eGov Meeting - 2009-09-15


Kantara Initiative Face-to-Face eGovernment Working Group Meeting in Las Vegas

Date and Time

  • Date: Tuesday + Wednesday, September 14+15, 2009
  • Time: 2:00 PDT | 5:00 EDT | 8:00 UTC

Meeting Minute Status

Working Draft

This page is a Working Draft subject to further revision and has not yet been approved by the Kantara Initiative eGovernment Working Group

Attendees

  • Shin Adachi
  • Yoshihiro Satoh
  • David Temoshok
  • Robin Wilton
  • Lena Kannappan
  • Scott Cantor
  • Bob Morgan
  • Kyle Meadors
  • Herve Leger
  • Paul Madsen
  • Conor Cahill
  • Fulup Ar Foll
  • Jeff Stollman
  • Colin Wallis

Apologies

  • via telephone: Soren Peter Nielsen & Thomas Gundel, Danish Government

Agenda

1) PR meeting outreach and membership

2) Work items: next steps on

  • eGov profile of SAML web SSO profile v2
  • eGov Profile of ID-WSF
  • eGov Profile of InfoCard (IC)?
  • eGov Profile of OpenID (OID)?

3) AOB

  • Multilateral WG tracking, on common issues such as LoA

Minutes

(1)      GPA signing:

The GPA agreement for the eGov WG was signed by individuals who had not yet agreed to it online or signed it in any other form.

(2)      Summary of Discussion at the first session, 1300-1435 on Tuesday, September 15, 2009, PDT

Discussion ensued on the agenda items, with some brainstorming and Q and A, covering a variety of topics:

2.1   Description of the OID/IC profile advanced by the ICAM program of the US Government:

OID and IC take a different authentication approach and scheme from SAML, and differ from each other as well. GSA confirms that each technology meets its criteria. In terms of conformance, GSA closed acceptance of new products for testing a year ago for organizational funding reasons. Liberty Interoperable (LCRT) is still a prerequisite set by the US GSA for SAML 2.0; OID and IC do not yet have an equivalent process.

2.2   OID/IC testing and conformance discussion:

There are different types of testing. Conformance/metric interop testing for SAML is different from the processes and protocols used to support a trusted assertion from an Identity Provider under the other schemes. Kantara has applied to the GSA to be a Trust Framework Provider: see

http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV

…along with OID, IC and Internet2. The Trust Framework Providers certify Identity Providers under one of the schemes for a given LoA. Approved schemes do not have to be interoperable. If an end user would like to use a specific scheme, then GSA needs to provide for it (within the constraints of security, assurance, etc.).

Action 2009-09-15-1: GSA agrees to develop a table to identify relationships and gaps among the assurance profiles (of the schemes approved/adopted), covering the various protocols, conformance bodies, etc.

The current three components are SAML, X.509 and smartcards. Other schemes/protocols demanded by customers/agencies, which the GSA is directed to adopt, include OID and IC.

Assurance testing must be distinguished from implementation testing.

Regarding implementation testing, a view was expressed that the IC code has shortcomings that are not easily resolved. Testing will be necessary to confirm whether it works as it is supposed to. What information is to be disclosed to each citizen also needs to be considered, and this varies across jurisdictions due to laws, culture and user experience.

There is no incentive to meet implementation/conformance tests for OID and IC until Government requests them for ‘products’. This will be a problem for OID, as there is usually no ‘vendor’ to implement and ship ‘products’; this is especially the case with OpenID. IC needs metadata!

Action 2009-09-15-2: Kantara eGov WG to approach OSIS to ask if it is interested in entertaining IOP testing for OID and IC.

2.3   Developing internationalized profiles of OID and IC discussion:

The profiles mentioned above are written from the perspective of the US government/GSA only. It was suggested that Kantara provide comments on the profiles adopted by the GSA for OID and IC, specifically on items that could prevent internationalization. This would bring the OID and IC profiles into line, process-wise, with the current process for SAML.

Action 2009-09-15-3: The eGov WG to facilitate commentary on the OID and IC profiles from an international perspective.

2.4   Discussion on a v2.0 version of the eGov profile of SAML 2.0

Agreed that the biggest issue in the current v1.5 is the lack of metadata guidance. PKI methods, signatures and algorithms (behaviour) are outside of SAML, but were agreed to be critical for interop. Usability, e.g. how is IdP discovery to be dealt with? Replace ?????? with a Discovery Model. Metadata considered for inclusion: RoleDescriptor, AuthnAuthorityDescriptor, PDF Descriptor??, AffiliationDescriptor. Drummond Group would like feedback/input on next steps and on what should be in the next version. GSA suggested involving the DoD Defense Manpower Data Center (centred in Monterey, CA and Arlington, VA), which is responsible for IdM deployment, for additional feedback/input. Revision work would begin around November, to be complete by May 2010 in time for the summer test round.

Action 2009-09-15-4: All members to provide feedback/input for the next revision.

(3)      Summary of Discussion at the second session 1715- on Tuesday September 15, 2009, PDT

3.1   Discussion on eGov Profile of ID-WSF

There are few known preceding examples or practical implementations (only the Centre for Registrations in the Norwegian government, which currently does not engage, and the customized Lasso implementation for the French government, and Lasso is expected not to be disposed to releasing its IP). Denmark has the ID-WSF to WS-Trust interface work from its health sector. The NZ government did some very exploratory work with the Java implementation of ID-WSF, but could not make it work, due to the need for a consent service to allow users to consent in-band to the release of their attributes.

