[WG-P3] [WG-FI] Potential Framework for Relying Party/Data Recipient Guidelines

Rainer Hörbe rainer at hoerbe.at
Wed Mar 16 04:35:17 EDT 2011

Am 16.03.2011 um 09:03 schrieb Ben Wilson:

> When in doubt … cross-post. 

I think that we have list list for Trust Framework discussions soon.

> Here is a slash and replace of IAF-1400 to convert it into IAF-1800.  I am interested in people’s thoughts about the first few pages – beyond that, I just left in language from IAF-1400 that would be replaced.    

In a nutshell, the paper introduces Sensitivity Categories that, in a risk management terminology, categorize PII assets. A few thoughts on this:
This type of categorization is already canonized in various laws, like the EU Data Protection Directive (public, personal and sensitive PII), or in government/police/military (like restricted, confidential, secret and top secret)
The primary aspect is confidentiality; integrity, availability and other user-centric domains are not addressed
Not all data that needs to be protected is PII. Emergency evacuation plans are no PII at all, but we do not want Al Qaida to obtain them. (And let's pray Tokyo won't need them)
The IAF, like SP 800-63 provides only an assurance view: Independent of the risk assessment at the RP side each LoA provides some baseline security policy. The other side needs to assess the risk and map it to assertion levels. This is the counterpart the the IAF (OMB 0404 is such a guideline), so I wonder how that side actually fits into the IAF.

- Rainer

> Benjamin T. Wilson, JD CISSP 
> General Counsel and SVP Industry Relations
> DigiCert, Inc.
> <image001.gif>
> Online: www.DigiCert.com
> Email: ben at digicert.com
> Toll Free: 1-800-896-7973 (US & Canada)
> Direct: 1-801-701-9678
> Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada)
> The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Thank You
> <Kantara IAF-1800-Assertion Recipient and Data Recipient Guidelines.doc>_______________________________________________
> WG-FI mailing list
> WG-FI at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-fi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110316/c1b52c2b/attachment.html 

More information about the WG-P3 mailing list