2020-08-27 Minutes
Attendees
Voting participants: Mark Hapner; Martin Smith; Ken Dagg; Tom Jones; Mark King
Non-voting participants: James Jung
Invited guests: Tom Smedinghoff
Staff: Colin Wallis, Ruth Puente
Quorum: As of 2020-08-13, quorum is 4 of 6. There was quorum
Agenda
- Administration:
a. Roll Call
b. Agenda Confirmation
c. Action Item Review: action item list
d. Minutes approval 2020-08-13 DRAFT Minutes
e. Staff reports and updates - August Newsletter Keeping up with the Kantarians
f. LC reports and updates
g. Call for Tweet-worthy items to feed (@KantaraNews)
2. Discussion
a. Review and Comment on the eIDAS Regulation - See EC Public Consultation
b. Criteria Guidance (Any participant suggestions for adding or enhancing guidance for understanding assessment criteria).
3. Any Other Business
Minutes Approval
2020-08-13 Minutes were approved by motion. Moved: Martin Smith Seconded: Tom Jones. Unanimous approval.
Staff reports and updates
- Colin walked the group through the August Newsletter Keeping up with the Kantarians
LC reports and updates
• Tom Jones commented that the FIRE Workgroup had published the Mobile Authentication Assurance statement. It is not really ready for review but if anybody wants to provide input should contact him.
Review and Comment on the eIDAS Regulation - See EC Public Consultation
- Mark King said he sent earlier this week some themes that are of interest on this topics. He commented he was not clear as to which half of the legislation his themes were directed. The first part is essentially about electronic ID purely as defined in the public sector cross border within Europe and the second one is a much broader requirement for Trust Services which may be restricted to the specific ones listed or maybe, those are just examples. There are questions as to whether for example location-based services, so that your insurer knows where your car is, something which might be subject to that. He believes that the fundamental question is which bits of this are actually for Kantara, whether it is this particular part for the ID or some other part of the Trust Services and just to confirm that it is thought that it is something that should actually be contributed to.
- It was commented that the eIDAS regulation is obviously Identity but, it relates to its applicability to the private sector.
- Mark King explained that the public – private sector interaction is an interesting one, in eIDAS it is absolutely limited by what they can do under the European competence. They are not able to do anything themselves about Identity. What they have to do is shoehorn the cross-border authentication as being the thing they are able to legislate. He added that something that has changed quite a lot since it was originally done was the attitude to Consent, it has been discussed in Kantara, Consent should not be used as the legal basis when there is a disparity and particular for public sector and monopolies. Consent is completely pointless until you identify the person.
- Tom pointed out that there is another issue about consent, in the statement of “the user should supply identification before they supply consent”, in the Word that came out from IDESG the statement says, “before the user applies consent, the website will identify first”.
- It was agreed that it is appropriate for Kantara to provide comments on eIDAS. The rationale for that is Kantara as a global organization is able to provide a global perspective and experience to eIDAS, and comments should be welcomed. Secondly, as to the scope of those comments, there is not any issue. If there are relevant comments to the document, perspectives that are relevant to the document, then Kantara can do it. Regarding Tom’s question around if it is applicable to the private sector or not, if it is not clear from the read of eIDAS, then that question should be asked. If something can be done to make it applicable to the private sector, then more suggestions should be made.
- Mark King said that he will take the themes that had been provided so far and elaborate those into paragraphs, and then send that out for next week (for more discussion and review).
- He walked the group through the list of themes:
- He started observing that the question about the bigger picture is because they are limited to what they can do. The expectation is that it has to fit with other initiatives; different countries with different legal systems it really does have tremendously different impact, whether or not this legislation is required to enable use. That is context setting.
- It was asked if “other countries” refers to outside the EU. Mark responded that even inside the EU.
- Mark King added about the question as to whether the private sector is able to use this for things which it wants itself, the real issue is where it is required to provide something in order to comply with age verification for example. There is a great difficulty of who is coming first, who is paying for it, where is this liability? Because the inconsistencies they have, have not gotten any real progress in this area. The other one in terms of liability interest is the provider, is it really the government taking the liability for what those commercial providers are providing to other countries? The authentication identification again has been blurred and the definitions that they use in consultation happen not to be exactly the same used in the legislation itself.
- It was stressed about payment, that it is needed to be careful about how much information you need to make a payment. Mark King said that indeed it is changing significantly, the very necessary authentication does not have to be the old-fashioned identity using your name and place of birth. The other one that has been political reluctant surprisingly to use payment systems for things that are provided for free. When it is payments, there is a clear model of taking one percentage fee transaction, it is not obvious what the public sector transaction should be for that. The subscription models in particular, are problematic in that area. There is no reciprocal arrangement within the eIDAS.
- Location is missing as a trusted service, this is a bit vague, because nobody is quite sure what these things should be. It is a hot topic in Europe at the moment.
- Proof of presence was mentioned earlier, Mark K. stressed he was not sure if it is a legal issue or a legal security practice. He also remarked that there has been a lot of criticism about using ID. He is concerned about the fact the European Commission of Human Rights, when it comes to anti-fraud, it only talks about the public organizations, it does not talk about the private sector. The consent is the other point that was discussed and mentioned.
- It was asked about the appropriateness of using the structure provided by eIDAS for an international private sector-based set of identity systems. The question for Mark is what is his overall sense of the extent to which this regulation is actually being used in the sense of how many transactions are actually being conducted using credentials that are issued by a country and governed by this regulation. Mark responded that the numbers are small.