[WG-P3] Anna Slomovic's Follow up thread (RE: IAWG P3 Agendas going into Berlin)
mark at smartspecies.com
Sun May 8 14:02:54 EDT 2011
I am moving this thread to the P3 list so that our members can have a
chance to respond and to reduce the P3 mail flow to those that have
been included in this thread. For those who are interested I
encourage you to follow and participate in this discussion on the P3
I am working on a summary of the evolved P3 and PF scope this week for
the imminent F2F. I will send this to the P3 list for discussion
asking P3 to contribute to developing a clear picture of the P3
position for other Kantara efforts to be able to engage with. Until
then I present a draft summary of the privacy framework scope.
Draft PF Scope
To provide an over arching privacy framework for Kantara efforts to be
able to integrate with. Specifically, we are now working towards
developing a privacy assurance framework that is able to utilise the
existing IAF infrastructure. In order to do this we are evaluating
privacy profiles that credentials can integrate with to transfer
privacy requirements to the recipient of the credential.
This issue falls into the realm of international policy as privacy
rules and use of principles differ from jurisdiction to jurisdiction.
As P3 is an active member in International Policy community and the
international Privacy community P3 is an ideal position to develop a
Kantara privacy framework that will have the full force of regulatory
efforts behind it.
P3 clearly advocates that a privacy by design approach to assurance is
necessary for Kantara certifications, in addition, privacy is a core
component in any trust management initiative.
In regards to Jeff's Point below, I agree that there is a need for an
independent privacy notice effort to provide indicator for federated
Identity management. A topic I will put on the Agenda. In fact, I
personally believe that a federated identity notice standard or
protocol can be explored as a tool for P3 and Kantara to interoperate
with the diverse communities that are involved in privacy and public
policy. (interoperability being a core driver for the adoption of
Best Regards / Mark
On 8 May 2011, at 13:01, j stollman wrote:
> I would suggest that perhaps too much is being bundled into the
> collective privacy principles. Perhaps these need to be broken down
> into groups that can be scored together. This would imply that
> multiple privacy "scores" would be required to be evaluated before
> an entity decides to enter into a transaction. But, at least, the
> scoring of each group would be consistent and auditable.
> For transaction X, I may require a score of 3-4-5. For transaction
> Y, I may be OK with 2-1-3. But I could always establish meaningful
> targets because the group scores are internally consistent.
> In my personal view, for example, I consider notice to be distinct
> from privacy and inclusive of elements in addition to a privacy
> policy (e.g., how information is stored and protected). I don't see
> any reason to incorporate notice into privacy. It needs its own
> scoring system.
> On Sun, May 8, 2011 at 4:41 AM, Colin Wallis
> <colin_wallis at hotmail.com> wrote:
> <<I think all entities at all levels would need to address all
> principles in some way, but how they do it will differ and depend on
> the level(s) they choose, their role on the identity ecosystem,
> their business model, and whatever else turns out to be relevant.>>
> Yes, on reflection, I think you are right Anna.
> Though that makes it that little bit harder to write too..not so
> much write, but we Kantarians are going to have to take some sort of
> position on that, or at least give guidance to assessors.
> To: colin_wallis at hotmail.com; annaticktin at me.com
> CC: rfurr at safe-biopharma.org; rgw at zygma.biz; mark at smartspecies.com; anna.slomovic at equifax.com
> ; myisha.frazier-mcelveen at truestonefed.com; dervlaoreilly at me.com; rainer at hoerbe.at
> ; jbradley at mac.com; susan.landau at privacyink.org;
> stollman.j at gmail.com; eve at xmlgrrl.com; unger at vdeskservices.com
> Date: Sat, 7 May 2011 11:24:37 -0400
> Subject: Re: Anna Slomovic's Follow up thread (RE: IAWG P3 Agendas
> going into Berlin)
> From: anna.slomovic at equifax.com
> I think your synthesis is spot on. The only point on which I would
> differ is the ability to choose Principles. I think all entities at
> all levels would need to address all principles in some way, but how
> they do it will differ and depend on the level(s) they choose,
> their role on the identity ecosystem, their business model, and
> whatever else turns out to be relevant.
> As for assessments, I agree that there will be criteria for each
> LOA, LOC, and LOP, and the assessor will check whether the entity
> complies with its chosen levels.
> Hooray for progress!
> Anna Slomovic
> CPO, Equifax
> Sent via DROID on Verizon Wireless
> -----Original message-----
> From: Colin Wallis <colin_wallis at hotmail.com>
> To: Anna Ticktin <annaticktin at me.com>
> Cc: "rfurr at safe-biopharma.org" <rfurr at safe-biopharma.org>, Richard
> Wilsher <rgw at zygma.biz>, Mark Lizar <mark at smartspecies.com>, "anna.slomovic at equifax.com
> " <anna.slomovic at equifax.com>, "myisha.frazier-mcelveen at truestonefed.com
> " <myisha.frazier-mcelveen at truestonefed.com>, "dervlaoreilly at me.com"
> <dervlaoreilly at me.com>, Rainer Hoerbe <rainer at hoerbe.at>, John
> Bradley <jbradley at mac.com>, Susan Landau
> <susan.landau at privacyink.org>, Jeff Stollman <stollman.j at gmail.com>,
> Eve Maler <eve at xmlgrrl.com>, "unger at vdeskservices.com" <unger at vdeskservices.com
> Sent: Sat, May 7, 2011 10:13:57 GMT+00:00
> Subject: Anna Slomovic's Follow up thread (RE: IAWG P3 Agendas going
> into Berlin)
> Sorry that I am out of range of my govt.nz email now, and while I
> forwarded heaps of threads to my Hotmail, I missed Anna S's.
