2020-09-03 Minutes
Attendees
Voting participants: Mark Hapner; Martin Smith; Ken Dagg; Tom Jones; Mark King
Non-voting participants: James Jung
Invited guests: Tom Smedinghoff
Staff: Colin Wallis, Ruth Puente
Quorum: As of 2020-08-13, quorum is 4 of 6. There was quorum
Agenda
Administration:
- Roll Call
- Agenda Confirmation
- Action Item Review: action item list
- Minutes approval 2020-08-27 DRAFT Minutes
- Staff reports and updates - Director's Corner
- LC reports and updates
- Call for Tweet-worthy items to feed (@KantaraNews)
Discussion:
- Review and Comment on the eIDAS Regulation - See IAWG Comments HERE
- Criteria Guidance (Any participant suggestions for adding or enhancing guidance for understanding assessment criteria).
Any Other Business
Minutes Approval
2020-08-27 Minutes were approved by motion. Moved: Tom Jones. Seconded: Mark Hapner. Unanimous Approval.
Staff reports and updates - Director's Corner
- It has not been decided yet whether to respond or not to the UK government.
- Colin presented on Monday at the ONC Patient Identity and Matching working session. He thanked the Fire Working Group for helping with the slides and the input from Tom Jones on this call.
- In the US, there is industry talk of Congressman Bill Foster (D-IL) proposing a bill with a working title 'to establish a governmentwide approach to improving digital identity, and for other purposes'. He will keep the group posted if he hears more about it.
- John Wunderlich put his hand up to spin up the much anticipated Kantara mDL Discussion Group. This DG will focus on rounding out the ISO 18013-5 mDL standard's privacy and security recommendations in Annex E - a critically essential success factor to enable the development of the fledgling global mDL ecosystem.
- Kantara was asked by Secure Technology Alliance for a 4th and possibly final webinar.
- It was reminded that Service Assessment Criteria being out for public review until September 21st.
Review and Comment on the eIDAS Regulation
Comments reviewed during the meeting: eIDAS_Comments_Draft.odt
- Mark King said there has been a lot of discussion on the mailing list.
- He pointed out that the first point has to do with liability, things about the potential for parties, the process by which the European law comes into existence and the various different terms that are being used. European governments are very much taken on liability. In fact, the underlying parts of the eIDAS and the ID part of the regulation is precisely that the notifier notifies something, and the other parties have to accept it. The reason that they have to accept it is that the notifier, he is taking liability (that is the state of the notifying state).
- He explained that the consultation refers to ID as who you are which is a national competence, and therefore they cannot say anything at all about it in the regulation. Authentication proves you are who you say you are, whereas the actual regulation itself says that identification is a process of using personal identified data uniquely representing the person, and that person can be a legal of physical person. The authentication is a process to enable that identification to be confirmed.
- Martin commented that just to be clear, there is no reason for the IdP to re-provide the identifying information. Mark King responded it is right, he suggested that when you are dealing with any other party, you can have as many identifiers as you both agree to use. There is no need for uniqueness if you want to use Facebook today and Google tomorrow.
- Mark King added that another important point is the attribute, the association of information with people, and he does not think eIDAS attempts to cover any of that at all.
- Martin asked Mark King if when he uses the term “unique”, he does not mean that the identifier itself is unique. Mark King answered that in various contexts people are interpreting “unique” in different ways. Martin clarified that he thought that Mark meant you have only one identifier per person. Mark explained that it is definitely the sense that you want to show in some cases that this is somebody on your list; but also, quite often, it is showing that two people are different. That is why he was suggesting that when you are signing up “it is me”, there is a uniqueness requirement there that you can only do it once and you cannot pretend to be someone else.
- Ken suggested at the beginning of the comments, that those two definitions that Mark King provided are stated as assumptions, only to provide clarifications to readers. Mark King responded it definitely needs an explanation at the beginning.
- Mark King explained that the European regulations or directives are forwarded by the Commission, then they go through some complicated process involving the parliament and the council. Then, when the regulation comes out, there are implementing acts typically required to be done by the Commission within a year which are supposedly just sorting out the administrative details. Unfortunately, they sometimes are leaving the problems that could not be solved. He argued that what he is doing here is reminding them that the issues which came out, still need to be tackled without giving any particular indication as to a preference for the results.
- The question of levels should be reviewed. Even if three levels for authentication are found to be needed, the need for anything other than HIGH for identification is not explained. The same signature is used in the physical world for all transactions. Mark King said that the suggestion is following ISO standards, the answer from the delegated is that it is not being done, which is a problem for everybody else.
- Colin said there are only three nations who have notified as substantial. There is a service provider in Italy, the other is in Netherlands and the other in the UK.
- Mark King mentioned that the suggestion for the public sector is to engage with the payments industry in a coordinated fashion, which could be mentioned in a recital, and to remove the expectation of simply growing whatever is mandated in eIDAS to cover private sector use.
- It was commented about line 147 that there is a problem with cross-borders when you appear multiple times in multiple jurisdictions.
- Ken suggested to differ this part for the next meeting.
- Ken asked Mark King to add titles for each comment and suggestion and use softer language.