[Wg-p3] Wg-p3 Digest, Vol 2, Issue 27

georgia-marsh at sbcglobal.net georgia-marsh at sbcglobal.net
Mon Aug 17 15:21:35 PDT 2009


Leave it to the US government to create "magic" - with or without wizards - black magic!

(A little levity from an ex-fed)

Georgia

-----Original Message-----
From: "Patrick Curry" <patrick.curry at clarionidentity.com>

Date: Mon, 17 Aug 2009 22:16:33 
To: <wg-p3 at kantarainitiative.org>
Subject: Re: [Wg-p3] Wg-p3 Digest, Vol 2, Issue 27


Guys,
The US M-0404 originated from a UK Cabinet Office document sometime before
Harry Potter.  Whilst USG did some magic with M-0404, the wizards in London
didn't have the right ingredients. Consequently, the original document has
been replaced in UK by something more complicated.  UK has 4 Levels of
assurance particularly for the Government Gateway, but these do not map
properly to M-0404.  To my mind, the UK version is weaker and never reaches
0404 level 4, or possibly even 3, because its technology specification is
too weak.  This is a discussion yet to be had.  

Whereas US is predominantly rule-centric, e.g. NIST instruction, UK is ISO
27001 risk management centric.  Problem is that ISO 27001 doesn't fit well
with federation, whereas NIST documents assume federation in many areas.
The UK focus on risk is measured in Impact Levels (ILs) which are the main
currency for assessing local business systems, and EALs which are the
Evaluation Assurance Level for a technical solution.  

I may be able to shortcut the problem you describe as I am with the PMA for
the UK Government Gateway tomorrow and will ask him for the definitive UK
policy documents and also for guidance on how to deal with the problem we
face, i.e. rule compliance (US view) vs local risk assessment (UK view), in
order that (1) UK could accept a US credential and (2) international
federation could work.  

Interesting times.  I really hope Kantara is going to help with some golden
solutions to these sorts of problems.

yours sincerely

Patrick

Patrick Curry
Director
Clarion Identity Ltd
M:   +44 786 024 9074
T:   +44 1980 620606
patrick.curry at clarionidentity.com 



-----Original Message-----
From: wg-p3-bounces at kantarainitiative.org
[mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of
wg-p3-request at kantarainitiative.org
Sent: 17 August 2009 20:00
To: wg-p3 at kantarainitiative.org
Subject: Wg-p3 Digest, Vol 2, Issue 27


Today's Topics:

   1. Re: Conference call reminder: Thursday 20th August (Robin Wilton)
   2. Re: LoA and other cross-WG topics... (Robin Wilton)


----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Aug 2009 19:13:54 +0100
From: "Robin Wilton" <futureidentity at fastmail.fm>
Subject: Re: [Wg-p3] Conference call reminder: Thursday 20th August
To: "Kantara P3WG" <wg-p3 at kantarainitiative.org>
Message-ID: <1250532834.25572.1330259845 at webmail.messagingengine.com>
Content-Type: text/plain; charset="us-ascii"

Thanks Bob -

If you have a link to that Cabinet Office document on LoA, please
can you forward a URL? I have failed to find it on the Cabinet
Office site, despite searching for a while :^(

That said, I am sure that the Cabinet Office strategy is based on
an appreciation of more than one LoA. For instance, for the UK
Government Gateway architecture, I have seen a full 4-layer model
which I am sure corresponds closely to the US one.

However, you raise an entirely legitimate question, of what P3WG
should do about cases where our discussion spans this kind of
boundary and reveals some inconsistency between a model in one
country and another (or one industry and another, or whatever).

I am very reluctant to suggest that we should, in that case,
define a third, "P3WG", model which tries to iron out the
differences: the odds of either of the other parties ditching
their own model and adopting ours would seem negligible. My
favoured approach would be that we

1) write a clear summary of the difference/inconsistency, citing
as appropriate;

2) note what we think are the implications, and - if we can -
suggest how the difference/inconsistency might be resolved.

We need to bear in mind that if that suggestion boils down to
"either or both parties have to change their policies", again, we
are unlikely to have much effect. On the other hand, if we
approach it from the point of view of a stakeholder trying to
comply with both systems (for instance, one of Patrick's defence
contractors which has to operate under the UK and US systems),
and if we can offer them advice about how to manage the "step
up"/"step down" required in either direction, that would be
exactly the kind of thing worth publishing and making available
via our P3WG site for future reference.


Yrs.,
Robin
Robin Wilton

Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance


www.futureidentity.eu
+44 (0)705 005 2931
====================================================================
Structured consulting on digital identity, privacy and public policy
====================================================================
Future Identity is a limited company number 6777002, registered in England &
Wales


------------------------------

Message: 2
Date: Mon, 17 Aug 2009 19:36:30 +0100
From: "Robin Wilton" <futureidentity at fastmail.fm>
Subject: Re: [Wg-p3] LoA and other cross-WG topics...
To: "Bob Pinheiro" <kantara at bobpinheiro.com>
Cc: Kantara P3WG <wg-p3 at kantarainitiative.org>
Message-ID: <1250534190.29187.1330267433 at webmail.messagingengine.com>
Content-Type: text/plain; charset="us-ascii"

 Bob, Patrick  -

Sorry - I didn't want to make my previous response any longer -
but I also agree that the whole LoA question (whether for govt.,
commercial, social networking, VPI use or combinations of the
above) raises issues which would best be addressed
collaboratively by the Kantara WG/DG community... and look
forward to working out how we do that.

Yrs.,
Robin

On Mon, 17 Aug 2009 13:07 -0400, "Bob Pinheiro"
<kantara at bobpinheiro.com> wrote:

...
I've raised a number of points here that I think are also
relevant to other WGs such as the Identity Assurance WG, Consumer
Identity WG, and the (proposed) User Login Experience WG.


------------------------------

_______________________________________________
Wg-p3 mailing list
Wg-p3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org


End of Wg-p3 Digest, Vol 2, Issue 27
************************************


