2015-03-02 eGov Meeting Notes

1. Roll call

Angela Rey
Colin Wallis
Ken Dagg
Rainer Hörbe (note taker)

2. Approve minutes of previous meeting
Postponed, not quorate

3. Work item "Gathering of requirements for government acting as relying parties"
Colin collected raw input from several sources (InCommon Federation Operation Procedures, Safe Biopharma, NZ RealMe MoU between IDP and RP).

Question: What is the scope of the CoP? Whose risk is mitigated?
Rainer: Under EU law, the RP is in any case obliged by privacy law's purpose limitation and due care to protect the data received in assertions from the IDP.
Ken: There are jurisdictions that may not have that legal basis, like the US. The CoP would be cross-jurisdictional. It shall be complementary to the IAF, which covers the RP's risk towards the IDP.

Possible use cases:
- A government employee using a PIV card to access a commercial service
- A citizen using a banking credential to access a public sector service
- Other cross-sector scenarios

Terena/REFEDS prepared a data protection (DP) code of conduct that is very similar to this problem description:
https://wiki.refeds.org/display/CODE/Data+Protection+Code+of+Conduct+Home
This CoC is currently effective under EU law, but REFEDS are looking into expanding its scope. There could be a potential for cooperation.

Possible definition of scope:
The CoP for RPs regulates the processing and use of assertions consumed by the RP across jurisdictions.

T.b.d.: Security requirements on RP applications, e.g. XSS protection or TLS quality? Is the CoP itself contractually binding, or are documents based on it?

4. Reports from recent conferences
none

5. AOB
Rainer: Would like to update the WG's work from 2013 on privacy-enhanced federation models. Will put this on the agenda for the next meeting.