2022-10-26 Meeting notes

Owned by Heather Flanagan (Unlicensed)
Last updated: Nov 02, 2022
4 min read

Approved November 2, 2022

Date

Oct 26, 2022

Attendees

See the Participant roster

Voting (5 of 10 required for quorum)

Participant

Attending

Participant

Attending

1

Aronson, Marc

 

2

Davis, Peter

 

3

D'Agostino, Salvatore

Yes

4

Hodges, Gail

Yes

5

Hughes, Andrew

 

6

Jones, Thomas

Yes

7

Krishnaraj, Venkat

 

8

Thoma, Andreas

Yes

9

Williams, Christopher

 

10

Wunderlich, John

Yes

Non-Voting

Participant

Attending

Participant

Attending

1

Auld, Lorrayne

 

2

Balfanz, Dirk

 

3

Chaudhury, Atef

Yes

4

Brudnicki, David

 

5

Dutta, Tim

 

6

Flanagan, Heather

Yes

7

Fleenor, Judith

 

8

Glasscock, Amy

 

9

Gropper, Adrian

 

10

Hughes, Andrew

 

11

Jordaan, Loffie

 

12

LeVasseur, Lisa

 

13

Lopez, Cristina Timon

 

14

Snell, Oliver

 

15

Stowell, Therese

 

16

Tamanini, Greg

 

17

Vachino, Maria

 

18

Whysel, Noreen

 

19

Williams, Christopher

 

Other attendees

  •  

Goals

  • Check-in on work progress

  • Review draft outline and status of writing tasks

Discussion items (AKA Agenda)

Time

Item

Who

Notes

Time

Item

Who

Notes

  • Start the meeting.

  • Call to order.

  • Approve minute

  • Approve agenda

@John Wunderlich 

Called to order: 10:05 PT

Quorum achieved

Administrivia: Andrew Hughes, Christopher Williams will be dropped to non-voting status after this call

Minutes Approved:

  • Motion to approve: John Wunderlich; seconded by Gail Hodges; no objections

2022-10-12 Meeting notes

2022-10-19 Meeting notes - Draft

 

5 min.

Open Tasks Review

All

  • Gap analysis update: Also working on a spreadsheet grid to ensure that each actor has all 10 principles are addressed by at least one requirement

30 min.

Draft Report Discussion

@John Wunderlich 

Discussions

Report from Implementor’s Report sub-group

Draft Google Doc:Outline For Kantara PEMC

  • substantively complete

Notes:

Framing statement - Verifiers

  • In the intro example of the user, “Hope," there is a phrase about the biometric being retained on an ephemeral basis. Is the scope intended to define a mechanism for RPs to assert or certify that they have disposed of the photo biometrics? Curious about scope, viability and policing to realize that aspiration.

    • requirements will be listed as "MUSTs" - there will be a requirement that in an operational circumstance where the retention of biometrics is not legally required, there will be active notice etc etc etc. Next step after this is the creation of profiles for things like using mobile credentials in bars, in stores, etc. Some requirements won't apply to some profiles. The conformance tester against the profile will go in and do what auditors/assessors do.

    • we need to take into consideration the boundaries of what's achievable

  • Possibly that we're focused on the wrong thing. What can the user actually see and have promised? The example of Joe's Bar & Grill is not the verifier, it's Stripe. Part of this is to get them to say what they're doing and make it legally binding; that more than the technology is what is important to the user. Want to know if an org is keeping the data before I give it to them.

    • Building a set of requirements that build policy, intent, and procedures that enable what we want to see for the end user is what we have as our ultimate goal.

  • maybe we need an introduction at the beginning or risk factor at the end? What if we have a wallet provider that does not adhere to any of our requirements? Do we create the requirement that the wallet provider must signal what they do? What about the RP and what requirements are set to them?

    • testing and conformance are postponed for now; they come after we agree to the requirements.

  • in order not to be surprised, there has to be some sort of expectation. Unclear how the verifier gets introduced into the flow; we're already in collection at the point of the verifier. Perhaps reorder the framing statements? The verifier has to have an understanding of the risk they're taking on. Understanding that is something that happens earlier on in the process. Maybe "the verifier must determine the risk and collect"

Framing statement - Providers

  • for this and other aspects of the document, John may work on a RACI (Responsible, Accountable, Consulted, Informed) diagram

Holder

  • would be useful to have more in this document about the holder

Tasks

  • will start adding content so we can iterate and report back to the group, making sure everyone has an opportunity to chime in. Final version expected by end of November.

  • group is encouraged to comment!

 

5 min.

Requirements Review

@John Wunderlich

Pending



Other Business



Co-ordinating/planning PEMC/Kantara at IIW

  • goal to both update people on PEMC’s plans ask people for input on our work

  • planning on 1-2 sessions on the Tuesday/Wednesday of the unconference

  • Please note OpenID Foundation will have a workshop 1230-4pm Monday 11/14 before IIW. No cost, open to the public. We will have a listening session on the Government-issued credential Privacy whitepaper hosted by Heather Flanagan, as a precursor to IIW itself. Pre-registration link will be made available (and required).

Reminder: Seasonal clock skew has started; Daylight Saving Time ends in the UK/Europe on 31 October vs in the US on 6 November. Call times for the 2 November meeting may be different from what you expect.

 

Adjourn



13:51

Next meeting

Nov 2, 2022 

Action items