2020-09-10 Minutes

Attendees

Voting participants: Mark Hapner; Martin Smith; Ken Dagg; Tom Jones; Mark King

Staff: Colin Wallis, Ruth Puente

Quorum: As of 2020-08-13, quorum is 4 of 6. There was quorum.


Agenda

Administration:

  1. Roll Call
  2. Agenda Confirmation
  3. Action Item Review: action item list
  4. Minutes approval 2020-09-03 DRAFT Minutes
  5. Staff reports and updates - Director's Corner
  6. LC reports and updates
  7. Call for Tweet-worthy items to feed (@KantaraNews)

Discussion:

  1. Review and Comment on the eIDAS Regulation
  2. Criteria Guidance (Any participant suggestions for adding or enhancing guidance for understanding assessment criteria).

Any Other Business


Minutes Approval

2020-09-03 Minutes were approved by motion. Moved: Mark King. Seconded: Mark Hapner. Unanimous Approval.


Staff reports and updates

  • Interesting week with the FedID Conference, if you're interested in what's happening in the federal space.
  • We have noted that the SAFE BioPharma non-PKI pages have been removed. More news will come in the following weeks, which will be good for Kantara and for the industry in general.
  • ISO meetings: SC27 WG 5 meetings were scheduled to start on Saturday. Kantara has supplied its liaison statement. We've also supplied comments on ISO 27560, the consent record information structure, which is an extension of the Consent Receipt with a much broader pattern. ISO 29150 is under its five-year review; for the last two years they have been struggling, partly because it was trying to manage non-person entities as well as human entities in the same way that identity proofing was trying to cover.
  • DIACC is preparing a press release next week about the Pan-Canadian Trust Framework. The minimum viable product is done. They want to recognize Kantara for its efforts and asked us for a quote.
  • New IT staff members.


Meeting about 63C assessment and approval

  • Kantara had a meeting with its assessors, the ARB Chair, NIST and IAWG Leadership to address some identified challenges in 63C assessments and approval. It was agreed that a federation agreement must exist in order for us to undertake an assessment of 63C. Secondly, an independent assessment of 63C cannot be done: it is designed as a package to work with 63A and 63B. The definition of federation agreement could be fairly broadly interpreted to include things like operating rules.


Comments about eIDAS regulation

  • Mark King walked the group through the compiled comments available at IAWG comments (comments received until September 8th).
  • Comment 14. The scope is defined only as electronic transactions. The actual scope is somewhat wider, so it is slightly odd that it is limited to electronic transactions: "can we have the scope clarified?". The comment flags that it is just the international part of this that we are suggesting needs to be looked at.
  • Comment 15 is about the notification by a member State. One of the assumptions that some people have made is that the notified system has to be in that state. There is no reason why a member State cannot, for example, offer an American system, a Canadian system or a Chinese system: if it recognizes it, it can put it forward and then the others have to accept it. From an international perspective this is worth recognizing.
  • Comment 16 is a simple one about the use of the term “Mutual”. It is seen as misleading, and it is also important to understand that in many contexts one-way is all you get and is quite sufficient. So it is simply asking that the text be slightly reworded to take account of that.
  • Comment 17 refers to seals. It perhaps ought to be elaborated a little further. In the first part of the text only humans are involved, but in the second part there is a distinction between a signature done by a human, which is the signature, and a signature done by a non-human entity, defined as a seal. There is also a very subtle distinction in the implications of using one rather than the other, which probably isn't intended; it is there as an editorial problem. If they can be used interchangeably then their legal position ought to be the same, and therefore this distinction is not explained. So the request is to either explain it or remove it.
  • Comment 19 concerns the English version, where the meaning of “required” is not clear. So it is simply tidying that up and suggesting that it is for online services.
  • The next one is the suspension argument. Suspension causes endless trouble, and basically the recommendation here is to kill it unless somebody can actually show how it could work in practice in a legal context. It makes perfectly good sense for access control for buildings, but when it comes to signatures any sense of legal certainty has disappeared. So it was proposed that suspension should either be removed entirely, or that the text explain what people are going to do with it and how it is going to work, because most of our experiences with this are really bad.
  • There is then the specific Kantara one, where we need a better reference. It simply says that consent is not generally the legal basis for public-sector data processing, but it does get a mention, and so when it is appropriate it ought to be using the consent model that Kantara has got. ISO 29184 for online privacy notices and consent, Annex B, contains a sample receipt drawn from the Kantara Consent Receipt.
  • Comment 22 is a little bit of clarification on location. There is considerable interest at the moment in Europe in automatically charging for public transport using your insurance. In some cases countries like to record where the contract is done or where a cheque is signed, not just the date and who did it, so location needs to be known as well. So it is really just flagging that there is this new area and the assurance associated with it.
  • There is a comment about due diligence. In the original legislation the EU has in its wisdom defined these levels of substantial and high, with the result that you can't exceed high and you can't require more than high. That is quite a significant constraint on the market.
  • Comment 1 is about redoing the work on what is authentication and what is identification, not trying to dictate what it should be, but pointing out that between their regulation and their consultation they are using different terms.