LC telecon Minutes 2013-03-27

DRAFT minutes pending IAWG review

LC telecon 2013-03-27

Date and Time

Agenda

  1. Roll Call
  2. Approve Minutes: LC telecon Minutes 2013-01-09
  3. Administration:
    1. Action Item Review
    2. Quarterly Reports
  4. WG Updates - 2013 plans
  5. BoT Liaison Representative Update
  6. AOB
  7. Adjourn

Attendees

  • Myisha Frazier-McElveen
  • Nate Klingenstein
  • Colin Wallis
  • Pete Palmer
  • Eve Maler

Quorum is 5 of 9 as of 13 March 2013.

Staff:

  • Heather Flanagan (scribe)
  • Andrew Hughes

Apologies:

  • John Bradley
  • Allan Foster

Minutes & Notes

Motion ID | Motion | Moved | Second | Discussion / Objection | Status

Action Item Review

Action | Assigned To | Status | Description | Comments
20120530-04 | Patrick Curry, Colin Wallis, Joni Brennan, Ken Dagg | *OBE* | Come up with first pass of industry classification and Venn diagram | Added: Sal D'Agostino, Andrew Hughes, Rainer Hoerbe
20121107-01 | Pete Palmer, Heather Flanagan | Open | Work with WG chairs for quarterly reports update. | All overdue WG and DG chairs notified
20121219-04 | Heather Flanagan | Complete | Create a zip file of all current, normative documents in the IAF | Will complete after Ballot has concluded

Discussion of Action Items

Quarterly Reports

See Quarterly Reports

  • Several groups are fairly behind in reports

WG Updates - 2013 Plans

HIAWG (Pete Palmer)

  • the Kantara Initiative and DirectTrust.org signed a MOU that programs would be coordinated to recognize each others audits
  • there has been a tiger team to work with DirectTrust and that effort is going to be rolled back in to the active WG
  • the goal is to enable ID proofing as few times as possible, with Direct Trust and Kantara CSPs being recognized
  • Pete Palmer wrote a high level article for the IEEE about this effort (link?)
  • a great deal of money is at stake to get this space sorted out - see e-prescription effort
  • yesterday, Health and Human Services announced a contract to DirectTrust for their new accreditation program, and Kantara is called out heavily in the criteria for that; there will be a press conference on this next Wednesday
  • (Colin) has seen a shift in the last 6 months that nearly all the WGs are discussing aspects of the same thing; the crossover right now is huge; is there a way we can help the collaboration further?
  • (Myisha) any implications as it relates to profiling of the IAF? we will need a profile for protected health information exchanges (probably not for all of health care) and associated special concerns; for instance Medicare has a program around electronic signing of information and for that use case the physicians need to come in at L3
    • (Colin) how would a profile be funded? there are different opportunities to solicit funds here; (Pete) Question is, how do we get the programs to be working together so the same person that does the audit for ENAC does it for Kantara and DirectTrust? the collaboration of these groups will come up with the money to do this; the Office of the National Coordinator will look at the need for this and can be approached for a grant

UMA (Eve Maler)

  • our spec has been fairly stable for a while; a few modular pieces have gotten some notice; the most interesting things are conversations with the OpenID Connect people; as OAuth and OpenID used to be too complicated to use together and so work went in to making it easier, OpenID Connect and UMA are complicated so work is going in to figuring out how to make that easier to work together
  • the roadmap for this will be discussed tomorrow @ noon Eastern in UMA's regular weekly call
  • (Colin) as we update the NZ government standards, we are penciling in a profile for UMA; not sure if we could drop it straight into our consent service scope, but some lightweight profiling might be needed.
    • UMA is trying out a higher ed profile

IAWG (Myisha Frazier-McElveen)

  • recently worked on putting in place a ticketing system so we could more easily manage updates to the IAF; previously it was just email but now we have a place to compile this and keep track of what's been done and what has not
  • also looking at making the IAF more agile; the certification piece has been broken apart so that an entity can determine what criteria they can be assessed against, but a complete service is required; what if we want to do something before the service is complete? also, what about non-FICAM profiles?
  • also looking at updating the IAF against 800-63-2 and other international standards

eGovernment (Colin Wallis)

  • not much happening right now; many of the eGov people are in other groups making sure the eGov requirements are sitting inside the efforts of other WG
  • a leadership ballot has been concluded and all officers have been re-elected
  • Topics are on privacy-protecting Web SSO, consent services, identity attribute calls and late binding of identity info to, in effect, pseudonymous authentication as the default.
  • Call attendance has been an eclectic mix of the GSA FICAM contractor guys coming and observing (maybe to collect information for FCCX - pronounced F6) and other Gov reps and vendors; so a lot of compare and contrast between the New Zealand, Danish, UK and Canada and so on, basically to inform those programs (e.g. FICAM) embarking on refresh at the moment.

