2015-01-06 eGov Meeting Minutes
Date and Time
Date: 6. January 2015
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
Roll Call
- Colin Wallis
- Rainer Hörbe
- Ken Dagg
- Keith Uber, GlobalSign/Ubisecure (Note taker)
1. Administration
Non-quorate call.
November minutes posted immediately prior to call, to be approved on next call.
Preparations for election
AP: Colin to send a request for nominations for leadership via email listserv.
Rainer, Colin and Keith all prepared to stand again for same positions.
Secret ballot method, same as last time.
2. NZ UMA Pilot
NZ government is doing a pilot for UMA (first government UMA case). ForgeRock implementation: OpenStack - OpenUMA
Use case: Delegated authority (For B2G)
Use case: Government director is the main holder of authority, but wants to delegate to a company financial controller to file tax returns. Replace paper-based process.
General discussion of current UMA implementations: CloudIdentity/Gluu/ForgeRock/Roland pydc library etc
Rainer: Is UMA secure enough for the government use case?
The difference between OAuth and OpenID Connect and SAML etc. is that the security model is based on HTTPS, not on signatures.
Not secure enough for all use cases.
Colin: For filing a tax return that is adequate.
Rainer: We have ultra-secure signature solutions (German MPA for example) that are so complicated that people use services to simplify the deployment which drop the security level back to HTTPS security level.
Keith: Are external tax agents, tax accountants and auditors considered, or is the delegation internal to the same company? Are third parties involved?
NZ Companies House / Companies register is third-party. NZ Companies register is only for limited liability companies, not for sole traders, not for partnerships, not for non-profits. Only limited liability companies have a company number, others don't. A lot of argument and debate on sole traders: whether they have a unique identity, privacy implications, even if the sole trader trades as "John Smith Plumbing". Interesting case for privacy commission officials.
Colin will let us know as the project goes ahead.
3. New work topic: Gathering of requirements for government acting as relying parties
Continued discussion from egov mailing list thread.
Ken: Some have clearly defined requirements:
InCommon, SAFE-BioPharma
UK has come up with some
USA has come up with some
6-10 clearly identified
We need to communicate to actors in eGov that we are taking on this piece of work. To welcome various governments to get on board. This should be a priority to do first. If there is no interest, the work is not worth taking on.
Colin: An example place to gain traction is O5. O5 has many allied nations (Mexico, Israel, Sweden). Identity summit that currently runs every 6 months.
Next one Jan 27-29 in Mexico City.
Could we send a message to take along and let them know?
2 days of government only discussion. 3rd day is Kantara led industry day.
D5 - Digital five has been formed in December. Hosted by UK.
Members from UK, NZ, Estonia, Israel and Republic of Korea. Expectation that other governments would join.
We need to get these representatives to understand the task at hand, and help contribute to the discussion.
On the mailing list a beginning list has been made.
AP: Keith to create a starting point wiki page to summarize and provide fill-in-the-blank spots for further contributions.
4. Conference Reports:
Rainer: EWTI - European Workshop on Trust and Identity http://identityworkshop.eu/ 3-4 Dec 2014
Session notes available at https://identityworkshop.eu/ewti2014/session_notes.pdf
60-65 registered participants, 2/3 were from Higher Ed. Timetabling close to year end not best
Lots of interesting topics:
"IDP of last resort" great topic
Informal problem statement was written about that to connect STORK, United ID, IDP for the homeless
Vectors of Trust discussion
JavaScript aspects: code is running in the browser, not on the server. These frameworks have problems using SAML.
Lots of technical recommendations about this. See item 7 in proceedings
David Simonsen from WAYF gave a great presentation on metrics about consent: "how many people drop off" when presented with consent dialogs
Provisioning of users at the relying party side. If SPML and SCIM don't work, what to do?
Privacy considerations when doing up front provisioning. Internet2 session also about similar topic.
Out of band provisioning using AWS message queue, non-standard implementation.
One guy from a company in Slovakia
Keith: Gartner IAM, Las Vegas, 2-4 Dec 2014
Close to 1400 attendees.
Interesting keynote by Jeremy Wiltz on FBI's next generation biometrics databases.
Very high-level.
David Pogue, funny
Brian Iverson, great fundamental presentations
Good eGov Case Study on DC One Card
AP: Keith to invite guest to present case study to egov group
Other
Rainer: Does anyone have any identity and open government data thoughts/experience/expertise?
Open Research Data "done a quick and incomplete analysis"
The problem is not the publication of data, but making it easy for data producers to upload and offer the data
Finnish/NZ approaches discussed.
Date and Time
Date: 2. February 2015
Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)
-------------------------------------------------------
To join the teleconference
-------------------------------------------------------
DIAL IN INFORMATION:
Skype: +99 051 000 000 481
Conference Id: 613-2898
US Dial-In: +1-805-309-2350
http://kantara.atlassian.net/wiki/display/GI/Telco+Bridge+Info