Comparison of Certification Requirements
Draft
Columns of the mapping: IDEF v.1 Baseline Requirement reference; IDEF Baseline Requirement text; mapping to Kantara IAF 1400 SAC reference number and title; mapping to Kantara IAF US Federal Privacy Profile reference number and title; conformance disposition (F = Full, P = Partial, NE = Not Equivalent, NCR = No Comparable Requirement, N/A = Not Applicable); rationale for partial disposition; scope gap?; comments; IDESG & Kantara requirements mapping and conformance disposition confirmation.

PRIVACY-1. DATA MINIMIZATION
Requirement: Entities MUST limit the collection, use, transmission and storage of personal information to the minimum necessary to fulfill that transaction’s purpose and related legal requirements. Entities providing claims or attributes MUST NOT provide any more personal information than what is requested. Where feasible, IDENTITY-PROVIDERS MUST provide technical mechanisms to accommodate information requests of variable granularity, to support data minimization.
Kantara IAF 1400 SAC mapping: CO_ESM#030 Legal & Contractual Compliance; CO_NUI#020 Service Definition Inclusions; CO_ESM#050 Data Retention and Protection
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.3 Minimalism; 2.5 No Activity Tracking
Conformance disposition: F (Full)
Rationale and comments: Kantara IAF 1400 requirements do not specify data minimization, but the Kantara requirement of legal conformity would include data minimization for specific jurisdictions under FIPPs-based laws. Kantara requires compliance with laws; where data minimization is part of law, there may be partial coverage in the requirements. None of the IAF 1400 SACs address data minimization specifically; it would be dependent upon the Kantara assessor to determine which contractual/legal requirements would need to be reviewed/audited, and this may or may not include any data minimization laws/rules for the jurisdiction. The Kantara Privacy Profile addresses data minimization for the use and transmission of attribute information from the CSP to the RP and restricts data collection to information needed to support operation of the identity service or as required by law. This addresses the scope of PRIVACY-1 for the IDP/CSP functions covered by Kantara IAF.
Confirmation: Confirmed.

PRIVACY-2. PURPOSE LIMITATION
Requirement: Entities MUST limit the use of personal information that is collected, used, transmitted, or stored to the specified purposes of that transaction. Persistent records of contracts, assurances, consent, or legal authority MUST be established by entities collecting, generating, using, transmitting, or storing personal information, so that the information is consistently used in the same manner originally specified and permitted.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.3 Minimalism; 2.5 No Activity Tracking
Conformance disposition: F (Full)
Rationale and comments: The Kantara Privacy Profile limits the use and transmission of PII/attributes to those needed to support the AuthN/AuthR transaction and the operations needed to support the ID service. In addition, the Kantara Privacy Profile requires informed consent for any PII that is collected and released for AuthN/AuthR. Such consent may also include the expression of preferences for continuing approval/denial of release of PII/attributes as indicated at registration.
Confirmation: Confirmed.

PRIVACY-3. ATTRIBUTE MINIMIZATION
Requirement: Entities requesting attributes MUST evaluate the need to collect specific attributes in a transaction, as opposed to claims regarding those attributes. Wherever feasible, entities MUST collect, generate, use, transmit, and store claims about USERS rather than attributes. Wherever feasible, attributes MUST be transmitted as claims, and transmitted credentials and identities MUST be bound to claims instead of actual attribute values.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.3 Minimalism; 2.5 No Activity Tracking
Conformance disposition: P (Partial)
Rationale and comments: The Kantara Privacy Profile limits the use and transmission of PII/attributes to those needed to support the AuthN/AuthR transaction and the operations needed to support the ID service. In addition, the Kantara Privacy Profile requires informed consent for any PII that is collected and released for AuthN/AuthR; such consent may also include the expression of preferences for continuing approval/denial of release of PII/attributes as indicated at registration. However, the Kantara Privacy Profile does not address the additional requirement in PRIVACY-3 to collect, use and transmit claim information rather than PII/attribute information.
Confirmation: Confirmed.

PRIVACY-4. CREDENTIAL LIMITATION
Requirement: Entities MUST NOT request USERS’ credentials unless necessary for the transaction and then only as appropriate to the risk associated with the transaction or to the risks to the parties associated with the transaction.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: (none cited)
Conformance disposition: NCR/N/A (No Comparable Requirement / Not Applicable)
Rationale and comments: In general, PRIV-4 is intended to apply to relying parties and transaction intermediaries that may require attribute information beyond the AuthN transaction for AuthR/access. This is beyond the scope of the IAF 1400 SAC and the Federal Privacy Profile.
Confirmation: Confirmed.

PRIVACY-5. DATA AGGREGATION RISK
Requirement: Entities MUST assess the privacy risk of aggregating personal information, in systems and processes where it is collected, generated, used, transmitted, or stored, and wherever feasible, MUST design and operate their systems and processes to minimize that risk. Entities MUST assess and limit linkages of personal information across multiple transactions without the USER's explicit consent.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: 2.5 No Activity Tracking
Conformance disposition: F (Full)
Rationale and comments: The Kantara Privacy Profile precludes activity tracking and the disclosure of information that would enable activity tracking.
Confirmation: Confirmed.

