Attendees:

Gershon Janssen
Susan Landau
Mark Lizar
Anna Slomovic

Guests:
Rich Furr
Richard Wilsher
Hedy Kirkby – (GOVT Canada)
Aaron Titus
Colin Wallis
Bob Pinheiro
Bill Braithwaite
Leif Johansson

Apologies:
John Bradley
Joni Brennan

Staff:
Anna Ticktin

MINUTES:

1. ADMINISTRATIVE

  • Roll Call
  • Motion of minutes approval for 11 Jan 2011 will be carried over to the next call.
  • Mark has announced Jeff's resignation and made a call for co-chair nominations, to close on 26 May 2011.

2. P3: Updates

NSTIC Update: Susan Landau

  • Follow the link below for a full recap of the NSTIC launch (the panel discussion commences around 21 mins into the video): http://www.youtube.com/watch?v=32P-IEmBfEA
  • Susan thinks it's great that it's NIST, rather than DHS.
    Seems to be a commitment to oversight at a public level.
    Disappointed not to see more federated, since it's more private and more secure.
    Needs to be data accountability.
    Anna asks: Reaction to privacy issues? Incentives are not clear.
    "Privacy on the books and privacy on the ground" paper: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1568385 Addresses FTC enforcement. Seems there is a federal push for privacy.

Aaron Titus's response to NSTIC:

  • It's in the private sector's best interest to make it "user-friendly" in order to achieve privacy goals.
  • Paper:

PF Update---Call to Action:

Generic/Privacy Assurance Framework: Richard Wilsher (IAWG)

  • Developing an assurance framework for the P3
  • Idea of a "Generic" Assurance Framework---reference and model, not a working instantiation.
  • Use the IAF as a model to draft a "Generic" Assurance Framework, which could include the IAF, a Privacy Assurance Framework or an Attribute Assurance Framework.
    Richard explained the structure of the IAF and suggested how the "PAF" could be drafted "sideways" from the work and effort already completed by the IAWG and standing up for KI.
    Producing the GAF would be relevant to the developments in NSTIC as it makes Kantara more visible with a more complete assurance offering.
    What is the IAWG P3 bridge? The DRAC "Data Recipient Assessment Criteria"
  • Scopes are converging between P3 and IAWG work efforts.
    Industry is working to satisfy ICAM requirements, but many feel that ICAM is a barrier, narrow in its views and not responsive, and that the industry could be mustering energy to move beyond its narrow views.
  • Market needs? Tune into working into the right space and working against the right effort.
    Request to IAWG that they identify the extent to which the SACs address privacy/security issues.
    Where are we going to apply and combine issues/efforts?
  • Profiles and managing the credential in P3-PFSC
    Identity credentials vs. privacy credentials: argument for separate frameworks, as well as not wanting to water down the IAF and derail it from being identity-driven and specific.
  • IAF does not stack up in ICAM's eyes regarding privacy.
  • "Privacy criteria related to identity"
    Rich Furr: What bar of privacy do you shoot for? Do we look at different levels of assurance? We don't want to be too "high" or US-centric.
    The P3-PFSC drifted towards profiles.
    Richard Wilsher:
    Does HIPAA map to the IAF's 4 assurance levels? Privacy impact assessment.
    Enterprise context must be entered into by agreed-upon risk assessments scaled to LOAs.

3. P3 Roadmap/Road Blocks: (With the call already 30 mins over time, these items were not addressed.)

  • Liaison with IAWG: Generic Assurance Framework and Privacy Assurance Framework
  • Kantara Trust Framework Summit Presentation
  • Face-to-face meeting in Berlin
  • Recruiting: Inviting participants (Privacy Community/Identity Community). Invite David Wasley to P3.

4. AOB

Adjourned
