
Attendees:

Anna Slomovic
Mark Lizar
Myisha Frazier McElveen
Anna S Tom Smedinghoff
Rainer
Thomas H, Hoerbe

Apologies:
Gershon Jansen
Rich Furr

Staff:
Anna T

2. F2F Meeting

Discuss the similarities and common ground between IAF.

3. Privacy Framework Scope
4. AOB

Below is a summary of PF going forward, scope and F2F topic ideas.    

Privacy Framework Going Forward

P3 and Kantara are clearly at a privacy crossroads. Kantara is ideally poised to benefit from bold initiatives to provide internet-scale privacy assurance and to bridge the gap in diverse communities between legal privacy policy and federated identity management with a Kantara certification.

UMA and the ISWG propose radically different approaches to the current management of personal and sensitive information. The IAF provides the pioneering infrastructure for Identity Assurance on the Internet. A privacy framework that can provide a method of assurance and an understanding of the privacy benefits of Kantara efforts is clearly required by ICAM and NSTIC as well as the international policy and regulatory communities. Furthermore, a certification can be developed to provide an anchor for existing privacy efforts to extend privacy and trust online: an anchor created by producing a certification that can be designed to have the full legal weight of the international and regulatory policy communities behind it.

The TFMM-WG effort provides impetus for this collaboration, as it gives a central picture of effort inside and outside Kantara. The P3 scope is to underline the need and requirement for a privacy approach and how this approach provides us with a clear opportunity. This is an opportunity to rally a collaborative Kantara Initiative that can co-ordinate and educate a better framework of Trust.

Of course there are significant challenges that need to be faced; this is not the easiest activity to undertake, but as Colin has very aptly pointed out, these are green fields that are now accessible to us as a community to collaborate in.

In line with these challenges, here is an update to the scope already presented. Ticktin

Notes:

F2F Meeting (hopeful) take-aways:  

  • An understanding of how privacy is integrated into the assessment criteria and who is writing which pieces for what documents. What is the practical path and flow? How is the business of assessment and certification built? How does privacy get separated? Whose privacy are we actually talking about: CSPs? RPs? End users?
  • Privacy protection needs to be built into a framework, but the sets of requirements will be different depending on which entity we are providing guidance to.
  • Different incentives demand different requirements. LOAs collapse into ID verification and authentication according to NIST.
  • Anna: We wouldn't want to lump privacy protections into one number. LOA might have a different LOP (protection)? (privacy)?
  • Question: Can we apply the IAF to attributes? This topic will be carried to the Berlin F2F agenda.
  • Question: How is the IAF going to evolve (beyond just NIST level) and what are the corresponding documents that will be developed?
  • Question: How is the FICAM privacy profile to be applied? Currently it's seemingly slapped on.
  • Privacy assurance could be a vehicle for regulatory compliance.
  • Privacy assurance cannot conflict with regulatory compliance.
  • Question: How does level of protection relate to level of privacy?

Privacy Framework Scope

  • Produce a Privacy Framework (comprised of privacy principles) for Kantara that provides a Privacy Assurance Framework/Profiles for integration with IAF and that can be used to assert the privacy assurance efforts in the ISWG and UMA.
  • The PF is exploring the development of privacy profiles that can anchor credentials and attributes, so as to integrate technical privacy rules for the recipient and privacy assurance in the use of credentials from the provider.

In order to facilitate this scope and the P3 rallying call to action at the imminent face-to-face meeting in Berlin, please review this PF Scope.

Below is the schedule for the F2F meeting, in which we have a list of topics and suggestions that we can discuss in the F2F Tuesday meetings.

Topics:

1. Socialise topics to consider:

  • Socialize the PF effort with UMA, IAWG, ISWG and other WGs.
  • Discuss the privacy aspects from IAF, UMA, ISWG so as to provide a description of the privacy components and to outline an initial understanding of privacy service assessment criteria.
  • Discuss a re-write of the IAF into a "Generic" Assurance Framework (IAWG action) whereby the IAF structure is used as a template for the development of PAF.
  • Extrapolate from these two efforts an outline of a Privacy Profile.
  • Requirement for input into the P3 Privacy Framework process.
  • Submit these assurance requirements into the analysis of Privacy Principles and discovery efforts at P3.
  • Develop a draft of a privacy profile from the Privacy Assurance Framework with attributes as a use case. (HIPAA was mentioned again as the first use case. Note: Interesting observation that health data across the internet has no privacy or regulatory protection.)

Adjourned