2014-06-02 eGov Meeting Minutes

1. Administration

5 participants - quorate

May minutes - Thomas moved, Denny second 

2. Update on WG Leadership eBallot 

eBallot has been done for the leadership election. The ballot closed last week, but we haven’t heard the announcement form the staff yet. We should hear back soon.

4. Conference Report Europe

Brief report back of Kantara European F2F, workshop and items of interest arising from the European Identity and Cloud Conference 2014 in Munich

Kantara European F2F: Most discussion was about the vision and mission, to make it slightly more commercially oriented. Presentation from the IoT DG, also F2F meeting of IoT DG.

Identity assurance and interoperability program updats.

Kantara pre-EIC Workshop: Good workshop - 50-60 people attended

Workshops running concurrently were: OpeniD Connect + OASIS Privacy + Kantara. Good panel of speakers (e.g. Andrea Servida eIDAS legislation team), interesting questions

EIC 2014: Thomas and Colin were at EIC2014

Conference theme - lots of IoT discussion, cloud security and compliance, cyber.. see agenda here.. http://www.id-conf.com/events/eic2014/agenda

Similar to previous years, many good presentations.

Presentations on encryption in the cloud / how American cloud providers offer 'EU friendly' cross border data exchange

UMA won an award - “2014 Innovation in Information Security award“. Several UMA presentations. Congrats to UMA WG!

5. Briefing from Hans Graux on the STORK related MOU.

Hans Graux, Lawyer in Brussels, working on projects for European Commission (EC) including STORK and Regulation on electronic ID and trust services

Memorandum of Understanding (MoU) was created for Stork project because of timing issues - pilots are about to go live, but no legal framework existed.

The final EU regulation text is undergoing technical corrections, could take months or even years.

There was no clear perspective on data quality, consent etc. "Legal vacuum"

Proposal was made about 18 months ago to create a contract to outline the responsibilities of parties.

A binding contract was rejected by most parties, because the process of getting signatures from everyone would be too slow or impossible.

MoU states the obligations that parties agree to respect, common practices for id and consent, especially data quality requirements.

MoU has been approved by all STORK parties.

MoU includes a Declaration of Accession.

59 parties involved in STORK, not all involved in identity infrastructure.

Only ID infrastructure partners need to file a declaration.

Intended to allow infrastructure to be operated with a relatively legal status, with the intention that this document will be replaced by the regulation when it is adopted.

 

Q. Keith: How long is the pilot?

Starts running in June and remain operational for one year.

What will happen after?

The regulation enters into force in Jan 2016 (current estimate).

The MoU could be extended even after the STORK2 project concludes.

 

Q. When you talk about the declaration, is it a contract?

It is not a contract, because in order to have legally binding commitments 

Declaration of succession. 1 or 2 pages to say that the partner has read and understood and strives to meet the agreed standards.

By definition non-binding. Best effort commitments.

 

Q. Keith: Are there penalties for non-compliance?

No. The regulation contains liability for IDPs. 

Original intention was to include similar language, but was rejected by project members.

Not mentioned: Appointing courts for cases of dispute

Nor mentioned: Applicable law  

This doesn’t technically mean that you can not ask for compensation if something goes wrong.

It would go back to member state laws.

MoU contains annex for Data protection compliance and End user consent 

Model terms and conditions (T&Cs) that the different nodes could use.

The SP Member state may choose to use the T&Cs of the MoU, which would be mean that a citizen using an Estonian node (even if the IDP and user is Portuguese) has recourse through the local laws in the jurisdiction of the SP.  However,  nodes do not need to use the model T&Cs of the MoU.

 

Q. Keith: What did you use as a base? Where did the document begin? 

Seeds began in STORK1, 2011.

Hans has been working on this topic since 2007. First templates done.

This work was reused for STORK project.

Mix of using existing and new. 

Important to members that this had been done before.

The MoU is 10-15 pages.

The text has not been published yet on the Stork website. All parties have reviewed it and accepted, but the “Declarations of Accession” have not yet been received.

 

Q. Thomas: How do see the relationship between the EU ID regulation and the Stork project? How much of STORK will be used as input.

One of the inputs for the MoU has been the regulation. 

We expect that at some point in the future, the MoU becomes obsolete and irrelevant, because the regulation will be in force.

Implementation references that are STORK specific will become a parallel “cooperation mechanism”.

Testing it and making sure it is fit for purpose.

 

Q. Thomas: Level of Assurance (LoA) is defined in the Regulation as Low, Substantial and High. It doesn’t define how to assess these levels. Could this be a place for Kantara Identity Assurance Framework?

The member states will ultimately make this decision. There are some differences 3 levels vs 4 (STORK)

STORK uses a lot of examples to make it understandable

The solution is to create an ISO 29115 compatible LoA to support interop outside of EU.

This is the most likely outcome and opinion of the team. The member states will ultimately make this decision.

6. AOB

None.