[WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC

David L. Wasley dlwasley at earthlink.net
Thu Feb 23 12:55:09 EST 2012 

Yes.  That is exactly what we (I anyway) tried to suggest on our joint conference call several months ago.

The FICAM TFPAP states privacy principles.  The IAWG Federal Privacy Requirements restates those principles.  The FICAM "Privacy Guidelines" document suggests a number of questions that assessors might ask when evaluating compliance with the principles.  None of that provides concrete statements that an assessor must use.

What Colin and Anna describe would bring the issues down to earth.  It would not be easy since there are so many possibilities and different use case constraints as well as, currently, technology constraints.  

Reality should also involve RP responsibilities at some point...

	David

On Feb 23, 2012, at 6:57 AM, Anna Slomovic/Equifax wrote:

> I agree with Colin's points. I do not think it makes sense to simply hand a pile of documents to someone and tell them to figure it out.
>  
> We need to have a document for privacy that states requirements for a Kantara-certified service. E.g IAWG Service Provider Criteria document doesn't just point to NIST 800-63 for different LOAs and tell IDPs to go do that. Also, the SPC  document incorporates more than just legal requirements. For example, there is no legal requirement that IDP be an independently managed entity, but there is such a requirement for LOA 3 Kantara certification:
>  
> 671 AL3_CO_ESM#070 Independent management and operations
> 672 Demonstrate that, for the purposes of providing the specified service, its
> 673 management and operational structures are distinct, autonomous, have discrete
> 674 legal accountability, and operate according to separate policies, procedures, and
> 675 controls.
>  
> Once we have a set of normative requirements for privacy, assessors need a document that they can use to determine whether requirements are being met. FICAM assessor guidance provides some of that, but unless Kantara adopts it and puts the Kantara name on the document, it's simply a FICAM suggestion.
>  
> At the moment, I know how to build an IDP that complies with Service Provider Criteria but not what privacy requirements need to be built in or how I would be assessed against those requirements. I think that's the document set we need.
>  
> Anna
>  
> Anna Slomovic
> Chief Privacy Officer
> Equifax
> 1010 N. Glebe Road, Suite 500
> Arlington, VA 22205
> O: 703.888.4620
> C: 703.254.9656
>  
> From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Colin Wallis
> Sent: Wednesday, February 22, 2012 10:08 PM
> To: Kantara P3 WG
> Cc: Patrick Curry; Dave Wasley
> Subject: Re: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
> Importance: High
>  
> Folks 
>  
> I have (as may some others) a call conflict at this time (with the OASIS Trust elevation TC).
> I'll try to join at some stage.
> Colin S: thanks for your efforts. Greatly appreciated.
> In case I'm not on the call to say this, I have 3 main main comments about the proposed PAC framework. 
>  
> 1) There seems to be an ongoing confusion between 'requirements' and 'assessment' of the requirements to determine if they are (partially, or fully) met.  There is no clearer example of this if you look at the title of Part 1, then look at the intended audience for Part 1 in Section 6.  Requirements have either been made explicit (as they have been in the normative references in mentioned in Part 2), or they appear in applicable laws. 
>  
> I do not believe the *primary* intention of this doc was to draw out the requirements from legislation or fed privacy criteria, useful as this might be.  I thought the *primary* purpose was to guide assessors on where and how to look for compliance with the requirements - how they have been (partially or fully) met.  Example (remembering I an *not* a privacy expert..so apologies in advance for strangling..) : Consent. We might advise the assessors to look for a policy note on the front web page, and check it for readability. Then suggest they use the said service to determine if the notice is repeated when an attribute is about to be passed to a third party, check how the user would give that consent, (radio button?/ some other way e.g. a user agent?). 
>  
> 2) Section 6: Sure, Federation component suppliers, IdPs etc will make use of the assessor guidelines, just as today, vendors use the SAML eGov Profile test plan (the test used to see if the requirement are met) to modify their products, rather than going to the SAML eGov Implementation Profile where the requirements live.  The test plan is not designed as a way for a developer to tick off the features in his product are present, but that is an unfortunate outcome of making an 'assessor guiidelines' public.
>  
> 3)Section 3: Exclusions. I do not agree with restricting the scope to IdPs only. What benefit are we offering the end user if the IDP is doing a great privacy aware/compliant job but the Fed broker or RP is crap?   It may be that in some trust frameworks a business decision may be made to restrict the scope of the assessors to IDPs (as FICAM has sort of done so far), but the PAC should self enforce such a restriction and leave everyone involved, with no guidance.
> 
> Now, I may well be mistaken and maybe I have not understood the objective correctly. If so, please please shoot me down! A double check with the ARB/IAWG about what they expect will put the matter to rest.
>  
> Cheers
> Colin
>  
> From: annaticktin at me.com
> Date: Wed, 22 Feb 2012 17:49:35 -0800
> To: wg-p3 at kantarainitiative.org
> CC: patrick.curry at federatedbusiness.org
> Subject: [WG-P3] REMINDER!! P3WG Telecon Thursday 23 Feb 2012 8h PT / 11h ET / 16h UTC
> 
> DIAL-IN:
>  
> LINE  A
> * Skype:+99051000000481
> * US Dial-In: +1-805-309-2350 | Conference ID: 402-2737
>  
>  
>  
> DATE:
> Thursday 23 Feb 2012
>  
> TIME:
> 8h PT / 11h ET / 16h UTC
>  
>  
> AGENDA:
>  
>  
> 1. Administrative:
>  
> Roll Call
>  
> Motion for minutes approval: 09 Feb 2012
>  
> (To review notes from last week's adhoc : 16 Feb 2012)
>  
> Open call for P3 Secretary nominations
>  
> Agenda confirmation
>  
> Action item review: 
> Ad hoc meeting with Bob Gelman on Privacy Assessment Criteria 
> Review of potential NSTIC proposal - Overcome By Events - see Kantara staff note 
>  
>  
> 2.  Privacy Assessment Criteria 
>  http://kantarainitiative.org/confluence/display/p3wg/Privacy+Assessment+Criteria+%28PAC%29  
> 
> [1] Review of proposed framework  (see attached)
> Editor's discussion on comments to date. 
> Next Steps 
> 
>  
> 3. Review of IAWG Report Additional Requirements for CSPs: US Federal Privacy Criteria 
> 
> [2] Recommendation to Leadership Council  (see attached)
> 
>  
> 4. Munich F2F 
> 
>  
> 5.AOB 
> 
> Adjourn 
>  
>  
>  
> [1]
>  
>  
>  
> [2]
>  
>  
>  
>  
> 
> _______________________________________________ WG-P3 mailing list WG-P3 at kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/wg-p3
> 
> This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e- mailpostmaster at equifax.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20120223/1af15045/attachment-0001.html

More information about the WG-P3 mailing list