[Wg-p3] Wg-p3 Digest, Vol 3, Issue 22

Patrick Curry patrick.curry at clarionidentity.com
Mon Sep 21 13:16:57 PDT 2009


Mark

I see things in an international, multijurisdictional world where privacy
has strict legal definitions that make no meaningful legal distinction
between Open and Closed ID systems with regard to rights and policy; that
distinction is not regulatory (today) but probably contractual. To my mind
(and most of the government folks I work with internationally), Levels of
Assurance only work in a federated environment where they relate to the risk
mitigation policies, procedures and measures for multiple policy domains,
i.e. each organisation will put in place a set of measures etc. to satisfy
multiple policy domains (it has no choice), where each nation's privacy
legislation/regulation is a single policy domain. So, I would argue that
the LoA stack (M0404 or whatever) covers all policy domains including
privacy, or the LoA doesn't work.

Interestingly, in the UK, the national technical security authority CESG
(equivalent to NSA in USA) is now responsible for all regulatory policy
domains, including privacy. So, is there someone in the US NSA who is
responsible for technical security policy with regard to privacy?  And could
they join P3WG?  (note that UK CESG has just been invited).

In reality, the bigger problems we face are:
- the differences between European and US privacy legislation
- the relative lack of US government push for privacy in the Kantara
Initiative (judging by recent KI correspondence) although DHS has been vocal
and it might be good to get their input. 

How do we fix these? (Robin W?- ;-)

Tuppence/two pence worth...


yours sincerely

Patrick

Patrick Curry
Director
Clarion Identity Ltd
M:   +44 786 024 9074
T:   +44 1980 620606
patrick.curry at clarionidentity.com 



-----Original Message-----
From: wg-p3-bounces at kantarainitiative.org
[mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of
wg-p3-request at kantarainitiative.org
Sent: 21 September 2009 20:00
To: wg-p3 at kantarainitiative.org
Subject: Wg-p3 Digest, Vol 3, Issue 22


Today's Topics:

   1. A Suggested Policy Demarkation Point: Open Vs. Closed
      Identity Systems (Mark Lizar)
   2. Re: A Suggested Policy Demarkation Point: Open Vs. Closed
      Identity Systems (Brett McDowell)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Sep 2009 11:55:31 +0100
From: Mark Lizar <info at smartspecies.com>
Subject: [Wg-p3] A Suggested Policy Demarkation Point: Open Vs. Closed
	Identity Systems
To: wg-p3 at kantarainitiative.org
Message-ID: <880B404E-0F39-4EDC-B906-28D70465CFC9 at smartspecies.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed";
	DelSp="yes"

Hello All,

I have been pondering the merits of a more explicit policy paradigm
between open vs closed ID systems, and a discussion about this for the
working group.

The issue being that public policy in closed identity systems, or
systems with limited user driven/managed/volunteered access, needs a
different type of policy than open, user controlled systems. In
addition, I wonder if this type of conversation may actually provide a
very useful distinction for Kantara driven activities?

Behind the distinction of open and closed there is a great deal of
ideological, philosophical, technical, jurisprudential, and sociological
thought that can be sorted and contributed to both sides of the open
and closed identity paradigm. A discussion in this light might reveal
a significant difference in public/privacy policy needed for these
very different types of applied identity technologies. From what I
understand a great deal of the work done in Kantara is for open ID
systems? Does an open identity system need different levels or types
of assurance for privacy than closed identity systems?

E.g. Open ID systems, social networking: these are user controlled, so
adequate tools need to be in place for the user to control the policies,
and these policies need to be enforceable by the user, even against the
owner of the social networking site.

E.g. Closed ID systems: enterprise, healthcare, ID cards, drivers'
licenses, phone numbers, direct marketing. A policy-explicit example
for the use of a closed ID system may be the need to mandate against
function creep and to design around very specific purposes etc. (use
U-Prove technology etc.). With risk management, the different types of
publicly usable transparency, access, and control are more specific to
constitutional rights, rather than contract rights.

Do others think this would be a useful distinction to make and a point
to discuss?

Overall, it seems current events are pushing the agenda of this
working group, starting with the OpenID/InfoCard initiative, and the
letter this group has worked on for ICAM. Now the news of this round
table, the FTC roundtable, can also be used as an "agenda driver" to
get things moving. In this sense I think it would be difficult to
develop policy with any force or meaning if the policy didn't first
engage with the wider Kantara community. I propose that we use the
roundtable as an opportunity to take the FTC questions, develop a
survey, pilot it in our working group, then vote on passing the survey
around the working groups to start a process of developing a common
policy platform for this working group.

My two cents worth,


- Mark Lizar

------------------------------

Message: 2
Date: Mon, 21 Sep 2009 08:48:20 -0400
From: Brett McDowell <email at brettmcdowell.com>
Subject: Re: [Wg-p3] A Suggested Policy Demarkation Point: Open Vs.
	Closed Identity Systems
To: Mark Lizar <info at smartspecies.com>
Cc: wg-p3 at kantarainitiative.org
Message-ID:
	<e7e278330909210548p4927ed4fxa1960bef31dba26c at mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Mark, I think you need to explicitly define the boundary between what
you refer to as "open" vs "closed".  After reading this I don't know
what you are thinking is the clear distinction between the two.

If I were to guess, it looks a bit like:

OPEN = the credential being used to access the resource was not
provisioned by either the entity managing the resource or a 3rd-party
under contract with the entity managing the resource.

CLOSED = the credential being used to access the resource was
provisioned by either the entity managing the resource or a 3rd-party
under contract with the entity managing the resource.

Is that what you mean?  If it is, I'm not sure that's a popular
definition for CLOSED.


Brett McDowell | http://info.brettmcdowell.com |
http://kantarainitiative.org






------------------------------
