LC telecon Notes 2013-01-16 - Strategy Call

 

LC telecon 2013-01-16

Date and Time

Agenda

  1. Roll Call
  2. Discussion
    1. Business model exploration
  3. AOB
  4. Adjourn

Attendees

  • Eve Maler
  • Tom Smedinghoff
  • Myisha Frazier-McElveen
  • Colin Wallis
  • Allan Foster 
  • Patrick Curry 
  • Pete Palmer

Staff:

  • Heather Flanagan (scribe)
  • Andrew Hughes
  • Joni Brennan

Notes

See email thread on the LC: "[KI-LC] 2013 Roadmap ideas topic on the LC agenda.."

New ideas: training in the identity ecosystem might be an interesting business opportunity; Kantara to put on seminars? "Market Maker"; a project model or a subscription model?

  • In a market model, we can set the rules, and we can assist market participants in coming to the market; if we know of a large constituency that doesn't see the value today of exposing their consumers/citizens to this market, maybe our role is to consult with them to inform them and bring them in

There is a market perhaps more at the high LoA than the lower LoA, both for governments and for Kantara; as governments require higher levels of assurance, then we have a business opportunity to help the suppliers of those governments to be certified at those levels

Note that if Kantara is seen as the right hand of FICAM and tied so tightly to a government, then suppliers don't see a reason to do anything with Kantara

A good point, but if suppliers can work through brokers to get to government, what role does Kantara have at all?  We need a high security federation model in highly regulated supply chains

The use cases for assurance may not align well with what the government needs; LoA 1-4 is completely well backed by use cases that are government driven; there are some private sector use cases that can work with that tight progression, but most can't (i.e. strong correlation being more critical to private sector than verification); a huge market for "authentication 3, proofing 0"

That model, between social identity proofing space and the hardcore proofing, is the basis for a presentation Colin W will be doing

So, what does this mean for Kantara? Continue on the current path, or shift to a consumer view of the trust framework, splitting authN from the proofing?  Can socialness have a value and how do we offer services? While a certain vendor model might be terrible in one jurisdiction or sector, it might be perfectly reasonable elsewhere - Kantara shouldn't make that call

In our discussion, we're segmenting the marketplace, and the characteristics of each part are different as are the opportunities; Kantara is in 1 or 2 places at the moment, but not everywhere, so we can cherry pick in the others so we can more easily integrate and operationalize the work; we want to be most impactful with the least expenditure of resources

The rigidness of LoA 1-4 may not even work for governments; they are just told they have to fit

Problem is that when talking about suppliers and governments, for interoperability purposes we need to have as few options as possible; look at this from the perspective of a company and what they have to pay to be in compliance; follow the money

Are we resource constrained enough to have to focus on only one end of this continuum, or can we focus on two? There is no one-size-fits-all here. Can we afford not to?

Maybe there is a business model for innovating here, outside the strict LoA?

Levels 1 and 4 seem fairly clear, but it gets grey as people look for some kind of gradient between 2 and 3; the IAF has tried to account for some of that need, but if we don't have real requirements driving it, it makes it hard to build a business model and a framework out of it

The mandate of Kantara focusing on Community, like the Cloud Space or something, and we are looking for places where trust is essential

Can we coordinate which sectors we are exploring to maximize our investment of time?

Short term: industry standard certification in the UK

Eventually we're going to have to circle around to submit the SAC to ISO; but perhaps ISO is not in a position to recognize the SAC?

Europe has no Assurance Assessment Criteria; so this is a potential big space; we would need to create an extension for the European space

Patrick to draft an email describing what something could look like from a non-government point of view

Ask Eve to write up something similar for the social space

Trusted Platform computing is set out to publish a module involving device authentication, particularly at low LoA; when that spec comes out, it is being discussed that there is no certification model for operators at the end point; maybe this area could be a business opportunity space for us as well? This could impact all the mobile providers as well as leading into the health care space. Let's reach out to the telcos to get them to provide assessment criteria use cases; this could also be discussed with TechAmerica

  • is this market around the assessors or the consumers here? Both markets

Concern is that our core business is not creating the awareness and understanding needed in the market place to create a client base; our core business is the certification and assessment

New Action Items

Action | Assigned To | Description | Comments

Next meeting

Date: Wednesday, 23 January 2013 - Admin Call

Time: 13:00 PT | 16:00 ET | 21:00 UTC

Call-in toll-free number: 1-866-203-0920

Call-in number: 1-206-445-0056

  • Conference Code: 5423695925#
