[WG-P3] For your consideration

Rainer Hörbe rainer at hoerbe.at
Mon May 23 13:56:28 EDT 2011


On 23.05.2011 at 16:31, Anna Slomovic/Equifax wrote:

> Please see inline.
>  
>> How does the work in P3WG done so far compare to the ISO 2910x draft? Do the principles match? To what extent is the terminology aligned? Could the Kantara PF be crafted as instance of a 29101-compatible framework?
>>  
>> On the long term Kantara will have to provide the full set of principles that reach beyond US eGovernment use cases.
>> 
> 
> I do not have a copy of the standard or the architecture in its current state. According to the ISO website, it will be published 10/15/2011.

Kantara does have a liaison with ISO SC 27 WG 5 and can make the draft documents available to its members (but not to mere list subscribers). Please contact Kantara staff - I think that this is a must read for P3 members.


>> 
>>> 2. Should we attempt to “reverse engineer” a privacy framework from the requirements that we know already exist in NSTIC and ICAM since both have actual privacy requirements? Both NSTIC and ICAM are US-based. In fact, ICAM is applicable only to the federal government, and the privacy profile limits the “Do Not Track” provision to visits to US government sites. Nevertheless, NSTIC covers all privacy principles, so it might be worthwhile to spend some time on expanding the definitions to include those outside US frameworks (as we have been doing) and then analyzing/interpreting how the principles apply specifically to identity transactions. This would become the principles-based Privacy Framework, which could be further developed into profiles like the one required by ICAM.
>>  
>> I suggest taking a wider base, using both existing federations (e.g. R&E federations and other industries) and a few countries. Without going into too much detail, some controls beyond privacy principles, like enforcement, could be covered. In deciding what factors to research, it might help to draw from former efforts like the World Bank or EU.
>>  
>> 
>> 
> I suggested NSTIC and ICAM because we have two use cases. The principles are the same worldwide; the applicability and interpretation differ. Work from the EU and World Bank would still be relevant. However, the point of the Privacy Framework is privacy, so I am not sure about the relevance of “controls beyond privacy.”

It might be clearer what I meant if you take an example country from the EU report: http://www.privireal.org/content/dp/canada.php
It lists controls like "General Powers of supervisory authority", "Who has standing to notify the supervisory authority of breaches", "penalties for breach of law", "provisions for national id number" etc. I think that these are controls that cannot easily be fitted into the principles.

- Rainer