Federation Interop (Nate Klingenstein)

  • major topic on last call was Trust Registries; there was a presentation around a Trust Registry that could be operated by Kantara and quickly went from what the bridge could look like to why people would trust Kantara to get the information; would a formal contractual relationship be required? what could be done without one? no conclusions yet on how to convey the trust information to general deployers
  • also a lot of talk on the comparing the Kantara Trust Registry (Kantara certified IdPs) to OIX (MD aggregator), which isn't really an equivalent thing; it's a question about how they might work together
  • Rainer is developing documents about how interop has happened between federations to date and patterns that can be derived from those use cases
  • Rainer's work is feeding into development of a SAML test harness similar to the OpenID Connect one.

P3WG (Heather Flanagan)

  • hasn't actually met since January
  • group is a potential hot spot
  • OASIS has a couple of fairly active privacy groups (PMRM and Privacy By Design for Software Engineers); actually a strong link between Infosharing WG and Privacy by Design

CloudID Sec WG (Heather Flanagan)

  • had their kick-off call this morning and the convener has enough energy to start throwing words at a Google doc to get the group started

Infosharing WG (Colin Wallis)

  • Joe and Ian are doing good work there, calls are small but regular; Aleska (UX developer/specialist) has joined the group to help build out the standard labels for info sharing (the group is trying to standardize the labeling of personal information so a user can see the same words from different identity providers and have them mean the same thing) - see www.standardlabel.org
    • Eve: group might also want to look at Dazza Greenwood's work on Terms of Authorization
  • Colin: group is doing a bit of rediscovery to make sure the group is on the right track, so Eve's suggestion a good one.
  • (Pete) can any of the consent work be leveraged for the Healthcare work? there is a lot of discussion on how to roll out a consent server in the health care industry so a relying party can query something regarding consent
    • (Eve) consent management and consent server is fine, but consent is a very weak form of authorization; UMA authorization provides more functionality than that and can be considered to cover consent
    • (Colin) since that space is so driven by regulation, it does tend to limit people's thinking; should broaden the thinking to consider broader authorization along with consent. Eve: UMA consideration of whether consent can be the same as an authorization grant in OAuth
    • Pete explains eHealth user requirements a bit more. (Eve): mixing authZ (policy) and identity data shouldn't always have to happen; should be able to have an authZ system based on claims, which preserves the right to have the place of federations of last resort in your head; one-time-use identifiers are a good technology to use in various places, but probably wouldn't hang hat on an architecture that depends on it

BoT Liaison Report

  • last board meeting was at RSA and was in part driven by events of the moment, including in the international coordination WG of the IDESG: they wanted to create an inventory of NSTIC IDESG-like initiatives, and given Kantara had already done that in the Business Case for Trusted Federations, Kantara forwarded a copy of that with our IPR statement, and IDESG (inadvertently it seems) stripped off the IPR and added something of their own and presented the work as its own; Kantara was expecting their work would go in as it was as a complete work, so this was not acceptable; out of untangling that to mutual satisfaction (in progress) came an effort to create a proper liaison with IDESG; since IDESG didn't have a template for liaisons, the BoT has drafted a statement and in doing so creates a template for the IDESG to consider what kind of liaisons they might have.

AOB

  • Upcoming events: April 25 there will be an Industry Day sponsored by Experian in Washington, mostly about F6 (invitation only); EIC is in mid-May with a panel in the planning stages; there is the Cloud ID summit in July and the EIC panel work will be repurposed for this
  • Pete looking for feedback on an IEEE article; will send to the LC

New Action Items

Action | Assigned To | Description | Comments

Next meeting