P3-PFSG Meeting Notes 2011-05-12

Attendees:

Anna Slomovic
Mark Lizar
Myisha Frazier McElveen
Tom Smedinghoff
Rainer Hoerbe

Apologies:
Gershon Jansen
Rich Furr

Staff:
Anna Ticktin

Notes:

F2F Meeting (hopeful) take-aways:  

  • An understanding of how privacy is integrated into the assessment criteria and who's writing which pieces for what documents. What is the practical path and flow? How is the business of assessment and certification built? How does privacy get separated? Who's privacy are we actually talking about---CSPs? RPs? End users?
  • Privacy protection needs to be built into a framework, but the sets of requirements will be different depending on which entity we are providing guidance.
  • Different incentives demand different requirements. LOAs collapse into Id verification and authentication according to NIST.
  • Anna: We wouldn't want to lump privacy protections into one number. LOA might have a different LOP (protection)? (privacy)?
  • Question : Can we apply the IAF to attributes? This topic will be carried to the Berlin F2F agenda.
  • Question: How is the IAF going to evolve (beyond just NIST level) and what are the corresponding documents that will be developed?
  • Question : How is the FICAM privacy profile to be applied?  Currently it's seemingly slapped on.
  • Privacy assurance could be a vehicle for regulatory compliance.
  • Privacy assurance cannot conflict with regulatory compliance.
  • Question : How does level of protection relate to level of privacy?

Privacy Framework Scope

  • Produce a Privacy Framework (comprised of privacy principles) for Kantara that provides a Privacy Assurance Framework/Profiles for integration with IAF and that can be used to assert the privacy assurance efforts in the ISWG and UMA.
  • The PF is exploring the development of privacy profiles that can anchor credentials and attributes so to integrate technical privacy rules for the recipient and privacy assurance in the use of credentials from the provider.  

F2F topics to consider :

  • Socialize the PF effort with UMA, IAWG, ISWG and others WG's
  • Discuss the privacy aspects from IAF, UMA, ISWG as to provide a description of the privacy components and to outline an initial understanding of privacy service assessment criteria.
  • Discuss a re-write of the IAF into a "Generic " Assurance Framework (IAWG action) whereby the IAF structure is used as a template for the development of PAF.
  • Extrapolate from these two efforts an outline of a Privacy Profile Requirement for input into the P3 Privacy Framework process.
  • Submit these assurance requirements into the analysis of Privacy Principles and discovery efforts at P3.
  • Develop a draft of a privacy profile from the Privacy Assurance Framework with attributes as a use case. (HIPPA was mentioned again as the first use case. Note: Interesting observation that health data across the internet has no privacy or regulatory protection. )

Adjourned