LC telecon 2012-10-03 - Strategy Call

Date and Time

  • Date: Wednesday, 03 October 2012
  • Time: 13:00 PT | 16:00 ET | 20:00 UTC (time chart)
  • Call-in toll-free number: 1-866-203-0920
  • Call-in number: 1-206-445-0056
    • Conference Code: 5423695925#
  • International Dial-In Numbers

Agenda

  1. Roll Call
  2. Discussion
    1. Trust Frameworks and NSTIC - guest, Dazza Greenwood
    2. Consumer ID working group - is there work in this space for Kantara?
    3. Next steps for Kantara members wrt Europe’s eID/Electronic Trust Regulation
    4. Kantara member panel topics for RSA (Feb 2013) and EIC (May 2013)
    5. Non-Person Entities - Device, Organisation and Software.  Implications of new ID standards and the need for certification/assurance against them.
    6. Geo-authentication and trusted location services - UPRN (Unique Property Reference No) and LEI (Legal Entity Identifier).  LEI is mandated by the G20 for the finance sector.
  3. AOB
  4. Adjourn

Attendees

  • Andrew Hughes
  • Allan Foster
  • Tom Smedinghoff
  • Patrick Curry
  • Bob Pinheiro
  • Colin Wallis
  • Dazza Greenwood (guest)
  • Sal D'Agostino

Staff

  • Heather Flanagan (scribe)
  • Joni Brennan

Notes

Trust Frameworks and NSTIC - guest, Dazza Greenwood

  • How do we pull everything in the same direction for trust framework activities, the different components necessary; we have clear support for policy components and eGovernment components, privacy and healthcare, but getting all that to work together has been a challenge.  The same conversation and challenge has been happening in the NSTIC Trust Framework working group. What is the right strategy to pull all this together?  Dazza Greenwood has put together a framing discussion which he has also presented via email to the NSTIC IDESG.  One of the best ways forward could be to follow that framing here at Kantara.
  • Dazza Greenwood: describing a methodology for putting together trust frameworks; first, recognize that the work of the different groups should come together to form a coherent and harmonized whole
    • on Kantara website, there are a wide variety of different groups, and some of them are working on a section of a Kantara scheme, others are doing potentially stand-alone work; to the extent there is a scheme with more than one group working on it, first, identify the business, legal, and technical aspects that are thematic and cross-cutting; two, have the people in charge of those groups get together in a harmonization committee where they show their drafts to each other and get comments, and prior to proposing a new version to the LC, it would go through the harmonization group first
    • harmonization, coordination, and then funnel up
    • Colin: is that the approach you are looking at for NSTIC?
    • Dazza: yes; there is the accreditation group, trust framework group, several other groups that are to create a component of a unified framework; suggesting that at least the chairs of the groups chartered to create a consistent identity ecosystem framework coordinate with each other regularly, and that group would (ideally) vote out the proposals to the plenary
    • Andrew: how important is it to have a defined unified vision? can the vision come as the work develops, or does it need to be pre-defined? (Chicken <-> Egg)  What is the importance of the vision?
    • Dazza: personal preference is the latter, so there is a strategic sense of the model as work happens
    • Joni: we have had some of those discussions and that is what we are trying to solidify in this group; a fan of a unifying idea that allows for a variety of interpretations and implementations; what should be our cohesive model?
  • Joni: what do we think about this kind of basic architecture? would we benefit from an identification exercise of Kantara, recognizing not all components might fit and we may have to make adjustments? It might be useful to rein this in and find better, more efficient ways to move the space forward.  Are the three buckets Dazza described (business, technology, legal) sufficient? Where would international fit?
    • Sal: this would be a useful exercise
    • Colin: international is more like a vertical than a bucket
    • Andrew: we have to talk about aspects of "what" - for international question, what role does Kantara play in interfederation components between EU based and US based federations, for example
    • Dazza: intention was to look at business, legal, and technical dimensions for your normative work (IAF)
    • Joni: Kantara has policies, depends on ICAM for the technical profiles, so it has legal and technology via the trust framework authority (FICAM), so Kantara only has components of a complete trust framework
    • Tom: when you talk about disjointed components, even if the conclusion is that that is all Kantara wants to do, it would still be good to get some perspective on how those components fit into the larger picture; be explicit in what we are covering, what we are not covering, and at that point Kantara may decide to fill in the missing gaps or not; the clarity either way will be helpful
  • Joni: how do we operationalize this model to make it reach in to the work group? How should we start the process to see how we fit in those buckets?
    • Dazza: during next LC or F2F, set time aside to talk about this, start a dialogue around what a coherent, complete picture would look like to people trying to use these outputs; process should be driven by the use cases Kantara is attempting to support; start with a table of contents
    • Colin: wonder what we can do in the 4 weeks
    • Patrick: the level of maturity we have is beyond a level of initial discussion and this might take us backwards; we would need to get in to framework-mode fairly quickly and need to make sure it is clear this is not a greenfield discussion
    • Andrew: the richness of existing policy technology and standards that exist in Kantara is not particularly apparent in the published material, it is hard to do background research on the work products; maybe that's a gap the overarching framework that needs to be filled - the Kantara 101, history of legal and policy framework
      • Joni: sticking points seem to be for people to understand federation, conformance, assurance; there is a "ReadMe First"
      • AI: Joni to send Dazza an email to explain Kantara so he can forward it on to his most recent federation client and get some of the work done there around a framework model and share with Kantara

