2014-10-06 eGov Meeting Minutes

1. Administration

5 participants - quorate

August minutes - Denny moved, Colin seconded

2. Event Report: ISOC Interfederation and Attributes Harmonization Workshop, Utrecht, The Netherlands

Report by Colin

Kantara joint IDoT, UMA, Consent and Information Sharing Workshop, Utrecht.

https://tid.isoc.org/confluence/display/interfedgen/

Meeting was run by Internet Society.
Split into 3 parts - interfederation, attributes, Kantara Workshop.
Kantara workshop - bringing together IoT, UMA, Consent and Information Sharing Groups, all which use attributes heavily
Each group presented to try to find a common ground.
Colin has a trip report, which he is happy to share with the list. See that for summary of discussion and relevant links.

Waiting on Joni to give a report on the workshop itself.
A wiki has been set up by ISOC, with extensive series of notes. See link above

Workshop was invitation only - government and academia. About 50 people took part.

Common question: Why is it that governments ignore academic federations, don’t connect with them, don’t promote them?

The basic conclusions because government was doing more transactions, they need/want higher level of assurances than what the academic federations can offer.

Colin: Why is this?
Denny: Universities refuse to use standard LoAs, instead use “Gold, Silver and Bronze authentication packages”

Issue of standard mismatch - Silver equates to about 2.5, and Bronze to 1.5. Not following the standard NIST 800-63 levels.

Main Interfed Theme: “Vectors of trust” - A discussion on alternative approaches to mitigate risk than NIST 800-63 LoA.
Colin will send the link to the mailing list and circulate the discussion on “Vectors of Trust” (author Justin Richer, Mitre)

Ken: IAWG has been discussing cross certification of various federations. Ken is following the discussions and will report.

Attributes:
Number of different presentations
Ken Klingenstein summarized the landscape well.
Attributes in Motion WG material has been used in OIX attribute exchange working group
One NSTIC pilot was on attribute exchange.
Discussed semantics, formats of attributes, Consent/Information sharing
It was left open as to what was best approach
From previous meetings, Leif Johansson had created a global IANA attribute registry for recording URNs for LOAs

UMA:
Several presentations
4 UMA use case examples shown
These included CloudIdentity (UK), Health related patient record use case and Dutch company that had used UMA for access to student work

IdoT:

Mark Lizar from InfoSharing WG and others did presentations.

Kantara is now trying to streamline the number of WGs and DGs to help improive co-ordination and synergy. Being discussed in BoT and Leadership Council.(See #4 below)

3. Your eGov identity topics are welcome

Denmark:

Thomas is assisting Danish Government with the eIDAS regulation - now that the laws have been passed.
Acts on LoAs are being operationalised, but many unanswered questions need cross MS working group meetings.
Attribute sets for Natural persons and Legal persons
Enabling the Act for interoperability, in early stages now

Colin: Operationalizing the eIDAS - PLease recall that Hans Graux presented earlier to the eGov group (June?).

NZ:

Looking for best practice exemplars for public service employee federated IAM, leveraging existing agency IAM infrastructure 

NZ has examined the Dutch implementation.

Discussion on government budgets and implemention costs, ROI calculations and project justification.

NZ has 23000 verified identities done to date (verified identity and verified address) on its RealMe service.

NZ Banks are lining up to integrate so they can consume the Identity Verification service to satisfy AML/CFT regs for opening bank accounts.

NZ is doing more development on access control and delegation. Looking for best practice, exemplars, delegation
Example use case: For a company that has been created in the company register - Director defined, Director delegates responsibility to the Company Secretary to deal with the Tax Dept for company tax matters.
Right now, NZ has only a manual system for doing that.

Ken: Industry Canada - Register of Incorporated Businesses. Check with TBS folks for more detail.

Thomas: Same concepts available in Denmark

Keith: Finnish KATSO system is equivalent, cross organizational delegation. Well documented, presented at EIC.

EU might be looking at eIDAS for cross border use cases.

4. Kantara: Reorganization or affiliations between Kantara work groups

Comments welcome on: specific groups to converge, groups to "affiliate" under themes, both convergence and themes "affiliation"

Two affiliations have been identified:
1) Connected Life
2) Trusted services

Strawman available for comment. 
- https://kantarainitiative.org/confluence/x/RQAxB The page is very much a DRAFT.  

eGov would be closer to Identity Assurance WG / Health Identity Assurance
Risk of a group doing tasks which take away from what another group is doing.

There is now time to think about the proposal.

Going forward, the eGov group would be additionally tasked with giving a global view on the Service Assessment criteria, while continuing with cross fertilization of ideas, to make sure all of the groups are contributing to the same goals.

Eg. eGov topics could be an agenda item on IAWG calls (e.g. every second week)

Board of Trustees is also looking at possible changes to By Laws and operating procedures... e.g. Currently, you can lead a group, but not be a member of Kantara...and it is possible to be on the LC but not be a member.