IAWG Meeting Minutes 2016-04-07

Kantara Initiative Identity Assurance WG Teleconference

 

DRAFT Meeting Minutes - IAWG approval required

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes Approval: 
    4. Action Item Review
    5. Organization Updates - Director's Corner
    6. Staff reports and updates
      1. FICAM Sync meeting update
    7. LC reports and updates
    8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Privacy Criteria development - discussion of approach
    2. Approve statement of requirements for SAC update task
    3. Review of IAWG Charter
    4. Status update on AL2_ID_RPV#020 change
  3. AOB
  4. Adjourn

 Attendees

Link to IAWG Roster

As of 2015-11-05, quorum is 5 of 9

 

Meeting achieved || did not achieve quorum

 

 

Voting

  • Andrew Hughes 
  • Rene McIver
  • Ken Dagg 
  • Russ Weiser
  • Scott Shorter
  • Lee Aber
  • Adam Madlin 
  • Paul Casley

Non-Voting

  • Christine Abruzzi

Staff

  •  Colin Wallis

Apologies

Richard Wilsher

 

 

Notes & Minutes

Administration 

Minutes Approval

Motion to approve minutes of 2016-03-10: Andrew Hughes
Seconded: Adam Madlin
Discussion: 
Motion Carried

Action Item Review

  • Scott to add a link to the action items page to the meeting minute template, and to figure out how to use the action items page.

Staff Updates

LC Updates
  • Organizational updates: Kantara funding is coming along.
  • Discussion of connected life, IoT, UMA, etc., and what else Kantara would get involved in (e.g. blockchain). Ken and Andrew discussed starting a relying party working group to focus on their needs. There are funded projects in the UMA and consent and information sharing working groups. We will talk about the IAWG project. Kantara will be well represented at IIW, the European Identity Conference and the Cloud Identity Summit. Email Andrew, Ken or Colin for a discount coupon.
  • Next call 
Participant updates

Discussion

Privacy Criteria development - discussion of approach

How do we develop privacy criteria? Are the criteria associated with levels of assurance, or do they cut across all LOAs? Should we create content or follow standards groups that have created guidelines?

There are federal privacy criteria that are an add-on to the core criteria of the SAC. This work came to the IAWG when the privacy working group of Kantara shut down. What set of privacy criteria should go into the Kantara service assessment criteria?

Adam asks if there's a request to do this. Ken reports that the P3 working group (privacy principles/psomething??) did some work and contributed it to IAWG. IAWG agreed to start the conversation on whether we need them and, if so, what.

Adam responds that other jurisdictions may have different requirements. Paul responds that safe harbor and other issues have been a big deal due to InCommon's global reach. FERPA information release has to be described in privacy policies. Students need to give permission to take a course; that turns out not to be consent. There were issues on the research side with federated partners in Europe.

Russ Weiser agrees with that point and agrees there need to be privacy statements available. FICAM and connect.gov want consent on every attribute share; there are ways to do it once instead. This crosses multiple areas. Is there a way to know that the attributes have been shared before? Paul points out there's an NSTIC grantee that's working on it, including finer granularity and revocable consent. The InCommon ecosystem is straining with a lack of data sharing, so a consent approach would help.

The consent and organization sharing group is trying to solve the same problem with consent receipts.

Andrew summarizes that there does seem to be a need. Do we need a white paper first? Do we need research into privacy frameworks? Do we need to recruit new folks that are more privacy oriented in their work lives?

Ken agrees with the need. Is this possibly a new discussion group? Andrew isn't sure that would result in quick action. If the objective is to help CSPs demonstrate compliance with privacy requirements.

Paul says that this seems right for a trust mark to him.

CSPs do have to answer a lot of personal questions; a trust mark could help.

Russ Weiser observes that older generations would not understand trust marks. Suggests someone put together a spreadsheet of the approaches being followed.

Google research on data privacy laws - compendium of privacy laws available.

Scott to ping Jenn Behrens to inquire about a survey of privacy law requirements.

Status update on AL2_ID_RPV#020 change

There was a discussion of this in January on new wording for the criteria in question. It has to do with evidence checks and verifying information. Russ had put forward a question resulting in a proposed change, saying that dynamic verification of personal information previously provided by or likely to be known by the applicant.

Russ restates the problem: under current practices and 800-63, Verizon must collect government ID and account number for LOA2. Then it says verify against one or the other. If CSPs do not verify the account number information, then there shouldn't be a requirement as a KBA at LOA2.

Russ makes a motion to update the evaluation criteria to collect and approve the minor changes in the SAC so we can get them approved. Andrew seconds that motion. The motion carries.

Approve statement of requirements for SAC update task

The update task has been around to rewrite the document in objective oriented terms. Once IAWG approves the requirements, they go to the leadership council and then the board of directors. If approved all the way up, a request for proposals will go out.

Action for Ken to send it in the current version. Next week's agenda will have a vote on it.

 Review of IAWG Charter

 Each working group should look at charters each year. We're overdue by a number of months, so Andrew is looking for volunteers to read the charter and see if it makes sense, or, barring that, one or two people to help Andrew read it. Scott will participate. Ken calls for participation by non-leadership. Andrew clarifies that the changes will come to the group for endorsement.


 

AOB

For the group's knowledge: E-gov is working with InCommon to develop a new egov profile and should have something to evaluate in a week or two. Colin clarifies that InCommon built a profile, a mapping was done, and InCommon is being asked to incorporate the gaps.

Attachments

 

Next Meeting