Consumer ID working group - is there work in this space for Kantara?

  • Bob: have heard that Europe is ahead of the US in terms of consumer identity, and if that's true it is because the gov't gives individuals card readers, but in either case, is this an area for Kantara? Has proposed to NSTIC that they consider consumer credentials and usability, but this doesn't seem to be an area of energy within Kantara
    • Patrick: does the work that Kantara is doing support usability? yes; are there other dimensions of usability that Kantara isn't considering? almost certainly; is there anything coming out of NSTIC that could spur activity in the Consumer ID WG?
    • Colin: No, too early. Perhaps in a year or more, but for now, no, there is nothing ready to come out of NSTIC to feed this space.
    • Bob: some of the other work, including pseudonymous credentials, is likely to go to the IAWG; third item was high assurance credentials
    • Colin: suggestion to continue consumer work within NSTIC and if the work cannot be done there, bring them back to Kantara

Next steps for Kantara members wrt Europe’s eID/Electronic Trust Regulation

Mark King gave a good talk at yesterday's eGov meeting about this topic. It might be interesting for stakeholders organized in Kantara to voice an opinion at the European Commission. A short and incomplete summary of Mark's talk is:
For some countries, in particular UK/US, there are 2 key problems:
- No provision if a country will not provide for a citizen register providing a unique identifier
- The goal of legal certainty is not useful for Common Law countries

Other issues should apply to other Member States as well:
- Lack of an open, transparent process with participation of experts before the consultation on the draft regulation;
- Clarification of liability limits and circumstances - the current draft neither limits nor scopes liability;
- Impact of interop requirements on existing infrastructure;
  • Patrick can be the champion to take this forward; add to next LC call for review

Kantara member panel topics for RSA (Feb 2013) and EIC (May 2013)

  • EIC: international standardization panel idea is good; thinking similar to the panel that Nat put together at the Cloud Identity Summit
    • Look at CIS 2012 for a list of names; Colin for something pan-Pacific, Ken Dagg for a North American perspective alternative from Jeremy Grant; Chris Ferguson or David Reny from the UK = comparison of national identity, commercial and public, compared from pan-Pacific, US, UK, and Canada; Leif for a Nordic approach
    • Patrick to suggest a few more names
    • HF to get a thread together and start coordination activities
    • Bring EIC back to the next Strategy call

Non-Person Entities - Device, Organisation and Software.  Implications of new ID standards and the need for certification/assurance against them.

Geo-authentication and trusted location services - UPRN (Unique Property Reference No) and LEI (Legal Entity Identifier).  LEI is mandated by the G20 for the finance sector.
