2023-04-05 Meeting notes

Draft


Date: Apr 5, 2023

Attendees

See the Participant roster

Voting (6 of 10 required for quorum)

   #   Participant                            Attending
   1   Aronson, Marc                          Yes
   2   Chaudhury, Atef / Krishnaraj, Venkat   Yes
   3   Davis, Peter
   4   Dowtin, Jazzmine                       Yes
   5   D'Agostino, Salvatore                  Yes
   6   Hodges, Gail
   7   Jones, Thomas
   8   Thoma, Andreas                         Yes
   9   Wunderlich, John                       Yes
  10   Williams, Christopher                  Yes

Non-Voting

   #   Participant             Attending
   1   Auld, Lorrayne
   2   Balfanz, Dirk
   3   Brudnicki, David
   4   Dutta, Tim
   5   Flanagan, Heather       Yes
   6   Fleenor, Judith
   7   Glasscock, Amy
   8   Gropper, Adrian
   9   Hughes, Andrew
  10   Jordaan, Loffie         Yes
  11   LeVasseur, Lisa
  12   Lopez, Cristina Timon
  13   Snell, Oliver
  14   Stowell, Therese
  15   Tamanini, Greg
  16   Vachino, Maria
  17   Whysel, Noreen

Goals

  • Check-in on work progress

  • Review draft outline and status of writing tasks

Discussion items (AKA Agenda)

Time / Item / Who / Notes

5 min.: Start the meeting (@John Wunderlich)

  • Call to order.

  • Approve minutes

  • Approve agenda

Called to order: 13:04 ET

Quorum reached: Yes

Minutes approved: https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/168427549

0 min.: Open Tasks Review (All)

10 min.: Government-issued Digital Credentials and the Privacy Landscape - whitepaper (@Heather Flanagan (Unlicensed))

The Government-Issued Digital Credentials and the Privacy Landscape whitepaper starts its public comment period today. The comment period closes on April 24.

  • Will discuss at the OpenID Foundation Workshop on 17 April 2023 (please register!)

  • Will present on the recommendations at EIC and Identiverse

45 min.: Draft Report (@John Wunderlich)

Question of “implied consent” in the Draft report: Google doc

  • This is a very difficult topic that is used in various ways in different jurisdictions. We need to be clear as to what definition we’re using in this paper.

    • Is this defined in any international standards? Not so far as anyone on the call knows. It is, however, regularly used operationally.

    • Are we talking about implied consent, or implied notice? Perhaps consent must be intentional; implied consent is logically an implied notice.

    • Circle of care is an example where submitting/requesting health care is consent and implied notice exists.

    • Maybe it would make more sense to talk about this re: PEMC, as consent requires intentionality on the part of the person who is providing the consent; that intentionality can be drawn from an explicit action or from the context established by an implied notice. There is sufficient understanding relative to the risk. GDPR-style: an entity that’s processing the info about a person has to have the authority to do that; one such authority is consent. The authorities aren’t in priority order; none is superior to another. Authority can also come from more than one place.

      • If you have multiple sources, you have to decide what to do if one contradicts another. Does one supersede another? This implies the hierarchy we wanted to avoid.

      • If the person says no and the processing happens anyway, then that makes consent irrelevant because it is not respected.

    • In the definition table, we recognize the phrase is used in places, but we are not going to use it and instead stick with the more formal notice and consent.

    • Unclear how this might impact notaries.

    • For government use cases, there is a lot of informing going on.

    • For commercial wallets/credentials, there is some level of user consent that will be recorded (maybe one-time, or every time). Re: how the verifier does their job, it will come down to how we define implied consent. Having just one definition of consent (rather than implied vs. explicit) would make life easier and be less open to interpretation.

  • Purpose Legitimacy and Specification

    • Updated with revised text

    • Can we be more clear about the definition of terms and exactly how verification will happen? What does it mean for something to be valid or validated? How is the space defined as “safe”? A definition, yes, but exactly how verification/validation will happen is a bit more tricky. The technical description of how verification/validation will happen needs to be specified in the technical specifications themselves. We do want to do something to make sure that entities are following the right guidance and possibly signal what they’re doing, or that they’ve been certified as doing it correctly (e.g., the “blue check”).

      • This group will write a set of requirements around privacy that an auditor would be able to measure and offer a stamp of approval (the same way Kantara handles 800-63 requirements). It’s beyond the scope of this draft, but is something that can be included for clarity.

  • Will pick up at Purpose Limitation again next week to wrap up the language.

5 min.: Other Business

  • IIW Planning

Adjourn

Next meeting: Apr 12, 2023

Action items