[WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
Anna.Slomovic at equifax.com
Thu Feb 23 09:57:28 EST 2012
I agree with Colin's points. I do not think it makes sense to simply hand a pile of documents to someone and tell them to figure it out.
We need to have a document for privacy that states requirements for a Kantara-certified service. E.g., IAWG Service Provider Criteria document doesn't just point to NIST 800-63 for different LOAs and tell IDPs to go do that. Also, the SPC document incorporates more than just legal requirements. For example, there is no legal requirement that IDP be an independently managed entity, but there is such a requirement for LOA 3 Kantara certification:
671 AL3_CO_ESM#070 Independent management and operations
672 Demonstrate that, for the purposes of providing the specified service, its
673 management and operational structures are distinct, autonomous, have discrete
674 legal accountability, and operate according to separate policies, procedures, and
Once we have a set of normative requirements for privacy, assessors need a document that they can use to determine whether requirements are being met. FICAM assessor guidance provides some of that, but unless Kantara adopts it and puts the Kantara name on the document, it's simply a FICAM suggestion.
At the moment, I know how to build an IDP that complies with Service Provider Criteria but not what privacy requirements need to be built in or how I would be assessed against those requirements. I think that's the document set we need.
Chief Privacy Officer
1010 N. Glebe Road, Suite 500
Arlington, VA 22205
From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Colin Wallis
Sent: Wednesday, February 22, 2012 10:08 PM
To: Kantara P3 WG
Cc: Patrick Curry; Dave Wasley
Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
I have (as may some others) a call conflict at this time (with the OASIS Trust elevation TC).
I'll try to join at some stage.
Colin S: thanks for your efforts. Greatly appreciated.
In case I'm not on the call to say this, I have 3 main comments about the proposed PAC framework.
1) There seems to be an ongoing confusion between 'requirements' and 'assessment' of the requirements to determine if they are (partially, or fully) met. There is no clearer example of this if you look at the title of Part 1, then look at the intended audience for Part 1 in Section 6. Requirements have either been made explicit (as they have been in the normative references mentioned in Part 2), or they appear in applicable laws.
I do not believe the *primary* intention of this doc was to draw out the requirements from legislation or fed privacy criteria, useful as this might be. I thought the *primary* purpose was to guide assessors on where and how to look for compliance with the requirements - how they have been (partially or fully) met. Example (remembering I am *not* a privacy expert..so apologies in advance for strangling..) : Consent. We might advise the assessors to look for a policy note on the front web page, and check it for readability. Then suggest they use the said service to determine if the notice is repeated when an attribute is about to be passed to a third party, check how the user would give that consent, (radio button?/ some other way e.g. a user agent?).
2) Section 6: Sure, Federation component suppliers, IdPs etc will make use of the assessor guidelines, just as today, vendors use the SAML eGov Profile test plan (the test used to see if the requirements are met) to modify their products, rather than going to the SAML eGov Implementation Profile where the requirements live. The test plan is not designed as a way for a developer to tick off the features in his product are present, but that is an unfortunate outcome of making an 'assessor guidelines' public.
3) Section 3: Exclusions. I do not agree with restricting the scope to IdPs only. What benefit are we offering the end user if the IDP is doing a great privacy aware/compliant job but the Fed broker or RP is crap? It may be that in some trust frameworks a business decision may be made to restrict the scope of the assessors to IDPs (as FICAM has sort of done so far), but the PAC should self enforce such a restriction and leave everyone involved, with no guidance.
Now, I may well be mistaken and maybe I have not understood the objective correctly. If so, please please shoot me down! A double check with the ARB/IAWG about what they expect will put the matter to rest.
From: annaticktin at me.com
Date: Wed, 22 Feb 2012 17:49:35 -0800
To: wg-p3 at kantarainitiative.org
CC: patrick.curry at federatedbusiness.org
Subject: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
* US Dial-In: +1-805-309-2350 | Conference ID: 402-2737
Thursday 23 Feb 2012
8h PT / 11h ET / 16h UTC
Motion for minutes approval: 09 Feb 2012 <http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Minutes+2012-02-09>
(To review notes from last week's adhoc : 16 Feb 2012 <http://kantarainitiative.org/confluence/display/p3wg/P3WG+Meeting+Notes+2012-02-16>)
Open call for P3 Secretary nominations
Action item review:
Ad hoc meeting with Bob Gelman on Privacy Assessment Criteria
Review of potential NSTIC proposal - Overcome By Events - see Kantara staff note
2. Privacy Assessment Criteria
 Review of proposed framework (see attached)
Editor's discussion on comments to date.
3. Review of IAWG Report Additional Requirements for CSPs: US Federal Privacy Criteria
 Recommendation to Leadership Council (see attached)
4. Munich F2F