[WG-P3] Rough draft Intro section for the PAC (RE: P3 Agenda: Thursday, September 29th, 2011 - Delving into the Privacy Assessment Criteria)
colin_wallis at hotmail.com
Tue Sep 27 22:46:03 EDT 2011
As one who proposed the notion of an Introduction to the PAC, I have sketched out a straw-man below:
As one who is quite remote from the actual goings-on, I may have misinterpreted the precise inter-relationship of the documents and the programs, so please feel free to re-write those to make it accurate (as well as any other aspect of the text of course)
On September 4th 2009, the US Government's FICAM (Federated Identity Credentialing and Access Management) program published the Trust Framework Provider Adoption Process (TFPAP) for Levels of Assurance 1,2 and non -PKI 3.
On June 29, 2011. FICAM published Version 1.0 of its Privacy Guidance for Trust Framework Assessors and Auditors. Readers are strongly encouraged to thoroughly familiarise themselves with these publications.
As a Trust Framework Provider (TFP) in its own right, with its own Identity Assurance Framework and TFP assessor acrediation program, the Kantara Initiative has provisional certification as a FICAM TFP for its own Identity Assurance Framework.
Kantara's Privacy and Public Policy Working Group has released this paper, the Privacy Assessment Criteria, to help CSPs/IDPs and RPs/SPs in trust frameworks seeking certification as a FICAM TFP, position themselves optimally with FICAM's June 2011 release of the Privacy Guidance for Trust Framework Assessors and Auditors.
This Kantara Privacy Assessment Criteria helps address not only the baseline FICAM publications mentioned above, but also NIST SP 800-53 Appendix J 'Security and Privacy Controls for Federal Information Systems and Organizations' and reflects the privacy requirements of its own Identity Assurance Framework. While the focus of this version of the Privacy Assessment Criteria is squarely focussed on US interests, it has been designed to be extensible for use in other jurisdictions globally.
The scope of the work is directly reflective of the scope of the FICAM program itself, and although no speciifc statement of scope is set out in the FICAM publications mentioned above, several 'scope-like' passages (substantially quoted beow) offer a reasonably clear intent:
FICAM trust framework cover remote electronic authentication of human users to IT systems over a network - it does not address the authentication of a person who is physically present
It serves the interest of US Government organizations as Relying Parties, and promotes interoperbaility between Federal and non Federal entities
CSPs/IDPs and RPs/SPs both have privacy protection responsibilities, although collaboration on privacy practices between RPs and IDPs is anticipated in order to provide a seamless experience for Users and meaningful and effective implementation of the TFPAP Criteria
In some cases federal agencies may contract with external contractors or commercial third parties for certain functions. Such non-federal entities are considered agents of the federal government and therefore IDPs must interact with them as if they were interacting with a federal agency application.
The passges above serve to demonstrate that FICAM's scope (and therefore the Privacy Assessment Criteria scope) is limited to:
users of government online services logging onto and accessing those services, and does not extend to lawful interception
confirmation (to a level of assurance) of the binding of the user's identity to a credential through the process of online authentication, and does not extend to initial authentication, identification or other synonyms for identity proofing of the user prior to binding the credential to the identity
No specifc authentication architecture or design pattern is prescribed, so all use cases for user authentication - for example (1) either direct to the IDP or redirected from the RP to the IDP for authentication and redirected back to the RP, and (2) the use of anonymous, pseudonymous or veronymous identifiers - are applicable, though there are substantially different privacy implications with these alternatives
federal and non-federal entites are involved, so that various state privacy law is also applicable in certain transactions, with the Privacy Act applicable to federal agencies
The Privacy Assessment Criteria uses the US's Fair Information Practice Principles (FIPPs) as template on which to develop the criteria, to reflect FICAMs TFPAP Privacy Criteria dependency on this. Assessment criteria are applied to each principle in turn, along with additional notes and guidance to cover a range of possible use cases, architectures and design patterns.
OK, go for. Hack away!
From: mark.lizar at gmail.com
To: wg-p3 at kantarainitiative.org
Date: Tue, 27 Sep 2011 20:32:43 +0100
CC: wg-idassurance at kantarainitiative.org; sg-p3pf at kantarainitiative.org
Subject: [WG-P3] P3 Agenda: Thursday, September 29th, 2011 - Delving into the Privacy Assessment Criteria
The Privacy and Public Policy working group of the Kantara Initiative will hold its next telecon this Thursday, September 29th, 2011 (Friday in Asia/Pacific)
08:00 PT / 11:00 ET / 16:00 +0100 UTC/GMT / 01:00 +1 day Japan / 05:00 + 1 day New Zealand
This Thursday we will be focusing on the FICAM - Privacy Assessment Criteria and its development for purpose. There are many issues that have been raised while it was being drafted that we would like to organise and address going forward. Please send all issues to the P3-SG (sg-p3pf at kantarainitiative.org) list to be captured by myself (Mark Lizar) or Anna Ticktin.
1. Roll Call
2. PAC - Privacy Assessment Criteria - Pls Review and Comment
- Comments can be found on the P3 Wiki Here: - A few high level comments to address first.
- IAF oriented comments and questions
- Drafting an introduction 'scene setting'
- Drafting a diagram for document flow
- Drafting a document Roadmap
3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- PAC session at the Face to Face
- Who will be attending?
4. PAC Priorities and AOB (Any Other Business)
- Skype: +9900827043671716
- Room Code: 3671716
- North American Dial-In: +1-201-793-9022
Austria +43 (0) 82040115470
Belgium +32 (0) 70357134
Canada +1 (201) 793-9022
France +33 (0) 826109071
Germany +49 01805009527
Ireland +353 (0) 818270968
Italy +39 848390177
Spain +34 (9) 02885791
Switzerland +41 (0) 848560397
United Kingdom +44 (0) 8454018081
Here is where you can find the P3WG wiki, our charter, deliverables and work in progress.
WG-P3 mailing list
WG-P3 at kantarainitiative.org
_______________________________________________ WG-P3 mailing list WG-P3 at kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-p3
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WG-P3