> I re-read it again today (Saturday) and offer this - which does work
> for Anna T's call to action too I think.
> Having re-read Anna S's email, I can see her viewpoint - we can't do
> a PF split by LOA job. Why? She gave plenty of reasons. But for me
> it's because each deployment may have different objectives here.
> Some objectives cut across the whole gamit of LOAs. Others don't. By
> and large it is deployment specific.
> Anna points out the pieces of the emerging jigaw we have now..the
> LOPs the LOCs etc.
> And I agree with her, these are orthoganal with LOA. This morning I
> thought that term was not the right one, or at least she was
> overstating it. As I've mulled it over during the day, I think she's
> So what can we do with what we've got? We know we have to do
> something - and fast.
> How about this?
> We have the Principles analysis pretty much done.
> We have the concepts in the community of LOP and LOC etc. There is
> notional stuff we know that sits above this but leave that for the
> ISO frameworks of this world right now, OK?
> We know the objective is to audit the CSPs/IdPs (and RPs soon Anna
> S. The IAWG know they need to add the RP aspect to what is now only
> a CSP/IdP IAF, so assume they do that and the PF targets both).
> So let's try to assemble the Privacy Framework like this:
> We list the Principles and a brief description (put the analysis as
> an Annex), with a description of what 'full/successful deployment'
> looks like
> We list the LOP, with a description of what 'full/successful
> deployment' looks like
> We list the LOCs, with a description of what 'full/successful
> deployment' looks like ..
> ..and anything else we deem relevant here....we could kind of
> include that 'verification' notion of Jay's, to apply to the
> identity proofing parts of the IAF.
> We then REQUIRE that that party seeking conformance with the IAF's
> PF, describe its service and the PI that is to be collected/stored/
> exchanged etc, noting the actors and so on..
> We then REQUIRE that the party chooses the mix of Principles, LOPs,
> LOCs etc that it deems applicable for the service, and state
> specifically how these will be deployed.
> So when it comes to certifying these parties, the Assessors job for
> Kantara will be two fold:
> 1) to determine that the right mix has been chosen for the service
> it's being applied to
> 2) to determine that the mix has been deployed correctly.
> (Anyone fancy being the assessor..not me! But what we are saying is
> 'if you use the KI framework this our our bottom online on privacy
> for the service/s you are getting certified for)
> So I think this is greenfields stuff, and we won't get it right
> first time, but I think it may be a start.
> And I think it sits OK with Anna S's comment "..create a privacy
> structure orthogonal to the LOA structure and integrated into the
> IAF as an additional set of requirements'.
> What do you think?
> I know I couldn't write it, but I know there are folks on this list
> that could. And if they did, it would be ground-breaking work.
> CC: rfurr at safe-biopharma.org; RGW at Zygma.biz; mark at smartspecies.com; anna.slomovic at equifax.com
> ; Myisha.Frazier-McElveen at truestonefed.com; dervlaoreilly at me.com; rainer at hoerbe.at
> ; jbradley at mac.com; colin_wallis at hotmail.com
> From: annaticktin at me.com
> Subject: Re: IAWG P3 Agendas going into Berlin
> Date: Thu, 5 May 2011 22:03:37 -0700
> To: Colin.Wallis at dia.govt.nz
> Indeed, Colin.
> As you can see from my thread below, the P3 and IAWG meet in
> succession on Tuesday. Plus, they are sandwiched between two
> Assurance and Certification sync sessions, as well as a Trust
> Framework Meta Model and Business Cases for Trusted Federations
> session. These are all great opportunities for interdependent groups
> to get on the same page, as you say—
> Again, please follow on with any thoughts on firm agenda topics for
> these sessions. Let's get to talking so we can hurry up and "do"!
> Yup, I sent this from my iPad.
> On May 5, 2011, at 21:51, Colin Wallis <Colin.Wallis at dia.govt.nz>
> It would be ideal if the P3WG and IAWG folks could attend each
> others sessions to the greatest extent possible, to increase
> understanding/get on same page…
> From: Anna Ticktin [mailto:annaticktin at me.com]
> Sent: Friday, 6 May 2011 5:26 a.m.
> To: Rich Furr; Richard Wilsher; Colin Wallis; Mark Lizar; Anna
> Cc: Myisha Frazier-McElveen; Dervla O'Reilly; Hörbe Rainer; John
> Subject: IAWG P3 Agendas going into Berlin
> Hello All—
> Many thanks for your time and commitment to today's lengthy P3
> discussion. I think all would agree on it's value as a means of
> bridging the communication gap between the IAWG and P3.
> With that, I'm keen to capitalize on the freshness of the dialogue
> and channel this momentum into drafting relevant agendas for the
> upcoming F2F in Berlin. Clearly the value of having cross-
> representative discussions is apparent, so I'm asking that all of
> you (with your vocal dogs in this hunt!) weigh in.
> What comes to mind is a need for  a consensus on direction and
> next steps and  roadmaps. The IAWG has one, the TFWMM could
> easily be fleshed out, and It seems we are working toward
> identifying those paths and deliverables in the P3W with a call such
> as today's. This has been a most effective tool in other workgroups,
> and must be understood to:
> This message contains information from Equifax Inc. which may be
> confidential and privileged. If you are not an intended recipient,
> please refrain from any disclosure, copying, distribution or use of
> this information and note that such actions are prohibited. If you
> have received this transmission in error, please notify by e-mail postmaster at equifax.com
> Jeff Stollman
> stollman.j at gmail.com
> 1 202.683.8699
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WG-P3