In the intro example of the user, "Hope," there is a phrase about the biometric being retained on an ephemeral basis. Is the scope intended to define a mechanism for RPs to assert or certify that they have disposed of the photo biometrics? Curious about scope, viability and policing to realize that aspiration.
Requirements will be listed as "MUSTs": there will be a requirement that in an operational circumstance where the retention of biometrics is not legally required, there will be active notice, etc. Next step after this is the creation of profiles for things like using mobile credentials in bars, in stores, etc. Some requirements won't apply to some profiles. The conformance tester against the profile will go in and do what auditors/assessors do.
We need to take into consideration the boundaries of what's achievable.
Possibly we're focused on the wrong thing. What can the user actually see and have promised? In the example, Joe's Bar & Grill is not the verifier; it's Stripe. Part of this is to get them to say what they're doing and make it legally binding; that, more than the technology, is what is important to the user. Want to know if an org is keeping the data before I give it to them.
Building a set of requirements that build policy, intent, and procedures that enable what we want to see for the end user is what we have as our ultimate goal.
Maybe we need an introduction at the beginning or a risk factor at the end? What if we have a wallet provider that does not adhere to any of our requirements? Do we create the requirement that the wallet provider must signal what they do? What about the RP, and what requirements are set for them?
Testing and conformance are postponed for now; they come after we agree on the requirements.
In order not to be surprised, there has to be some sort of expectation. Unclear how the verifier gets introduced into the flow; we're already in collection at the point of the verifier. Perhaps reorder the framing statements? The verifier has to have an understanding of the risk they're taking on. Understanding that is something that happens earlier in the process. Maybe "the verifier must determine the risk and collect."
Framing statement - Providers
For this and other aspects of the document, John may work on a RACI (Responsible, Accountable, Consulted, Informed) diagram.
Holder
It would be useful to have more in this document about the holder.
Tasks
Will start adding content so we can iterate and report back to the group, making sure everyone has an opportunity to chime in. Final version expected by end of November.
Goal: to both update people on PEMC's plans and ask people for input on our work.
Planning on 1-2 sessions on the Tuesday/Wednesday of the unconference.
Please note the OpenID Foundation will have a workshop 12:30-4pm Monday 11/14 before IIW. No cost, open to the public. We will have a listening session on the Government-issued Credential Privacy whitepaper hosted by Heather Flanagan, as a precursor to IIW itself. A pre-registration link will be made available (and required).
Reminder: Seasonal clock skew has started; Daylight Saving Time ends in the UK/Europe on 31 October vs in the US on 6 November. Call times for the 2 November meeting may be different from what you expect.