PRIVACY-6. USAGE NOTICE
Requirement: Entities MUST provide concise, meaningful, and timely communication to USERS describing how they collect, generate, use, transmit, and store personal information.
Kantara IAF 1400 SAC mapping: CO_NUI#010 General Service Definition; CO_ESM#050 Data Retention and Protection; CO_ESM#055 Termination Provisions; CO_NUI#030 Due Notification; CO_NUI#040 User Acceptance; ID_POL#030 Published Proofing Policy
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.6 Adequate Notice
Conformance disposition: F (Full)
Rationale and comments: Kantara 1400 notice terms, taken together, do not fulfill the requirements specified in the IDESG USAGE NOTICE requirement; the specific IDESG requirements are not all covered in the related Kantara requirements. Kantara 1400 notice and service description criteria are general in nature and do not represent a PII usage notice covering how PII is stored, used and transmitted as specified in PRIV-6. However, the Kantara Privacy Profile addresses PRIVACY-6 fully: it requires adequate notice and informed consent for the ID services and for PII/attribute collection, use and release, and the ability to change or cancel preferences at any point.
Confirmation: Confirmed.

PRIVACY-7. USER DATA CONTROL
Requirement: Entities MUST provide appropriate mechanisms to enable USERS to access, correct, and delete personal information.
Kantara IAF 1400 SAC mapping: CO_NUI#070 Change of Subscriber Information; CM_IDP#010 Revision to Subscriber Information
Kantara US Federal Privacy Profile mapping: (none cited)
Conformance disposition: F (Full)
Rationale and comments: Kantara IAF 1400 LOA 2, 3 and 4 address PRIVACY-7 fully.
Confirmation: Confirmed.

PRIVACY-8. THIRD-PARTY LIMITATIONS
Requirement: Wherever USERS make choices regarding the treatment of their personal information, those choices MUST be communicated effectively by that entity to any THIRD-PARTIES to which it transmits the personal information.
Kantara IAF 1400 SAC mapping: CO_ESC#010 Contracted Policies and Procedures
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent
Conformance disposition: P (Partial)
Rationale and comments: If USERS’ "choices regarding the treatment of their personal information" under the IDESG requirement are considered "critical policies, procedures, and practices sub-contractors are required to fulfill" under Kantara, then PRIV-8 may be addressed by CO_ESC#010; otherwise this requirement is not addressed in IAF 1400 or the Kantara Privacy Profile. PRIV-8 may be addressed by SAC CO_ESC#010 to the extent that there are clear contracts/agreements among federated entities that specifically address this requirement. The Kantara Privacy Profile requires a policy/agreement between CSP and RP on the PII/attributes needed for AuthN/AuthR; however, this does not address preferences on how such information may be used/released. PRIV-8 requires that the CSP pass on user preferences in a controlled, secure manner. The SACs are silent on this.
Confirmation: Confirmed.

PRIVACY-9. USER NOTICE OF CHANGES
Requirement: Entities MUST, upon any material changes to a service or process that affects the prior or ongoing collection, generation, use, transmission, or storage of USERS’ personal information, notify those USERS, and provide them with compensating controls designed to mitigate privacy risks that may arise from those changes, which may include seeking express affirmative consent of USERS in accordance with relevant law or regulation.
Kantara IAF 1400 SAC mapping: CO_NUI#030 Due Notification
Kantara US Federal Privacy Profile mapping: (none cited)
Conformance disposition: F (Full)
Rationale and comments: Requirements are generally equivalent, but note that the Kantara 1400 and Privacy Profile requirements do not include compensating controls, and instead anticipate a binary decision of "accept or terminate."
Confirmation: Confirmed.

PRIVACY-10. USER OPTION TO DECLINE
Requirement: USERS MUST have the opportunity to decline registration; decline credential provisioning; decline the presentation of their credentials; and decline release of their attributes or claims.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.2 Optional Participation; 2.6 Adequate Notice
Conformance disposition: F (Full)
Rationale and comments: PRIVACY-10 is fully addressed by the Kantara Privacy Profile.
Confirmation: Confirmed.

PRIVACY-11. OPTIONAL INFORMATION
Requirement: Entities MUST clearly indicate to USERS what personal information is mandatory and what information is optional prior to the transaction.
Kantara IAF 1400 SAC mapping: (none cited)
Kantara US Federal Privacy Profile mapping: 2.1 Informed Consent; 2.6 Adequate Notice
Conformance disposition: F (Full)
Rationale and comments: The Kantara Privacy Profile does not address "optional information"; however, 2.1 and 2.6 clearly require notice and informed consent for the collection, use and transmission of PII/attribute information, and logically this would include any information that is "optional" but still required.
Confirmation: Confirmed.

