2021-10-05 Meeting notes

Date

Attendees

Regrets:

  • Mary Hodder
  • Catherine Schulten

Goals

  • Decide: Should we engage FTC with our ONC work?
  • Determine: Is there a Zero Trust Framework at Kantara? Should we work on one?
  • Discuss: How would an end user get data out of a Digital Wallet? Credential?

Meeting commenced at 1pm EDT

Discussion items

Time | Item | Who | Notes

25 min | FTC

1) Our ONC submittal pairing with FTC?... let's engage them!
      -  Privacy and securely sharing PHI. Part of the May Executive Order (EO)?

Jim spoke with Kat, who has a contact at FTC.

ONC is “frustrated” because they aren’t used to partnering with other agencies.

It may be worth exploring how to engage FTC with our ONC work.

FTC model is not based on Zero Trust. No definition of “compliance with the FTC rule”. Talking about criteria may get them interested in working with us.

EO assigns some work to three agencies. NIST, Commerce involved. FTC and a communications are part of Commerce. Align with zero trust. Kay is working on a contact at the FTC.

FTC involved in healthcare devices, communication of PHI. CURES Act says patient has the right to access and share their data not covered by HIPAA. FTC voted to enforce CURES Act.

Tom: Could be just sharing the proposal with FTC to see if they would fund it.

FIRE WG proposed one of two things: create list of criteria for establishing the fines and/or trust framework

Andrew: Is there a way to test our assumptions that FTC would be receptive?

Jeff: Would they accept a service provider who used our criteria (Kantara requirements)?

Andrew: Has ONC responded to our letter?

Jim: Not yet. Plans to make an introduction with Micky Tripathi and Kay. We have a connection with Micky. He knows our work. Catherine and Carmen at ONC are also well acquainted.

Sal: Can we contact FTC referencing the recent announcement? Andrew doesn’t think so. He suspects they already have lawyers working on the criteria. Andrew suggests finding policy orgs who work with FTC.

Division of Privacy and Identity Protection: https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection/our-divisions/division-privacy-and-identity

Right now only GSA is a member of Kantara (they have a need for our assurance project).

Other gov: NZ, Australia, parts of UK are “almost members”, and indirectly with Canada and others through consultants. Kantara Europe is domiciled in Estonia but we don’t have govt members in EU.

Bev: Daza Greenwood has some connections with FTC.

25 min | Trust Framework

2) Is there a functional Trust Framework? Show me!
      -  Zero Trust, a core building block or fad? Part of the EO!

Looking at who the end user (who is the perimeter) goes to for trust.

Zero Trust is a common thread among all of these items.

Andrew: Zero Trust doesn’t have to do with people. It is about the underlying technology. Tom says before anyone makes the connection, the site accessing the data should be made known to the user. A primary goal is to make sure the website is identified to the user, similar to mDL. 


10 min | Digital Wallet credential

3) Digital Wallet, how does a user extract or show a smart document? What a response might entail: (Zero Trust?) - https://tcwiki.azurewebsites.net/index.php?title=Presentation_from_a_Wallet

If you have a wallet and go to a relying party, one of the things they will ask for is an mDL.

Federation could work as a way for wallets and RPs to come to a common agreement about what they share. So how do you make a presentation to a requesting entity and how does the wallet answer back? Microsoft is working on it. Should Kantara have an opinion about it? If Kantara isn't interested, Tom will work with Microsoft on it.

Andrew: SC17 and OpenID foundation are discussing this. Tom: we would be creating profiles.

Andrew: How is this different from Privacy EMC? Tom is also working with them as an editor on this. But they aren’t working on interoperability.

Tom can also reach out to FTC in coordination with Jim Kragh and Kay Chopard.

Meeting adjourned at 2:05pm EDT

Action items