P3WG Meeting Minutes 2012-10-18

P3WG Plenary Meeting 18 October 2012

Date and Time

  • Date: Thursday, 18 October 2012
  • Time: 08:00 PT | 11:00 ET | 15:00 UTC (time chart)
  • Dial in info:
    Skype: +99051000000481 North American Dial-In: +1-805-309-2350
    Conference ID: 402-2737

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes for approval
      1. P3WG Meeting Minutes 2012-10-04
  2. Discussion
    1. Privacy Assessment Criteria
    2. Document Editor
      1. Appreciation for Ann Geyer and her role as editor.
    3. Call for new Editor.
  3. AOB
    1. Face to face meeting in Washington, DC
  4. Adjourn

Attendees

Voting

  • Myisha Frazier-McElveen
  • Colin Soutar
  • Anna Slomovic
  • Susan Landau

Quorum was attained with 4 of 7 voting members present.

Non-Voting

  • Tom Smedinghoff
  • Nathan Faut

Minutes & Notes

  • Anna Slomovic makes motion to approve minutes; Colin seconds - no discussion, minutes approved

Administration

Discussion

Privacy Assessment Criteria

  • Document Editor
  • Appreciation for Ann Geyer and her role as editor
    • Unfortunately, Ann has had to step down as editor for PAC due to other commitments.
    • Call for new Editor to go out to the P3WG mailing list
  • Notes re: status and next steps for the PAC (email below from Colin Soutar to the P3WG mailing list 18-Oct-2012)
  1. PAC Work Charter: http://kantarainitiative.org/confluence/pages/viewpage.action?pageId=1081487
  2. Link to PAC material: http://kantarainitiative.org/confluence/pages/viewpage.action?pageId=49775195
  3. Kantara Additional Requirements for CSP’s: US Federal Privacy Criteria: http://kantarainitiative.org/confluence/download/attachments/49775195/Kantara+Initiative_IAWG_US+FPC+Report_v2.0+%281%29.doc?version=1&modificationDate=1339086931000

Notes on topics covered to date:

  • Informed consent #2.1: Apr 4, 2012
  • Optional Participation #2.2: Jun 7, 2012
  • Minimalism #2.3 and Unique Identity #2.4: July 5, 2012 (PAC minutes 2012-6-7.docx)
  • Adequate Notice #2.6: http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Notes+2012-09-20
  • Termination #2.7 and Changes in Service #2.8: http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-10-04

I note that we have not yet discussed the items below:

2.5   No Activity Tracking – CSPs must not disclose information regarding Subject activities with any Federal application to any other party or use the information for any purpose other than problem resolution to support proper operation of the identity service, or as required by law.

2.9   Dispute Resolution – CSPs must have a dispute resolution process for addressing any dispute resulting from a complaint filed by a Subject utilizing its service who notifies the CSP regarding a failure to comply with any terms in the CSP Service Definition required by the SAC, and/or any additional criteria defined in this document. The CSP must provide evidence to their Kantara Initiative Accredited Assessor both of the existence of this process and its compliance thereto.

2.10   Technology Requirements – CSPs must use one or more of the ICAM-approved identity assertion protocol profiles when engaged in any identity transaction with government applications. (See http://www.idmanagement.gov for the current list of protocol profiles from which to choose.)

  • is it a good idea to go through the status of the work with the P3WG? (Nathan) yes; it would be good to resolve the question opened on the last call that the privacy guidance should just be pulled directly from FICAM; (Colin) understanding is that additional specificity is required for assessors to actually apply that guidance - this question can be posed and the proposed answer put in the slide deck for the F2F since the question keeps coming up
  • do we feel there is value in working on the items yet to be discussed above? Yes -
    • No Activity Tracking
      • (Nathan) suggest we strike the word "Federal" with the idea that the privacy guidance will be both for federal, commercial, public/private sector; (Tom) but isn't that the limit that we are working under, that this is against the FICAM requirement? (Nathan) good question - thought this was supposed to be more general; for example, Europoint has been approved as an assessor in Sweden, and as an accredited assessor they can perform a privacy assessment; (Myisha) would agree; while the initial requirements came from FICAM, this was intended to be more general and more specificity can go in a profile similar to the model for the SAC; (Colin) the initial target was only FICAM and expectation was that it would broaden out to be more general in the future; (Tom) if we get to the point we're doing a general document, we need to do a lot more thinking about what's in and what's out, particularly on the topic of No Activity Tracking; outside of FICAM there is no law preventing tracking; (Anna) taking a position that there is no law and so we shouldn't do anything does not make sense; (Tom) that is not what was being advocated, just that it is open to debate except under FICAM; (Nathan) maybe it is a matter of testing whether they perform some sort of activity tracking, review the EUA to that tracking, and then performing tests that check the data the org gets against the EUA and whether it is anonymized - basically, follow the chain of the use; (Anna) what does that buy you if you essentially have no choice? (Nathan) words are observe, inquire, and inspect; auditor could say "would like to observe the LDAP directory and other components as they receive messages related to the credential. Would like to see the information sent to the Relying Party. Would like to see if any info is received back from the RP after they receive their information." Need to give the auditor the room/opportunity to inspect the information flow
    • Dispute Resolution
      • (Nathan) have audited against something similar to these criteria; usually moves to inquiring of the process and whether any disputes were logged over the audit period, then inspecting documentation related to disputes that were logged, and then inspecting further documentation to note when the dispute was logged, how long it took to be resolved, and was the dispute resolved to the satisfaction of party X
      • (Anna) what would the user be disputing? the credential, the data tied to the credential, other? (Tom) the CSP's handling of their information? (Anna) what would trigger them since they cannot see what the CSP is doing? (Nathan) credential suspended/revoked without notification to end user, they could get anomalous transactions they didn't approve, it could be the credential is used by someone else; (Anna) what about user being wrongly denied a credential? Or is FICAM restricted to the credential itself? we need to know what the person is able to dispute. (Tom) this struck me as similar to the EU Safe Harbor rules, where they have to provide a dispute resolution process for the data; the issues discussed so far can have privacy implications but are not privacy-focused - we should be limited to looking at privacy dispute resolution, not the broader scope of is the CSP doing their job properly? (Anna) what is in the IAF, and are we writing new criteria or an amendment to their criteria? (Nathan) this should fall out with inquiry to management regarding the dispute resolution process; (Tom) the issue that Anna is raising is that we perhaps should not be raising this ourselves, it should be part of the IAF;
      • (Colin) what has happened is that the docs have been created in a bolt-on manner and so reflect a couple of different things; before P3WG was actively involved, the IAWG conceived a doc which we are using as a basis to this which relates to additional requirements for CSPs intending to be accredited under the FICAM program; so some things need to go in the FICAM profile via IAWG work; a matrix diagram would be helpful; (Myisha) if the IAWG does take on something like Dispute Resolution, it would be along the lines of having an inappropriate credential issued, it would not capture privacy components; (Anna) then we should add additional assessment criteria to the privacy piece, but it should be part of the overall Dispute Resolution set - it would be helpful to have this all together. A statement that says when you do a dispute resolution process, people need to be able to dispute X, Y or Z. Still don't know who will be allowed to do the Dispute Resolution and whether they will be authorized to adjudicate on Privacy as well as other issues
  • Colin will summarize where things stand now, circulate that along with a summary we can present to the broader Kantara group, and see where we go from there

AOB

  • Face to face meeting in Washington, DC

Adjourn 09:05 PT / 12:05 ET