IAWG Bi-Weekly Meeting Minutes - 2009-11-25
Kantara Initiative Identity Assurance WG Teleconference
Notes ratified to Minutes on March 31, 2010 teleconference.
Date and Time:
Date Wednesday, Nov. 25, 2009
Time: 8:00 PDT | 11:00 EDT | 15:00 UTC
Attendees:
- Shin Adachi, NTT
- John Bradley
- Rich Furr, Safe Bio-Pharma Assoc.
- Brian James, Dept. of Energy
- Lena Kannappan, FuGen Solutions
- Pete Palmer, SureScripts
- Erik Putrycz, Apption Software
- Jeff Stollman
- Colin Soutar, CSC
- Richard Trevorah, tScheme
- Nigel Tedeschi, BT
- Frank Villavicencio, NetStar-1
- David Wasley, InCommon
- Ben Wilson, DigiCert
- Tom Smeddington, Observer
- Brett McDowell, Staff
- Britta Glade, Staff
Agenda:
- Roll call
- Approve past meeting notes
- IAF SACs
- IAF US Government-focused (ICAM) Privacy Profile
- Status update and discussion
- Discussion of contribution plan for Privacy Profile to P3WG
- Possible motion to a WG Report with a goal to a final vote as a recommendation
5. Initial review of the IAF Assessor Qualification Requirements (AQR) - ARB will share this document with IAWG looking for us to review and provide feedback
- Next steps regarding this deliverable
6. Additionally (as time allows) - FORG status update (Rich Furr)
- AOB
1. Roll Call
SUMMARY: Roll was completed and quorum was met. Non-voting members desiring to be moved to voting status were taken care of at this time.
2. Approve past meeting notes
MOTION: Frank moved to approve all past minutes. No objections. Motion approved by consensus.
3. IAF SACs and Related Documents
SUMMARY: The group voted to release the SACs as a FINAL DRAFT TECHNICAL SPECIFICATION and DRAFT RECOMMENDATION for the LC to take forward for All Member ballot. The group also voted to release the "Identity Assurance Framework - US Federal Privacy Profile" as a Report, noting it is still in draft stage.
DISCUSSION: Richard Trevorah reported that all outstanding issues have been resolved. ESM 55 has been resolved. Not referring to specific privacy policies but this would be subject to a separate assessment. Revised redline sent. NO comment so assuming updates have been accepted.
DISCUSSION: Rich Furr raised a question related to the use of antecedent data at levels 2 and 3 PKI for identity verification. The FBCA Certificate Policy Working Group developed a specific statement for inclusion in the Federal CP to allow specific use of antecedent data. Rich questioned the current state of the SAC at levels 2 & 3 PKI in this case. Frank indicated that his motion would include a statement that a work stream would be developed to address this in the upcoming timeframe. The lack of specific language in the SAC that prohibits the use of antecedent data is interpreted that such data MAY be used and specific language will be developed.
DISCUSSION: CSC raised the question regarding the privacy language in the SAC in terms of the requirements specified by national law in most jurisdictions. David Wasley indicated that if the Kantara program specifies a comparable privacy policy then it can accredit Kantara as a certifier. Reason is partly that the ICAM privacy policy is specifically government related and the use case does not necessarily apply to broader use cases. David is trying to drive the TFPAP to a point that it can support the broader model.
DISCUSSION: Brett suggested that in the discussion, we clarify the use of Privacy Policy. There is a privacy policy inclusion requirement in the SAC which requires the IDP to disclose their policy to subscribers. The ICAM privacy policy is NOT a policy per say, but rather six general privacy principles. We are trying to develop a separate set of privacy policy guidelines that will be a separate document. David is trying to work to ease some of the more restrictive sections of the ICAM principles.
DISCUSSION: We need to have a means to maintain version control on the SAC to determine which version specific CSPs were certified under. This is however, a separate discussion.
DISCUSSION: Frank reported that we are taking the steps to separate the SAC from whatever privacy profile comes out of the ICAM. The Kantara documents need further review.
MOTION: The group agrees that the IAWG will develop a work stream to address the use of antecedent data in identity verification and other issues that the IAWG may wish to raise at levels 2 & 3 PKI. Rich Furr so moved and Colin Soutar seconded. Passed by unanimous consent.
MOTION: The Identity Assurance Work Group (IAWG) hereby approves the "Identity Assurance Framework - Service Assessment Criteria" v0.8 as a Final Draft Technical Specification per the IAWG IPR Policy and Draft Recommendation per the Kantara Initiative Operating Procedures. Rich Furr so moved and John Bradley seconded. The vote passed by unanimous consent, save an abstain from CSC.
DISCUSSION: Lena asked if there will be opportunity to provide feedback at a future date. Frank advised that this is requested. The ARB will also review and make recommendations based on the initial certifications.
MOTION: The Identity Assurance Work Group (IAWG) hereby recognizes the "Identity Assurance Framework - US Federal Privacy Profile v0.1DRAFT" as a Report per the Kantara Initiative Operating Procedures to solicit comments. Rich Furr so moved; Lena seconded. Motion passed unanimously.
ACTION ITEM: Britta to prepare electronic ballot for IAWG for the rest of the IAF items (Glossary, Overview, and Levels of Assurance).
Meeting adjourned at 9:12 PT.
Next Meeting
- *Date: Wednesday, Dec. 9, 2009
- Time: 8 PDT | 11 EDT | 16:00 UTC (Time Chart)
- Dial in: Skype: +9900827044630912 or US Dial-In: +1-201-793-9022 begin_of_the_skype_highlighting +1-201-793-9022 end_of_the_skype_highlighting | Room Code: 4630912