Attendees:
Gershon Janssen
Susan Landau
Mark Lizar
Anna Slomovic
Guests:
Rich Furr
Richard Wilsher
Hedy Kirkby – (GOVT Canada)
Aaron Titus
Colin Wallis
Bob Pinheiro
Bill Braithwaite
Leif Johansson
Apologies:
John Bradley
Joni Brennan
Staff:
Anna Ticktin
MINUTES:
1. ADMINISTRATIVE
- Roll Call
- Motion of minutes approval for 11 Jan 2011 will be carried over to the next call.
- Mark has announced Jeff's resignation and made a call for co-chair nominations to close on 26 May 2011
2. P3: Updates
NSTIC Update: Susan Landau
(Follow this link for a full recap of the NSTIC launch (the panel discussion commences around 21mins into the video):http://www.youtube.com/watch?v=32P-IEmBfEA)
- there seems to be a commitment to oversight at a public level
- she was disappointed not to see more federated since it's more private and more secure
- there needs to be data accountability
- Anna asks: What's the reaction to privacy issues? The incentives are not clear.
- "Privacy on the books and privacy on the ground paper" :
- Addresses FTC enforcement.
- Seems there is a federal push for privacy. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1568385
Aaron Titus's response to NSTIC:
- It's in the private sector's best interest to make it "user-friendly" in order to achieve privacy goals.
- Paper: IDF-NSTIC-WP.pdf sent to the list
PF Update---Call to Action:
- Our call to action for PF is something Mark will bring up at the F2F and look at combing the PF effort with other privacy efforts in Kantara
Generic/Privacy Assurance Framework: Richard Wilsher (IAWG)
Discussion : Developing an assurance framework for the P3
- Idea of a "Generic" Assurance Framework---as a reference and model, not a working instantiation
- Use the IAF as a model to draft a "Generic" Assurance Framework which could include the IAF, a Privacy Assurance Framework and/or an Attribute Assurance Framework
- Richard explained the structure of the IAF and suggested how the "PAF" could be drafted "sideways" from the work and effort already completed by the IAWG.
- Producing the GAF would be relevant to the developments in NSTIC as it makes Kantara more visible with a more complete assurance offering.
- What is the IAWG — P3 bridge? The DRAC "Data Recipient Assessment Criteria"
- Scopes are converging between P3 and IAWG work efforts.
- The industry is working to satisfy ICAM requirements, but many feel that ICAM is a barrier, narrow in its views and not being responsive. The industry could be mustering energy to move beyond it's narrow views.
- What are the market needs? To be relevant, we must tune into working into the right space and working against the right effort.
- ACTION ITEM 20110505-01 Mark : send a request to the IAWG asking that they identify to what extent do the SACs address privacy / security issues? Where are we going to apply and combine issues/efforts?
- P3-PFSG will focus on profiles and managing the credential
- The issue at hand : "Identity Credentials" vs "Privacy Credentials"
- There is an argument for separate frameworks, one issuing being not wanting to water down the IAF and derail it from being Identity-driven and specific. However, the IAF does not stack up in ICAM's eyes regarding privacy
- Privacy criteria related to identity
- Rich Furr : What bar of privacy do you shoot for? Do we look at different levels of assurance? We don't want to be too high or US-centric.
- The P3- PFSC has drifted towards profiles.
- Richard Wilsher: Does HIPPA map to the IAF 4 LOAs? A privacy impact assessment must be conducted ...enterprise context must be entered into by an agreed upon risk assessments scaled to LOAs.
3. P3 Roadmap/Road Blocks: (With the call already 30mins over time, these items were not addressed.)
- Liaison with IAWG: Generic Assurance Framework an Privacy Assurance Framework
- Kantara Trust Framework Summit Presentation
- Face-to-face meeting in Berlin
- Recruiting: Inviting participants (Privacy Community/Identity Community) Invite David Wasley to P3,
4. AOB