Some work is needed to qualify governments’ incentive to use ID-WSF, scope the different requirements, etc. Is there sufficient interest/incentive to proceed with it as a work item for 2009/10? Member confirmation is needed.

3.2  Further discussion on Multilateral WG tracking on such issues as LoA

Action 2009-09-15-5: Request the Leadership Council to find a way to have multiple WGs communicate on shared interests and topics.

(4)      Sync up with ID-WSF evolution 0945 Wednesday, September 16, 2009, PDT

4.1  Colin briefed Soren Peter on previous day’s discussions and repeated discussions from the floor (teleconference problems).

4.2  Colin summarized the proposed 2010 budget for eGov to the LC ($$ for the SAML eGov profile and the OID and IC profiles, and a small $ amount for capturing the requirements gathered to date into the ID-WSF eGov Profile). Paul Madsen clarified that it was not yet approved by the Board of Trustees.

 

4.3  David summarized yesterday’s notion of a chart/table showing protocols, associated with criteria such as levels of assurance, to try to get a cross-protocol picture of the commonalities/gaps.  Could ID-WSF be added to that?

Paul mentioned SAML already has a chart/table similar to this that could be potentially leveraged.

Scott clarified that there is an ICAM document for OID for level one assurance, but no comparable ICAM document for SAML or ID-WSF. An open question was raised as to who would be motivated to do that work, or to do it for ID-WSF. What exactly would ‘acceptance’ mean now, given SAML’s long association with the GSA in terms of vendor compliance? What more could be articulated? Incentives for Kantara to proceed with the ICAM process for SAML 2.0 and the ID-WSF eGov Profile are not clear enough. Scott said the scheme from Kantara would not be the scheme, rather the basis of the scheme(s). Soren Peter acknowledged that neither the ID-WSF issues nor OID and IC adoption were urgent for Denmark.

4.4 ID-WSF eGov Profile priority for development discussion.

The ID-WSF/WS-Trust interface project in the Danish health system, referenced as one of the few ID-WSF eGov deployments, consisted of some mixed pieces of work on privacy deployment for the health system only. Regarding the ID-WSF/WS-Trust work, Soren Peter is taking a wait-and-see approach as to whether there is enough demand to get resources to continue it or to get an SDO to publish it.

Soren Peter does not have a great use for an eGov profile of ID-WSF, rather needs additional feature(s) for stronger privacy protection.

Paul suggested that eGov make that a use case for consideration, to start exploring whether the ID-WSF Interaction Service can resolve the issue.

Action 2009-09-16-6: Use the ID-WSF work from the Danish health system as the use case for consideration, to start exploring whether the ID-WSF Interaction Service can resolve the issue.

Soren Peter mentioned a generally high interest in the move by the US Government to adopt OpenID for Level One. The Government of Denmark has not directed him to follow that move yet. Denmark would proceed to deploy the SAML-based service first and, if there is a need, may then consider it, but expects security constraints.

Action 2009-09-16-7: eGov to develop an MRD or similar to submit to ID-WSF evolve, due May 2010.

(5)      Sync up with the P3P WG, 1530 Wednesday, September 16, 2009, PDT

6.1: Discussion on the need for Use Cases to be shared/common across all WGs

This is to include issues like LoAs. The use case is to be complex enough to reflect, or to be extensible to reflect, all WG issues. Examples: buying a car, a health ER visit out of state. A narrative would be used to describe the scenarios, which can then be broken down into use cases split by Actors, Actions and Data.

Action 2009-09-16-8: Robin to supply a link to the FIDIS Identity Revolution use cases.

From a P3P WG perspective, the process and data that should be used should be paramount. Take the use cases/processes/data out of regulatory control. Select data that complies with best practice around: minimal, least invasive, data passively collected vs. actively disclosed, data that offers a high level of assurance. An example of data passively collected is cellphone numbers tracked/mapped to cell sites, so that, say, an insurance company knows where a person is going and can dynamically determine a change in risk profile. An example of active disclosure is a collection of wants and wishes.

6.2: Discussion on the need for/use of common terminology

Jeff called for eGov WG support for the need to develop a common terminology in Kantara WGs (using some existing repository as a base such as the LAP Glossary and ITU’s IdM Def).

6.3: Discussion on potential members to target.

Action 2009-09-16-9: swap contacts:

P3P WG to eGov WG: EC contacts: Katerina de Brises, Beth Morrow, Sverre Bauck (FEIDE/Uninett/Norginet?), Rheinhardt Posche, Aniyan Varghese (DG hosting the STORK project), Dierk van Rooy  (OECD, Tronheim), Dr Bolgais EU commissioner – use UK and DK as a way in?, UK Gov gateway contacts Jim Purvis working for Chris Haine (now at DWP), the all party privacy group Privacy International (Simon Davis), John Suffolk (UK Gov CIO), William Heath (co-founder of Mydex), UK Information Commissioners Office (Christopher Graham), Conn Crawford (again!) doing trusted computing in the Sunderland area.

eGov WG to P3P WG: Lindy Siegert (NZ), Jan Schallaboek (DE)    

Next Meeting Date and Time

Next Meeting Date: Wednesday, October 7, 2009

  • Time: 12:30 PDT | 15:30 EDT | 19:30 UTC (Time Chart)
  • Skype: ++9900827044630912
  • US Dial-In: +1-201-793-9022 | Room Code: 4630912