2014-05-05 eGov Meeting Minutes

1. Administration

5 participants - quorate

March minutes - Colin moved, Keith second

Ballot process - Vote process was forgotten and must be done by email private ballot. See coming announcement and instructions via the mailing list.

2. Discussion

On the REFEDS list has been interesting discussion about how IDPs and SPs establish trust

LoA seen by the UK government in relation to low, substantial and high is equivalent to a legal pre-requisite

Civil law - substantial is enough
Criminal law - needs high assurance

Discussion about the new EU data protection legislation - greater risk assessment in regard to privacy.

EU process is finishing the electronic ID in trust services legislation and plan to put it through before the elections in May.
The goal is to create interoperability and recognition across IT services across the EU. They can notify the commission of a
national IT solution and must declare an assurance level.
Three levels proposed are low, substantial and high.
They haven't defined how to map the local solutions to these levels.
They haven't decided whether to adopt the Stork scheme or ISO 29105.
Why not using the Kantara scheme? Why are they defining a new framework, when
they have one that they could reuse.
QA is on the Stork home page, similar to 800-63.
The IU standard has also been referenced. Kantara has not been referenced.
Rainer: The EU don't have any service assessment criteria.
There is a political reason behind this - when mentioning Kantara they do not want to listen.
Is it because it isn't a treaty organization? Because it is an SDO?
Maybe because Kantara is registered in the USA?

The standardization body working for the Dutch government has referenced Kantara eGov and FIWG work.

The Dutch profile is called eHerkenning. eGov profile compatible.
There is already one European assessor for the IOC, Europoint.

Existing Danish federations have been built with Kantara IAF in mind.

Thomas:
The current version of the Stork quality assurance has raised criticism, critique and feedback.

FICAM uses for the US government
Credential service providers approved by US government for government agencies
LOA1 - OIX, Kantara, Incommon, Safe biopharma , which all have slightly different profiles.
LOA2 - Kantara
LOA3 - (non.crypto) - Kantara
LOA3 crypto - PKI Bridge
LOA4 - PKI Bridge

US, Canada and Denmark are the current jurisdictions following the Kantara IAF.

AP: Colin will find the contact at Europoint to encourage them to participate.

Thomas: They want to reserve the LOA4 for devices compatibility with qualified certificates for the European Directive on Electronic Signatures. Which would mean one technical credential across Europe.

Colin: Is it because Kantara has not gone to LOA3 Crypto and LOA4 levels?
Rainer: The Kantara Service Assessment Criteria does support extensively LOA3 Crypto and LOA4 but has
not been approved in the USA.

Rainer: 99.5 percent of the service assessment criteria could be used as is.

Colin: If signatures is the only solution, it blows away the principal of proportionality - such as applying for a library card would require LOA4.

Rainer: Austrian eHealth law require qualified signature for sensitive data.

Thomas: It's up to the service provider to select the minimum level of assurance. If an Austrian
SP requires qualified certificate credentials, no Danish citizen could use the service, as
there is no credential at that level.

Even though we want to create interoperable ID, we have different legislation at the
country level. Interoperable IDs is only a little part of the solution.
Other things, such as legal frameworks need to be interoperable.

Rainer: Plans to talk to Joni about adapting or reusing the IAF, particularly the SAC for private sector work. To discuss IPR issues.
European plenary will be a good place to discuss that.

The SAC as they stand, could not be used, because we don't have such a thing as a legal name and a legal address in the EU.

The SAC for Level 1-3 has been translated to German.

Canada has given notice that a profile of the SAC would be required.
Recommendation is that the first release is a USA profile, and profiles made after that.

One of the first jobs that Europe will have to do is to look at all of the likely services
and transactions and consider what risk category they would be put in.

NZ has a service risk category for each agency service. Levels 1,2,3,4
One problem is that one agency thinks that a service from them, for example benefit payment,
is a service risk category 3. However another agency that gives money for a student loan ranks itself as a level 2.
Very difficult process, many different parties, different perspectives.

To make a coherent combined service, that consists of services from various agencies, requires
that they have a suitable alignment level on risk. There is always a pressure to go down on
risk category (accept more risk), because it is cheaper.
If one is at LoA3 and one LoA2, the push is downwards to LoA2. It is a compromise, one
service may have to introduce extra checks to satisfy their own risk management needs.
Student loans operated by social welfare and inland revenue, who do tax collection.
Service related to tax profile of user.
Before the services go live, they agree with the other party about what the level of assurance
will be and what the token assurance levels would be.

Mailing list discussion:
- Identity proofing LOA (NZ degree of confidence)
- Token level of assurance
- IAL identity assurance level

Use case examples (token/id binding):
Experian is a credit checking agency but doesn't issue tokens.
Symantec is a token issuer but doesn't verify identity.

Rainer: It doesn't make sense to measure both token level of assurance. If the identity has been strongly proofed, but the credential is a weakly managed username/password this doesn't work.

Colin: In the USA, the concepts are separated and then bound together.

Country reports:
NZ has been working on RealMe and now has a funding issue because it is election year.
Colin wrote a paper proposing the platform as a national paper that the private sector could also
use. So small businesses could get access to this.
Multi-sided markets, macro-economic theory.
Report was favorably received, praised for innovation.