Kantara Initiative Identity Assurance WG Teleconference
DRAFT Meeting Minutes - IAWG approval required
Date and Time
- Date: Thursday, 2016-03-10
- Time: 12:00 PST | 15:00 EST
- United States Toll +1 (805) 309-2350
- Alternate Toll +1 (714) 551-9842
- Conference ID: 613-2898
- International Dial-In Numbers
- Kantara IAF-1401 (Excel SAC) - ready for a vote?
- Review statement of requirements for SAC update task
- Reminder of presentation from Hannah Short of CERN
- Review of IAWG Charter
- Report out on TFS sync meeting
Link to IAWG Roster
As of 2015-11-05, quorum is 5 of 9
Meeting achieved quorum
- Scott Shorter (S)
- Ken Dagg (C)
- Andrew Hughes (VC)
- Richard Wilsher
- Lee Aber
- Paul Kaskey
- Christine Abruzzi
- Ruth Puente
Notes & Minutes
Motion to approve minutes of 2016-02-25: Andrew Hughes
Seconded: Lee Aber
Discussion: Andrew suggests minutes need Confluence artifacts removed, Scott agrees.
Action Item Review
- Scott to find link to action items and add to template for future coordination
Director's Corner Link
- Kantara Initiative has been incorporated, in the process of obtaining non-profit status.
- Colin Wallis has moved to UK and will serve as the executive director of KI
- UMA-DEV group is looking for funding under the CCICADA project.
- We should look for an email from Alan today about the incorporation.
1. Excel service assessment criteria - any new comments? Ken Proposes that we as IAWG approve the work tool and put it out for 45 day review. Scott seconds. Action item - Scott Shorter to follow up with Ruth on getting it out for 45 day review.
2. Statement of requirements update forthcoming, Ken apologizes for delay. Thanks for the comments thus far.
3. Presentation from Hannah Short from CERN April 7th 10am PST 1PM EST. Authentication and authorization for research security and incident response. Don't forget clocks change soon.
4. Take a look at IAWG charter and bring discussion forward with that. If no changes to make, please let us know. Last Charter
5. TFS solutions synch meeting. Frustration expressed that government people were not attending the meeting. KI and InCommon and SBP will be sending note to FICAM and NIST. If not the monthly meetings will be put on hold.
Discussion of the privacy audit criteria. OECD has privacy criteria, eight principles, collection limitation , data quality purpose specification, use limitation, security safeguards, openness participation, accountability. AI: Ken to send the text and the link to the test. "The privacy of the subject is respected" - high level mission statement.
RGW: we should keep an open mind whether existing criteria can simply be used as is, many existing criteria can be used for privacy when viewed correctly.
Andrew: a quick survey of what's out there, gap analysis, begin work.
Ken: what others do we know of?
Andrew mentions privacy by designengineering principles, FIPPS, FICAM, FCC's privacy rules.
Scott: is this worth trying to get KI funding for?
Andrew: do we need a scope or charter for this? Ken: will undertake to do that.
RGW: doesn't see the need for it. IS there a call from the marketplace for such a thing?
RGW: do agree that there needs to ba focus on how to interpret generic controls when you have privacy as a focus. Maybe approach is not to have privacy criteria per se, but to profile the criteria. Did the FIPPS principles, repurpose of existing SAC criteria. There's a gap in KI's ability to meet FICAM requirements,
Ken cites the reference to privacy requirements in TFPAP 2.0.2, 2014: https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNKRAA4&field=File__Body__s
Andrew: controlling documents - ICAM approved submission page: ICAM Approved Submission
Scott and RGW mention that privacy criteria are part of CSPs responsibility to cover compliance since that is not covered by the SAC. RGW creating a profile, to apply criteria in a specific context. Doesn't diminish criteria, shows how to use them In a particular context. Maximizes reuse.
Christine: IDESG is looking at complementary programs such as KI, for each program, come up with a way of on boarding the participants that are certified at a certain level.