideration the boundaries of what's achievable

  • Possibly that we're focused on the wrong thing. What can the user actually see and have promised? The example of Joe's Bar & Grill is not the verifier, it's Stripe. Part of this is to get them to say what they're doing and make it legally binding; that more than the technology is what is important to the user. Want to know if an org is keeping the data before I give it to them.

    • Building a set of requirements that build policy, intent, and procedures that enable what we want to see for the end user is what we have as our ultimate goal.

  • maybe we need an introduction at the beginning or risk factor at the end? What if we have a wallet provider that does not adhere to any of our requirements? Do we create the requirement that the wallet provider must signal what they do? What about the RP and what requirements are set to them?

    • testing and conformance are postponed for now; they come after we agree to the requirements.

  • in order not to be surprised, there has to be some sort of expectation. Unclear how the verifier gets introduced into the flow; we're already in collection at the point of the verifier. Perhaps reorder the framing statements? The verifier has to have an understanding of the risk they're taking on. Understanding that is something that happens earlier on in the process. Maybe "the verifier must determine the risk and collect"

Framing statement - Providers

  • for this and other aspects of the document, John may work on a RACI (Responsible, Accountable, Consulted, Informed) diagram

Holder

  • would be useful to have more in this document about the holder

Tasks

  • will start adding content so we can iterate and report back to the group, making sure everyone has an opportunity to chime in. Final version expected by end of November.

  • group is encouraged to comment!

5 min.

Requirements Review

John Wunderlich

Pending


Other Business


Co-ordinating/planning PEMC/Kantara at IIW

  • goal to both update people on PEMC’s plans and ask people for input on our work

  • planning on 1-2 sessions on the Tuesday/Wednesday of the unconference

  • Please note OpenID Foundation will have a workshop 1230-4pm Monday 11/14 before IIW. No cost, open to the public. We will have a listening session on the Government-issued credential Privacy whitepaper hosted by Heather Flanagan, as a precursor to IIW itself. Pre-registration link will be made available (and required).

Reminder: Seasonal clock skew has started; Daylight Saving Time ends in the UK/Europe on 31 October vs in the US on 6 November. Call times for the 2 November meeting may be different from what you expect.

Adjourn


13:51

...