PRIVACY-12. ANONYMITY
Requirement: Wherever feasible, entities MUST utilize identity systems and processes that enable transactions that are anonymous, anonymous with validated attributes, pseudonymous, or where appropriate, uniquely identified. Where applicable to such transactions, entities employing service providers or intermediaries MUST mitigate the risk of those THIRD-PARTIES collecting USER personal information. Organizations MUST request individuals’ credentials only when necessary for the transaction and then only as appropriate to the risk associated with the transaction or only as appropriate to the risks to the parties associated with the transaction.
Kantara IAF 1400 SAC mapping: CM_VAS#040 No Pseudonyms; ID_POL#010 Unique Service Identity; ID_POL#020 Unique Service Identity; CM_CRN#090 Nature of Subject
Kantara US Federal Privacy Profile mapping: 2.4 Unique Identity
Conformance disposition: P (Partial)
Rationale and comments: Kantara 1400 requirements appear to be contrary to the IDESG requirement. The Kantara Privacy Profile requires use of a unique identifier when identity/PII is not required for AuthN/AuthR. However, neither IAF 1400 nor the Kantara Privacy Profile addresses the PRIVACY-12 requirement to enable anonymity and pseudonymity.
Confirmation: Confirmed.

PRIVACY-13. CONTROLS PROPORTIONATE TO RISK
Requirement: Controls on the processing or use of USERS' personal information MUST be commensurate with the degree of risk of that processing or use. A privacy risk analysis MUST be conducted by entities who conduct digital identity management functions, to establish what risks those functions pose to USERS' privacy.
Kantara IAF 1400 SAC mapping: CO_ISM#030 Risk Management
Kantara US Federal Privacy Profile mapping: (none cited)
Conformance disposition: NCR (No Comparable Requirement)
Rationale and comments: IDESG specifies privacy risk analysis, while the Kantara requirement applies more generally to security risks. PRIV-13 requires risk assessment for privacy controls; SAC CO_ISM#030 addresses risk assessment for security controls. These are different purposes, and there is no assurance that a risk assessment under the cited SAC would address privacy risks. The Kantara Privacy Profile does not address privacy risk assessment.
Confirmation: Confirmed.

PRIVACY-14. DATA RETENTION AND DISPOSAL
Requirement: Entities MUST limit the retention of personal information to the time necessary for providing and administering the functions and services to USERS for which the information was collected, except as otherwise required by law or regulation. When no longer needed, personal information MUST be securely disposed of in a manner aligning with appropriate industry standards and/or legal requirements.
Kantara IAF 1400 SAC mapping: CO_ESM#050 Data Retention and Protection; CO_ESM#055 Termination Provisions
Kantara US Federal Privacy Profile mapping: 2.7 Termination
Conformance disposition: F (Full)
Rationale and comments: The Kantara requirement applies the "legal" limit on retention as a ceiling, whereas IDESG sets the legal limit on retention as a floor. Kantara does not require the entity to limit retention to the time necessary for providing the function, as IDESG does (except where that text is part of FIPPs-based law). The Kantara Privacy Profile adds a requirement beyond IAF 1400 for the protection and destruction of any PII/sensitive information as soon as it is no longer required to be retained.
Confirmation: Confirmed.

PRIVACY-15. ATTRIBUTE SEGREGATION
Requirement: Wherever feasible, identifier data MUST be segregated from attribute data.
Kantara IAF 1400 SAC mapping: CM_CRN#090 Nature of Subject
Kantara US Federal Privacy Profile mapping: (none cited)
Conformance disposition: NE (Not Equivalent)
Rationale and comments: The Kantara requirement suggests linking attributes and identifiers. This baseline requirement is not addressed in the Kantara Privacy Profile.
Confirmation: Confirmed.

INTEROP-4: STANDARDIZED DATA EXCHANGES
Requirement: Entities that conduct digital identity management functions MUST use systems and processes to communicate and exchange identity-related data that conform to public open STANDARDS.
Kantara IAF 1400 SAC mapping: LOA 4: CM_CPP#020 Certificate Policy/Certification Practice Statement
Kantara US Federal Privacy Profile mapping: 2.10 Technology Requirements
Conformance disposition: F (Full)
Rationale and comments: As cited in the Compare Tool, IAF 1400 CM_CPP#020 Certificate Policy/Certification Practice Statement fully addresses LOA 4, owing to PKI technology and the requirement to conform to RFC 3647 based on X.509 v3. This satisfies INTEROP-4 for LOA 4; LOA 2 and 3 are non-PKI. Privacy Profile 2.10 requires conformance to the ICAM-approved assertion profiles for levels 2 and 3. The approved FICAM protocols, SAML 2.0 and OpenID 2.0, are both public open standards. Therefore, INTEROP-4 is fully addressed at LOA 2, 3 and 4.
Confirmation: Confirmed.

INTEROP-7: USER REDRESS
Requirement: Entities MUST provide effective mechanisms for redress of complaints or problems arising from identity transactions or the failure of the entity to comply with the IDESG Baseline Requirements. These mechanisms MUST be easy for USERS to find and access.
Kantara IAF 1400 SAC mapping: NCR (no comparable requirement)
Kantara US Federal Privacy Profile mapping: 2.9 Dispute Resolution
Conformance disposition: F (Full)
Rationale and comments: Kantara Privacy Profile 2.9 addresses INTEROP-7 fully.
Confirmation: Confirmed.