Kantara Initiative Privacy & Public Policy Teleconference

Date and Time

• Date: Thursday, Aug. 6, 2009
• Time: 8:00 PDT |11:00 EDT |15:00 UTC

Meeting Minute Status

This page is a Working Draft subject to further revision and has not yet been approved by the Privacy & Public Policy Work Group.

Attendees

• J. Trent Adams
• Patrick Curry
• Britta Glade
• Ian Glazer
• Iain Henderson
• Susan Landau
• Georgia Marsh
• Brett McDowell
• Bob Pinheiro
• Darrell Shull
• Toby Stevens
• Jeff Stollmann
• Edgar Whitley
• Robin Wilton

Apologies

• Louise Bennett
• Toshihiro Suzuki

Comments

RW - (1) Invited members to submit nominations for the posts of P3WG Chair and Vice chair (see actions, below)

PC - gave summary of last week's meetings with various US Govt bodies; general focus on high-assurance identity for USG employees (as opposed to citizen ID, e-gov access etc): however, it is appropriate for P3WG's overall strategy to be able to accommodate these use-cases as well.

Noted that ICAM co-chairs (Judith Spencer and Paul Grant) tend to focus on LoA=3 identities and higher, whereas David Temoshok's focus would be at the LoA=1, LoA=2 levels.

GM - noted that a previous assessment classified some 60% of USG applications as being in the LoA=1, LoA=2 categories.

[In general, I suggest we should seek to make sure the PIV and PIV-I strategies are clearly understandable to P3WG, including areas in which those strategies may intersect with non-US implementations 1,2 ]

PC - Suggested the development of an identity assurance/authentication framework which caters for the viewpoints of Government, Citizen and Regulated Industry stakeholders.

Discussion of 10 Aug Workshop (ICAM, Washington DC)

BM - Scope of meeting is specifically "USG <-> Privacy Advocates", to discuss e-authentication based on Government application consumption of LoA=1 consumer authentication artifacts from. eg. OpenID, InfoCard and InCommon, and to discuss the role of Trust Framework Providers 2

Suggested questions to raise:

• what measures does the strategy include to ensure that the goals of citizens/users are met, as well as those of government and public sector service providers?

• has correlation and its possible effect on user privacy been considered in the formulation of strategy? NB - a single service might be considered to have a 'low' privacy impact, but if its use can be correlated with access to other services (for instance, through use of the same e-authentication method) the over-all privacy impact may well be higher.

• has the USG classification of applications (according to appropriate LoA) been reviewed recently to take account of technical developments, changes in application and/or delivery channel (e.g. mobile access, PKI applicability etc)?

• "scope and mission creep": if the strategy is to "segment" applications according to LoA/authentication type, what plans are there for handling cases where i) the LoA pre-requisite of an application changes over time; ii) pressure grows to use a deployed 'low-assurance' credential for access to a 'medium-assurance' service rather than incur the expense of re-working for 'medium-assurance' credentials?

Closed actions from previous call:

• RW, IG to arrange meeting with US VISIT program CPO at Burton Catalyst - DONE.

Actions

(1) PC to help P3WG engage with policy-maker community - ONGOING (with RW apologies for late distribution of previous action items)

(2) Call for nominations to the posts of P3WG Chair and Vice Chair. - ONGOING

• First stage: nominations (staff at kantarainitiative dot org)
• Second stage: secret ballot (process to be determined)

(3) RW to invite Paul Hasson (CPO - US Visit) to participate in P3WG and report status.

(4) RW to post draft of "Privacy Assurance Module" concept for Identity Assurance schemes.

Document references:

• USG ICAM page, including documents on Trust Framework Providers and Identity Scheme Adoption http://www.idmanagement.gov/drilldown.cfm?action=privacy_workshop
• White House/OMB memorandum M-0404 (Levels of Assurance) http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf

Next Meeting

• Date: Thursday, Aug. 20, 2009
• Time: 8:00 PDT | 11:00 EDT | 15:00 UTC (Time Chart)
  Dial-in details:
• US/Canada toll-free number: 1.866.305.1460
• Direct dial (toll) number: +1.416.620.1296
• Attendee Code: 9247530
• International toll-free numbers:
  o UK: 0800 917 5847
  o Netherlands: 08002659007
  o Belgium: 080079491
  o Japan: 00531160345
  These toll-free numbers are generously provided by BIPAC.