Rainer Hoerbe, Kismed, Austria
Sal D’Agostino, ID Machines, USA
Thomas Grundel, IT Crew, Denmark
Colin Wallis, DIA NZ Govt, NZ
Mark King, UK (Special Guest)
Minute taker: Rainer.
June minutes need approval. Minutes review/approval was not done due to lack of quorum.
We are welcoming James Glennon (Delta, British Columbia) and Andre Boysen (SecureKey) both of Canada who joined in August!
Related material: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
The e-signature Directive did not have the desired effect. There is only one provider in the UK and just one certificate; there are more in Germany, Spain, Portugal and Estonia, but overall user uptake is minimal.
In general the EC can only propose items within its scope of competence. This regulation is perceived by some Member States (MS) as a “back way in” to get action in the area by requiring a specific method/approach, augmented through ‘discretionary instruments’ (enabling acts, where the EC is given permission to go off and produce something; this empowers the EC to leave a lot of material open, to be sorted out in the future. It might be perfect in a given context, but the cost is not clear, and an impact assessment is needed). The regulation tries to impose eID functionality by regulating what MSs are required to do for interoperability, although eID is not within the EC’s scope of competence. The proponents claim they are not requiring governments to change their local systems, which is unrealistic.
There are two parts of the regulation: eID, and provision of electronic trust services.
These are intertwined, but separate. The internal market provisions (Article 4) cover the trust service part, but do not include eID services, because these are a national concern. The suggested benefit of “legal certainty” is irrelevant to common law countries, and this is not understood by civil law countries. The UK, Cyprus, Ireland and Malta (like the US and Hong Kong, common law countries that resort to the law only to resolve disputes) do not align with the civil law basis of the proposed regulation.
Government notification is optional. -> Why notify? Because it allows their citizens (and other residents) to use their local IdPs to vouch for their identity when transacting with other MSs, even local councils. This would need to be provided for free, with unlimited liability and no limit on application. Which government agency will put that risk and expense on its priority list? The timescales for that interop process/requirement to bed in are very tight.
The project team working on the regulation relied on expertise in Brussels. At a presentation in August for outside experts there were no opportunities for Q&A or feedback, and no new information was provided. This raised questions of whether correct process has been followed for the development.
Concern in UK, US -> uniqueness is a problem; there is no common citizen or organisation register, and one will not happen in the near future. Matching to a unique identifier will be very hard or expressly forbidden.
Interop is a major issue in the regulation. It is premised on the assumption of national systems with a unique identifier to be federated. There is no comparable system in the UK; for example, the Scottish Card might be expected to interoperate but wasn't designed to.
There is strong support in the EC to do things that support STORK. However, the risk management needs are not the same for different groups. Government-imposed regulations, like KYC for banks, are not in line with their real business interest. Other industries do have an interest in vetting their partners. Little information is available on what kind of LoA is required for their services, or on adoption rates at the various levels. Low use leads to ‘forgot password’ issues, for example when a credential is only used once per year. Funding issues.
Mutual recognition in the proposed EU regulation does not line up with international standards, like ISO and trust framework developers like Kantara.
The consultation is closing soon. Consultations from groups that represent multiple countries and industries are better regarded than single voices. Can Kantara co-ordinate a response?
Addendum: The UK originally planned a service for secure delivery of online public services. -> The agency doing it stopped funding it and unilaterally transferred it elsewhere, where it has stalled. Within the Security Policy framework there is a series of Good Practice Guides (GPGs) to assist: RSDOPS, Requirements for Secure Delivery Of Public Services (43); Credentials (44); Validation and Verification of People (45) and Organisations (46, not yet published). However, the LoAs in different aspects under RSDOPS are (intentionally) distinct and do not simply line up.
Status report from Colin
AI: publish it -> Colin
Status report from Colin
Letter is ready, check again for more target names, go ahead with the next F2F meeting.
Related material on this wiki.
Report from Rainer.
Report from Rainer
AI: Rainer move outside contributions.
Who is attending? Colin. Rainer and Thomas will not be able to join.
What topics will we work on? We will work with the other groups present where the work intersects. The “unofficial” F2F in August was well attended; single room; good agenda with common areas of interest. That format will be used again.