Kantara Initiative Privacy & Public Policy Teleconference

Date and Time

Date: Thursday, Aug. 6, 2009
Time: 8:00 PDT |11:00 EDT |15:00 UTC

Meeting Minute Status

Working Draft

This page is a Working Draft subject to further revision and has not yet been approved by the Privacy & Public Policy Work Group.

Attendees

J. Trent Adams
Patrick Curry
Britta Glade
Ian Glazer
Iain Henderson
Susan Landau
Georgia Marsh
Brett McDowell
Bob Pinheiro
Darrell Shull
Toby Stevens
Jeff Stollmann
Edgar Whitley
Robin Wilton

Apologies

Louise Bennett
Toshihiro Suzuki

Comments

RW - (1) Invited members to submit nominations for the posts of P3WG Chair and Vice chair (see actions, below)

PC - gave summary of last week's meetings with various US Govt bodies; general focus on high-assurance identity for USG employees (as opposed to citizen ID, e-gov access etc): however, it is appropriate for P3WG's overall strategy to be able to accommodate these use-cases as well.

Noted that ICAM co-chairs (Judith Spencer and Paul Grant) tend to focus on LoA=3 identities and higher, whereas David Temoshok's focus would be at the LoA=1, LoA=2 levels.

GM - noted that a previous assessment classified some 60% of USG applications as being in the LoA=1, LoA=2 categories.

[In general, I suggest we should seek to make sure the PIV and PIV-I strategies are clearly understandable to P3WG, including areas in which those strategies may intersect with non-US implementations 1,2 ]

PC - Suggested the development of an identity assurance/authentication framework which caters for the viewpoints of Government, Citizen and Regulated Industry stakeholders.

Discussion of 10 Aug Workshop (ICAM, Washington DC)

BM - Scope of meeting is specifically "USG <-> Privacy Advocates", to discuss e-authentication based on Government application consumption of LoA=1 consumer authentication artifacts from. eg. OpenID, InfoCard and InCommon, and to discuss the role of Trust Framework Providers 2

Suggested questions to raise:

what measures does the strategy include to ensure that the goals of citizens/users are met, as well as those of government and public sector service providers?

has correlation and its possible effect on user privacy been considered in the formulation of strategy? NB - a single service might be considered to have a 'low' privacy impact, but if its use can be correlated with access to other services (for instance, through use of the same e-authentication method) the over-all privacy impact may well be higher.

has the USG classification of applications (according to appropriate LoA) been reviewed recently to take account of technical developments, changes in application and/or delivery channel (e.g. mobile access, PKI applicability etc)?

"scope and mission creep": if the strategy is to "segment" applications according to LoA/authentication type, what plans are there for handling cases where i) the LoA pre-requisite of an application changes over time; ii) pressure grows to use a deployed 'low-assurance' credential for access to a 'medium-assurance' service rather than incur the expense of re-working for 'medium-assurance' credentials?

Closed actions from previous call:

RW, IG to arrange meeting with US VISIT program CPO at Burton Catalyst - DONE.

Actions

(1) PC to help P3WG engage with policy-maker community - ONGOING (with RW apologies for late distribution of previous action items)

(2) Call for nominations to the posts of P3WG Chair and Vice Chair. - ONGOING

First stage: nominations (staff at kantarainitiative dot org)
Second stage: secret ballot (process to be determined)

(3) RW to invite Paul Hasson (CPO - US Visit) to participate in P3WG and report status.

(4) RW to post draft of "Privacy Assurance Module" concept for Identity Assurance schemes.

Document references:

USG ICAM page, including documents on Trust Framework Providers and Identity Scheme Adoption http://www.idmanagement.gov/drilldown.cfm?action=privacy_workshop
White House/OMB memorandum M-0404 (Levels of Assurance) http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf

Next Meeting

Date: Thursday, Aug. 20, 2009
Time: 8:00 PDT | 11:00 EDT | 15:00 UTC (Time Chart)
Dial-in details:
US/Canada toll-free number: 1.866.305.1460
Direct dial (toll) number: +1.416.620.1296
Attendee Code: 9247530
International toll-free numbers:
o UK: 0800 917 5847
o Netherlands: 08002659007
o Belgium: 080079491
o Japan: 00531160345
These toll-free numbers are generously provided by BIPAC.

Browser not supported