P3WG Meeting Minutes 2011-05-05
Attendees:
Gershon Janssen
Susan Landau
Mark Lizar
Anna Slomovic
Guests:
Rich Furr
Richard Wilsher
Hedy Kirkby – (GOVT Canada)
Aaron Titus
Colin Wallis
Bob Pinheiro
Bill Braithwaite
Leif Johansson
Apologies:
John Bradley
Joni Brennan
Staff:
Anna Ticktin
MINUTES:
1. ADMINISTRATIVE
- Roll Call
- Motion of minutes approval for 11 Jan 2011 will be carried over to the next call.
- Mark has announced Jeff's resignation and made a call for co-chair nominations to close on 26 May 2011
2. P3: Updates
NSTIC Update: Susan Landau
(Follow this link for a full recap of the NSTIC launch; the panel discussion commences around 21 mins into the video: http://www.youtube.com/watch?v=32P-IEmBfEA)
- there seems to be a commitment to oversight at a public level
- she was disappointed not to see more federated since it's more private and more secure
- there needs to be data accountability
- Anna asks: What's the reaction to privacy issues? The incentives are not clear.
- "Privacy on the books and privacy on the ground" paper:
- Addresses FTC enforcement.
- Seems there is a federal push for privacy. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1568385
Aaron Titus's response to NSTIC:
- It's in the private sector's best interest to make it "user-friendly" in order to achieve privacy goals.
- Paper: IDF-NSTIC-WP.pdf sent to the list
PF Update---Call to Action:
- Our call to action for PF is something Mark will bring up at the F2F and look at combining the PF effort with other privacy efforts in Kantara
Generic/Privacy Assurance Framework: Richard Wilsher (IAWG)
Discussion : Developing an assurance framework for the P3
- Idea of a "Generic" Assurance Framework---as a reference and model, not a working instantiation
- Use the IAF as a model to draft a "Generic" Assurance Framework which could include the IAF, a Privacy Assurance Framework and/or an Attribute Assurance Framework
- Richard explained the structure of the IAF and suggested how the "PAF" could be drafted "sideways" from the work and effort already completed by the IAWG.
- Producing the GAF would be relevant to the developments in NSTIC as it makes Kantara more visible with a more complete assurance offering.
- What is the IAWG — P3 bridge? The DRAC "Data Recipient Assessment Criteria"
- Scopes are converging between P3 and IAWG work efforts.
- The industry is working to satisfy ICAM requirements, but many feel that ICAM is a barrier, narrow in its views and not being responsive. The industry could be mustering energy to move beyond its narrow views.
- What are the market needs? To be relevant, we must tune into the right space and work against the right effort.
- ACTION ITEM 20110505-01 Mark : send a request to the IAWG asking that they identify to what extent the SACs address privacy / security issues. Where are we going to apply and combine issues/efforts?
- P3-PFSG will focus on profiles and managing the credential
- The issue at hand : "Identity Credentials" vs "Privacy Credentials"
- There is an argument for separate frameworks, one issue being not wanting to water down the IAF and derail it from being Identity-driven and specific. However, the IAF does not stack up in ICAM's eyes regarding privacy
- Privacy criteria related to identity
- Rich Furr : What bar of privacy do you shoot for? Do we look at different levels of assurance? We don't want to be too high or US-centric.
- The P3-PFSC has drifted towards profiles.
- Richard Wilsher: Does HIPAA map to the IAF 4 LOAs? A privacy impact assessment must be conducted ...enterprise context must be entered into by an agreed-upon risk assessment scaled to LOAs.
3. P3 Roadmap/Road Blocks: (With the call already 30 mins over time, these items were not addressed.)
- Liaison with IAWG: Generic Assurance Framework and Privacy Assurance Framework
- Kantara Trust Framework Summit Presentation
- Face-to-face meeting in Berlin
- Recruiting: Inviting participants (Privacy Community/Identity Community); invite David Wasley to P3.
4. AOB