[WG-P3] [WG-UMA] NSTIC Privacy Workshop

Salvatore D'Agostino sal at idmachines.com
Thu Jun 23 08:18:54 EDT 2011



I will bring it up on the call, and I assume it got to the group in my last
reply (and copied again here).  The references you provide really are "soft
balls" for UMA and we should take advantage of this opportunity, imo. I will
also be on the NSTIC-DG call and can report in with or in support of UMA.


With regard to FICAM, the 25 February draft guidance document (aka part B)
references privacy considerations and FIPP in 6.3, is your thought that we
can build on this as best practice and supporting policy, as you mentioned,
or would you want to leverage FICAM or include it in other contexts?  There
is the references in this section to the TFPAP and since Kantara is on
board, Kantara then also has built in privacy in the Kantara TFPAP process.
In both (UMA, Kantara TFPAP) these cases privacy is fundamental, which is
really the best way to make sure it gets addressed.  So you have pointed us
to another item we can reference in a response by the NSTIC-DG.  Thanks.






From: Mark Lizar [mailto:mark at smartspecies.com] 
Sent: Thursday, June 23, 2011 7:55 AM
To: Salvatore D'Agostino
Cc: Kantara P3WG
Subject: Re: [WG-UMA] NSTIC Privacy Workshop


Hi Salvatore, 


That sounds like a great idea. The NSTIC Objectives
<http://www.nist.gov/itl/upload/objectives_nstic-privacy-workshop.pdf>   for
the workshop concludes with,


"The Strategy recognizes that privacy-enhancing technologies can play an
important role in creating a 

user-centric identity model, but there may be hurdles to developing
widespread use of such 

technologies.  In addition to hurdles to adoption, the workshop will also
consider additional challenges 

that may arise in designing or implementing privacy protections for the
Identity Ecosystem and issues 

associated with implementing those privacy protections, such as increased
operational complexity 

organizations must deal with in an environment of multiple international
privacy frameworks and 

creating enforcement mechanisms for maintaining privacy protections. "


I think it is definitely worth discussing the proposition that UMA both
address the privacy by design requirements for NSTIC and the  need to
address 'multiple international privacy frameworks'. 


A high level summary/picture may go a very long way for UMA at the workshop
next week.  In addition, P3 may be able to support UMA in advocacy of UMA as
a way to address Privacy and Public Policy in the National Strategy. 


Best Regards, 






On 23 Jun 2011, at 12:43, Salvatore D'Agostino wrote:



I will be there and would be happy to contribute, while not an active member
of p3, I am a member of UMA and believe that user control and UMA's ability
to enable this has the does enable the first guiding principle of NSTIC
"privacy enhancing and voluntary".  I am close to the FICAM process and ICAM
is part of our practice and as extend this to the enterprise as well as the
Fed, state and local infrastructures.  Let me know.


So here is pass.  I would go further in the statement below saying that UMA
by making user control a tenet of the design does (as opposed to may) build
privacy in through allowing individuals to protect personal information and
resources and control access to these resources by requesters.  UMA's use of
an authorization manager to establish the policy and manner in which
individual attributes and information are handled as protected resources, as
opposed to generally available information, in cyberspace.  There is an UMA
call today.  Perhaps the group could draft/comment on this statement and
take up your good idea.






From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Mark Lizar
Sent: Thursday, June 23, 2011 6:17 AM
To: Kantara P3WG
Cc: WG UMA; dg-nstic at kantarainitiative.org
Subject: [WG-UMA] NSTIC Privacy Workshop



Hello All, 


A reminder that there is a NSTIC Privacy Workshop on Monday.  To this end I
am wondering if P3/NSTIC-DG members would like to submit a paper or
statement to this workshop? 


I believe that there are two P3 members that will be attending who may be
able to deliver this input personally. I realise that this is very short
notice to organise input, but if members are interested in submitting I
would be happy to edit and contribute to this input on behalf of P3.    We
mentioned last week that we are not going to have a call to organise input
today.  Instead there is a NSTIC-DG call tomorrow where input can be
collated and discussed. 


Workshop Information


Start Date: Monday, June 27, 2011

End Date: Tuesday, June 28, 2011



(1) Objectives
<http://www.nist.gov/itl/upload/objectives_nstic-privacy-workshop.pdf>  of
Privacy Workshop

This workshop will discuss the privacy-enhancing objectives of the National
Strategy for Trusted Identities in Cyberspace (NSTIC) and how to effectively
implement them in the Identity Ecosystem Framework, including issues
involved with overcoming the challenges of establishing user-centric privacy
protections. The goal of this workshop is to provide a venue for discussion
about developing workable policies, practices and guidelines for privacy
protections as well as effective means of implementing these protection 


Existing Input


Some Privacy related input from last week's call may be a good place to
start.   Here is some salient points that were made in regards to Privacy. 

*	How is privacy going to be represented on the steering committee?
*	How will privacy decisions be made by the steering committee?
*	Kantara has a good model of governance to draw upon for response,
*	A Kantara response may include representing international standards
in privacy.  Suggestions were made that  the steering committee will need to
represent standards community according to particular areas of governance.
Assessment criteria and process will be needed for each of these areas.
FICAM being one of them.

In addition, last week we discussed how education was a critical part to
understanding privacy in the context of NSTIC.  Education in this respect
may be a critical point of discussion at the workshop.  In this regard,
contextual understanding of the use of identity in a national strategy may
also be very valuable for understanding the international aspects of privacy
the NSTIC strategy may need to include. 


(Maybe something along the lines of) 

Increased control of identity for individuals (an NSTIC objective) reduces
the sharing and exposure of data and in this way fundamentally provides
increased privacy protection.   Although,  once personal information is
shared, the need for privacy transcends national borders and privacy
protections will need to be considered in this context.   Emerging protocols
like UMA may also present a privacy by design approach for NSTIC that is
worth noting as a way to address some of these challenges. 


In this regard, I urge members who are interested in contributing to this
workshop to provide additional input/discussion in this thread in order to
develop a draft input for the NSTIC-DG tomorrow. 


Best Regards, 


Mark Lizar

P3 Secretary







-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110623/8e395878/attachment.html 

More information about the WG-P3 mailing list