[WG-P3] Comment is here..RE: Privacy Assessment Criteria for the US Federal Privacy Profile

Anna Ticktin atick10 at me.com
Thu Sep 22 10:30:18 EDT 2011 

Mark, Anna-

Perhaps I can reach out to Dervla for some blog / tweet action broadcasting our search for PAC resources... let's discuss...

Yup, I sent this from my iPad. 

On Sep 22, 2011, at 15:28, "Mark at Identity Trust" <mark at identity-trust.com> wrote:

> 
> Some questions/ideas to consider prior to our call today;
> 
> Is there anyone who would like to volunteer as a PAC editor, PAC champion, or even Co-Chair? 
> 
> Should we have a WG announcement asking for PAC editor nominations and consider setting P3 conference calls exclusively to go through edits and PAC issues? 
> 
> or/and
> 
> Is there anyone we should approach in the industry who may be intrinsically interested in getting involved in this effort?  What efforts, groups, are set to benefit most from the PAC?  Are there work groups we are missing that we should be working with? 
> 
> Are there any suggestion for processes that we should take on to move this PAC effort forward?  (I know some of the P3 members have extensive experience in standards development and the processes that facilitate them, please suggest process or provide suggestions where appropriate.) 
> 
> Best Regards, 
> 
> Mark
> 
> On 22 Sep 2011, at 12:17, Anna Slomovic/Equifax wrote:
> 
>> Gentlemen,
>> 
>> Interesting comments,  which clearly demonstrate the need for a substantive expert from P3 to take this work forward. As you recall, our funding ended with the draft,  so we need additional resources. Please think about how these can be obtained, either on a volunteer or paid basis.
>> 
>> Anna
>> 
>> Anna Slomovic 
>> CPO, Equifax
>> 
>> Sent from my phone. Please excuse typos.
>> 
>> 
>> -----Original message-----
>> From: David Simonsen <david at wayf.dk>
>> To: Colin Wallis <colin_wallis at hotmail.com>
>> Cc: Kantara P3 WG <wg-p3 at kantarainitiative.org>
>> Sent: Thu, Sep 22, 2011 07:07:36 GMT+00:00
>> Subject: Re: [WG-P3] Comment is here..RE: Privacy Assessment Criteria for the US Federal Privacy Profile
>> 
>> Hello Colin,
>> 
>> I believe what you suggest would certainly ease the reading of the document.
>> Perhaps a figure with accompanying explanation of user/data flows ?
>> 
>> When reading through it, I felt confused - but since I'm from 'over there/here' it's hard to judge:
>> 
>> 1) what would be a reasonable level of pre-knowledge to expect of the reader
>> 2) how the various US programs, legislation etc. plays into this document
>> 
>> I also felt something was wrong with my understanding of the data flow but then thought that a misplaced comment may be better than no comment ;)
>> 
>> Regards
>> David
>> 
>> On Sep 22, 2011, at 4:50 AM, Colin Wallis wrote:
>> 
>>> the comment can only be seen in 'view'mode so have repeated here..
>>> 
>>> 4 minutes ago
>>> Colin Wallis says:
>>> 
>>> 
>>> I haven't finished my comments and in any event, I doubt they will come up to the same quality as those offered so far.
>>> But I see a trend running through Bob's questions and the answers that I should bring up now..
>>> An example: About half way through the doc, Bob qualified his comments with law enforcement issues (see 1.5, drafters note 2... 'fraud detection and subpoenas must be accomodated..' 
>>> If we start mixing legitimate law enforcement, legal interceptione etc with run-of-the-mill citizen access to government services(at least in the normative part) , I think we are really going to confuse folks.
>>> It seems like we are missing an introduction which sets FICAM's context, and its over-arching use case with some over arching principles/assumptions we agree on...
>>> Let's indicate an over arching use case as a citizen logging on, and go as far as indicating a typical message flow for this. Why? Because from the comments from Jeff and David, they have a different  view of the message flow, and who is doing what to whom and when.
>>> Another example: privacy aspects of 'identification' (is this identiity proofing that some EU states call 'initial authentication?) vs authentication (where the identity is confirmed by way of the electronic credential bound to the identity being presented to the IdP and subsequently asserted to the RP.... There we go again. More assumptions about the actors, and their roles (is the actor doing the identity proofing the same actor who knows the electronic credential and 'authenticating' the user with the logon process, before passing the user back to the RP to continue the transaction?. Where does the scope of FICAM begin and end? I don't recall it extending to identity proofing (I would be wrong). so let's not go there (at least for the normative part of the doc)
>>> Another example: Applicability of the Privacy Act:If I understand the scope of FICAM correctly it is not just a federation of federal agencies. It covers State as well (please correct me if I'm wrong). So let's be explicit up front in the introduction: 'The use case covers joint state/federal federations, so the Privacy Act will not always be applicable (but as far as possible reflective of it)'.
>>> So what do you think? Will we clear up many of these questions by matching the docs scope directly with FICAM, make that explicit in some introduction text, and only then delve into the criteria?
>>> Cheers
>>> Colin
>>> 
>>> 
>>> 
>>> 
>>> 
>>> From: colin_wallis at hotmail.com
>>> To: wg-p3 at kantarainitiative.org
>>> Date: Thu, 22 Sep 2011 14:46:31 +1200
>>> Subject: Re: [WG-P3] Privacy Assessment Criteria for the US Federal Privacy Profile
>>> 
>>> +1 from me too.
>>> 
>>> I've added a comment on the wiki (the doc on the wiki is 'read only' for me) so you should be able to see it via the P3Wiki link Mark has given below.
>>> 
>>> Cheers
>>> Colin
>>> 
>>> From: mark.lizar at gmail.com
>>> To: david at wayf.dk
>>> Date: Wed, 21 Sep 2011 11:00:54 +0100
>>> CC: wg-p3 at kantarainitiative.org
>>> Subject: Re: [WG-P3] Privacy Assessment Criteria for the US Federal Privacy Profile
>>> 
>>> Thank You David, 
>>> 
>>> These comment are now up on the P3Wiki - 
>>> 
>>> On 20 Sep 2011, at 20:22, David Simonsen wrote:
>>> 
>>> Hello all,
>>> 
>>> sitting on the other side of the pond (EU/Denmark) it seems that now could be the right time to build a harmonized (internationally interoperable) view on many of the subjects described in this good document?
>>> 
>>> The EU Article 29 working party (consisting of the many national data protection authorities) have recently reached consensus (!) on 'informed consent', described in http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf . Perhaps some of this can be useful?
>>> 
>>> WAYF (the federation I mange) has had 'informed consent' operational for all connected services for >2,5 years.
>>> We have consulted both legal experts and usability gurus (Fraunhofer Institute in Stuttgart, Germany) along the way.These days I'm writing a summery of our experience, which hopefully will
>> 
>> This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com.
>> _______________________________________________
>> WG-P3 mailing list
>> WG-P3 at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-p3
> 
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110922/1e0f716a/attachment.html

More information about the WG-P3 mailing list