Kantara Initiative Identity Assurance WG Teleconference
DRAFT Meeting Minutes - IAWG approval required
Date and Time
- Date: Thursday, 2016-04-07
- Time: 12:00 PST | 15:00 EST
- United States Toll +1 (805) 309-2350
- Alternate Toll +1 (714) 551-9842
- Conference ID: 613-2898
- International Dial-In Numbers
- Privacy Criteria development - discussion of approach
- Approve statement of requirements for SAC update task
- Review of IAWG Charter
- Status update on AL2_ID_RPV#020 change
Link to IAWG Roster
As of 2015-11-05, quorum is 5 of 9
Meeting achieved || did not achieve quorum
- Andrew Hughes
- Rene McIver
- Ken Dagg
- Russ Weiser
- Scott Shorter
- Lee Aber
- Adam Madlin
- Paul Casley
- Christine Abruzzi
- Colin Wallis
Notes & Minutes
Motion to approve minutes of 2016-03-10: Andrew Hughes
Seconded: Adam Madlin
Action Item Review
- Scott to add a link to the action items page to the meeting minute template, and to figure out how to use the action items page.
Director's Corner Link
- Organizational updates, Kantara funding is coming along.
- Discussion of connected life, IoT, UMA, etc., and what else Kantara would get involved in (e.g. blockchain). Ken and Andrew discussed starting a relying party working group to focus on their needs. There are funded projects in the UMA and the consent and information sharing working groups. We will talk about the IAWG project. Kantara will be well represented at IIW, the European Identity Conference and the Cloud Identity Summit. Email Andrew, Ken or Colin for a discount coupon.
- Next call
Privacy Criteria development - discussion of approach
How do we develop privacy criteria? Are the criteria associated with levels of assurance, or do they cut across all LOAs? Should we create content or follow standards groups that have created guidelines?
There are federal privacy criteria that are an add-on to the core criteria of the SAC. This work came to the IAWG when the privacy working group of Kantara shut down. What set of privacy criteria should go into the Kantara service assessment criteria?
Adam asks if there's a request to do this. Ken reports that the P3 working group (privacy principles/p-something??) did some work and contributed it to IAWG. IAWG agreed to start the conversation on whether we need them and, if so, which.
Adam responds that other jurisdictions may have different requirements. Paul responds that safe harbor and other issues have been a big deal due to InCommon's global reach. FERPA information release has to be described in privacy policies. Students need to give permission to take a course; that turns out not to be consent. There were issues on the research side with federated partners in Europe.
Russ Weiser agrees with that point and agrees there need to be privacy statements available. FICAM and connect.gov want consent on every attribute share; there are ways to do it once instead. This crosses multiple areas. Is there a way to know that the attributes have been shared before? Paul points out there's an NSTIC grantee that's working on this, including finer granularity and revocable consent. The InCommon ecosystem is straining with lack of data sharing, so a consent approach would help.
The consent and organization sharing group is trying to solve the same problem with consent receipts.
Andrew summarizes that there does seem to be a need. Do we need a white paper first? Do we need research into privacy frameworks? Do we need to recruit new folks that are more privacy oriented in their work lives?
Ken agrees with the need. Is this possibly a new discussion group? Andrew isn't sure that would result in quick action. If the objective is to help CSPs demonstrate compliance with privacy requirements.
Paul says that this seems right for a trust mark to him.
CSPs do have to answer a lot of personal questions; a trust mark could help.
Russ Weiser observes that older generations would not understand trust marks. Suggests someone put together a spreadsheet of the approaches being followed.
Google research on data privacy laws - compendium of privacy laws available.
Scott to ping Jenn Behrens to inquire about a survey of privacy law requirements.
Status update on AL2_ID_RPV#020 change
There was a discussion of this in January on new wording for the criteria in question. It has to do with evidence checks and verifying information. Russ had put forward a question resulting in a proposed change, saying that dynamic verification of personal information previously provided by or likely to be known by the applicant.
Russ restates the problem: current practices and 800-63, Verizon must collect government ID and account number for LOA2. Then it says verify against one or the other. If CSPs do not verify the account number information, then there shouldn't be a requirement as a KBA at LOA2.
Russ makes a motion to update the evaluation criteria to collect and approve the minor changes in the SAC so we can get them approved. Andrew seconds that motion. The motion carries.
Approve statement of requirements for SAC update task
The update task has been around to rewrite the document in objective-oriented terms. Once IAWG approves the requirements, they go to the leadership council and then the board of directors. If approved all the way up, a request for proposals will go out.
Action for Ken to send it in the current version. Next week's agenda will have a vote on it.
Review of IAWG Charter
Each working group should look at its charter each year. We're overdue by a number of months, so Andrew is looking for volunteers to read the charter and see if it makes sense or, barring that, one or two people to help Andrew read it. Scott will participate. Ken calls for participation by non-leadership. Andrew clarifies that the changes will come to the group for endorsement.
For the group's knowledge: E-gov is working with InCommon to develop a new egov profile, and should have something to evaluate in a week or two. Colin clarifies that InCommon built a profile, a mapping was done, and InCommon is being asked to incorporate the gaps.