P3WG Meeting Notes 2011-10-06

Agenda

1. Roll Call

Rich Furr
Anna Slomovic
Bill Braithwaite
Peter Capek
Susan Landau
Mark Lizar

Apologies

Colin Wallis

Staff

Anna Ticktin

Administration
Quorum was reached. The motion to approve the Minutes from Sept 22 was made by Mark Lizar and seconded by Rich Furr.

2. PAC - Privacy Assessment Criteria - Please Review and Comment

The call focused on work on the specific FICAM PAC. There was consensus that, given the level of difficulty involved in this one activity alone, the group should focus first on FICAM and make sure this remains the focus, so as not to distract from the effort.

In this regard, it was asked on the call that Colin/David's Intro be slightly edited to keep the focus on FICAM.

Rich Furr offered to gather the initial comments and the PAC together until Ann G is back from holiday (Oct 15th).

The focus of the FICAM PAC was discussed further, which raised a couple of questions.

The question needs to be put to Joni, David and Rich to ask the FICAM team to clarify: exactly what is the scope of the FICAM PAC, and is the PAC relevant to this scope? It is clear that the current PAC we are working on is only applicable if FICAM applies, and this narrows the scope of this effort.

  • Does FICAM only apply to agency outsourcing of identity services?
  • Does it apply to all Federal applications? Is identity proofing out of scope?
  • What happens to the credentials when they are provided to the CSPs? Does FICAM have any restrictions on what attributes the CSPs can collect?
  • So does this mean that, as long as a CSP does not disclose anything on a federal site, the CSP can do anything it likes?
  • Is the only restriction placed on a CSP that of no activity tracking on federal sites (but not anywhere else)?
  • In regards to Level 3 authentication of a profile using SAML 2: SAML does not support real-time consent, yet FICAM is pushing real-time consent. Is FICAM aware of this? Since there is no feasible technical solution at this time, is this still a requirement?

We want to confirm that the scope of this is very narrow. In the process of doing this we can point out the generalized points that are missing, but not go into detail, and pass these questions to Deb Gallager.

David explained (as Deb Galleger explained to him) that it was only for federally outsourced services. If this is the case, why is the outsourced distinction important? (Under the Privacy Act this distinction should not matter.)

Looking into David's email further: David explained that this P3-PAC document can build on the privacy guidance and profile-specific criteria that assessors and auditors can use.

3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21

  • PAC-P3/IAWG session at the Face to Face
    • Who will be attending?
      • Jeff, Rainer, Colin, David Wasley?
    • Will take the document and socialise it at the P3 meeting.
  • P3 Session
    • Put some time in to go through the comments before the joint session
    • Present the latest version and the issues raised to the IAWG joint session

4. PAC Priorities and AOB (Any Other Business)