[WG-P3] Rough draft Intro section for the PAC (RE: P3 Agenda: Thursday, September 29th, 2011 - Delving into the Privacy Assessment Criteria)

Colin Wallis colin_wallis at hotmail.com
Tue Sep 27 22:46:03 EDT 2011 

Folks
As one who proposed the notion of an Introduction to the PAC, I have sketched out a straw-man below:
As one who is quite remote from the actual goings-on, I may have misinterpreted the precise inter-relationship of the documents and the programs, so please feel free to re-write those to make it accurate (as well as any other aspect of the text of course) 
 
Introduction
 
On September 4th 2009, the US Government's FICAM (Federated Identity Credentialing and Access Management) program published the Trust Framework Provider Adoption Process (TFPAP) for Levels of Assurance 1,2 and non -PKI 3.  
On June 29, 2011. FICAM published Version 1.0 of its Privacy Guidance for Trust Framework Assessors and Auditors.  Readers are strongly encouraged to thoroughly familiarise themselves with these publications.
 
As a Trust Framework Provider (TFP) in its own right, with its own Identity Assurance Framework and TFP assessor acrediation program, the Kantara Initiative has provisional certification as a FICAM TFP for its own Identity Assurance Framework. 
 
Kantara's Privacy and Public Policy Working Group has released this paper, the Privacy Assessment Criteria, to help CSPs/IDPs and RPs/SPs in trust frameworks seeking certification as a FICAM TFP, position themselves optimally with FICAM's June 2011 release of the Privacy Guidance for Trust Framework Assessors and Auditors.  
 
This Kantara Privacy Assessment Criteria helps address not only the baseline FICAM publications mentioned above, but also NIST SP 800-53 Appendix J 'Security and Privacy Controls for Federal Information Systems and Organizations' and reflects the privacy requirements of its own Identity Assurance Framework.  While the focus of this version of the Privacy Assessment Criteria is squarely focussed on US interests, it has been designed to be extensible for use in other jurisdictions globally. 
 
The scope of the work is directly reflective of the scope of the FICAM program itself, and although no speciifc statement of scope is set out in the FICAM publications mentioned above, several 'scope-like' passages (substantially quoted beow) offer a reasonably clear intent: 
 



FICAM trust framework cover remote electronic authentication of human users to IT systems over a network - it does not address the authentication of a person who is physically present

It serves the interest of US Government organizations as Relying Parties, and promotes interoperbaility between Federal and non Federal entities      

CSPs/IDPs and RPs/SPs both have privacy protection responsibilities, although collaboration on privacy practices between RPs and IDPs is anticipated in order to provide a seamless experience for Users and meaningful and effective implementation of the TFPAP Criteria

In some cases federal agencies may contract with external contractors or commercial third parties for certain functions. Such non-federal entities are considered agents of the federal government and therefore IDPs must interact with them as if they were interacting with a federal agency application.
 
The passges above serve to demonstrate that FICAM's scope (and therefore the Privacy Assessment Criteria scope) is limited to:
 

users of government online services logging onto and accessing those services, and does not extend to lawful interception 
confirmation (to a level of assurance) of the binding of the user's identity to a credential through the process of online authentication, and does not  extend to initial authentication, identification or other synonyms for identity proofing of the user prior to binding the credential to the identity
No specifc authentication architecture or design pattern is prescribed, so all use cases for user authentication - for example (1) either direct to the IDP or redirected from the RP to the IDP for authentication and redirected back to the RP, and (2) the use of anonymous, pseudonymous or veronymous identifiers - are applicable, though there are substantially different privacy implications with these alternatives
federal and non-federal entites are involved, so that various state privacy law is also applicable in certain transactions, with the Privacy Act applicable to federal agencies  
 
The Privacy Assessment Criteria uses the US's Fair Information Practice Principles (FIPPs) as template on which to develop the criteria, to reflect FICAMs TFPAP Privacy Criteria dependency on this.  Assessment criteria are applied to each principle in turn, along with additional notes and guidance to cover a range of possible use cases, architectures and design patterns.  
 
 
OK, go for. Hack away!
 
Cheers

Colin





From: mark.lizar at gmail.com
To: wg-p3 at kantarainitiative.org
Date: Tue, 27 Sep 2011 20:32:43 +0100
CC: wg-idassurance at kantarainitiative.org; sg-p3pf at kantarainitiative.org
Subject: [WG-P3] P3 Agenda: Thursday, September 29th, 2011 - Delving into the Privacy Assessment Criteria







Hello, everyone!


 


The Privacy and Public Policy working group of the Kantara Initiative will hold its next telecon this Thursday, September 29th, 2011 (Friday  in Asia/Pacific)  

08:00 PT / 11:00 ET / 16:00 +0100 UTC/GMT / 01:00 +1 day Japan / 05:00 + 1 day New Zealand
 
This Thursday we will be focusing on the FICAM - Privacy Assessment Criteria and its development for purpose.  There are many issues that have been raised while it was being drafted that we would like to organise and address going forward.   Please send all issues to the P3-SG (sg-p3pf at kantarainitiative.org)  list to be captured by myself (Mark Lizar) or Anna Ticktin.

 


Agenda









1. Roll Call

2. PAC -   Privacy Assessment Criteria - Pls Review and Comment
- Comments can be found on the P3 Wiki Here: - A few high level comments to address first. 

- IAF oriented comments and questions
- Drafting an introduction 'scene setting'  
- Drafting a diagram for document flow
        - Drafting a document Roadmap


3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- PAC session at the Face to Face 
-  Who will be attending?  
4. PAC Priorities and AOB (Any Other Business)            

 

 Dial-in information:

- Skype: +9900827043671716

- Room Code: 3671716

International Toll

- North American Dial-In: +1-201-793-9022

Austria +43 (0) 82040115470

Belgium +32 (0) 70357134

Canada +1 (201) 793-9022

France +33 (0) 826109071

Germany +49 01805009527

Ireland +353 (0) 818270968

Italy +39 848390177

Spain +34 (9) 02885791

Switzerland +41 (0) 848560397

United Kingdom +44 (0) 8454018081

 

Here is where you can find the P3WG wiki, our charter, deliverables and work in progress.
http://kantarainitiative.org/confluence/display/p3wg/Home
 _______________________________________________
WG-P3 mailing list
WG-P3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3
_______________________________________________ WG-P3 mailing list WG-P3 at kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-p3 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110928/dc5a5999/attachment-0001.html

More information about the WG-P3 mailing list