[WG-P3] For your consideration

Colin Wallis colin_wallis at hotmail.com
Wed May 25 06:58:06 EDT 2011

And I will try to help where I can, but the wireframe was about as far as my knowledge runs.
It will be a tight fit for me to get on the call tomorrow between other calls and jetlag but I'll try...


Subject: Re: [WG-P3] For your consideration
From: rainer at hoerbe.at
Date: Wed, 25 May 2011 12:48:43 +0200
CC: anna.slomovic at equifax.com; sg-p3pf at kantarainitiative.org; wg-p3 at kantarainitiative.org; staff at kantarainitiative.org
To: colin_wallis at hotmail.com

I agree. For my part, I hope to help with assurance metrics. 

Am 25.05.2011 um 12:20 schrieb Colin Wallis:

So to summarise the input from Anna, Jeff and Rainer as I understand it..
1) We continue with a (global) Principles based approach
2) We agree to adopting definitions from ISO 29100 A privacy Framework (also used in 29101 a privacy reference archictecure), though we have to be careful as these can't be publicly released at this stage 
3) We leverage the architecture-to-principles mapping proposed in the latest 29101 drafts (still being worked on in the ad hoc) to help us contruct that part of our framework
4) We leverage the LoP and LoC concepts, but do not try to make any sort of direct binding of LoAs to LoPrivacy (yuk)
5) We aim towards an assurance metric.
I didn't get any response on my early wireframe on how the doc might look (remember that we have to give advice to Trust Framework deployers and also to Privacy Framework Assessors, so it is at least a two part doc).
Are we good to go then?

From: rainer at hoerbe.at
Date: Mon, 23 May 2011 19:56:28 +0200
To: anna.slomovic at equifax.com
CC: SG-P3PF at kantarainitiative.org; wg-p3 at kantarainitiative.org; staff at kantarainitiative.org
Subject: Re: [WG-P3] For your consideration

Am 23.05.2011 um 16:31 schrieb Anna Slomovic/Equifax:

Please see inline.

How does the work in P3WG done so far compare to the ISO 2910x draft? Do the principles match? To what extent is the terminology aligned? Could the Kantara PF be crafted as instance of a 29101-compatible framework?


On the long term Kantara will have to provide the full set of principles that reach beyond US eGovernment use cases.

            I do not have a copy of the standard or the architecture in its current state. According to the ISO website, it will be published 10/15/2011.

Kantara does have a liaison with ISO SC 27 WG 5 and can make the draft documents available to its members (but not to mere list subscribers). Please contact Kantara staff - I think that this is a must read for P3 members.

2. Should we attempt to “reverse engineer” a privacy framework from the requirements that we know already exist in NSTIC and ICAM since both have actual privacy requirements? Both NSCTIC and ICAM are US-based. In fact, ICAM is applicable only to the federal government, and the privacy profile limits the “Do Not Track” provision to visits to US government sites. Nevertheless, NSTIC covers all privacy principles, so it might be worthwhile to spend some time on expanding the definitions to include those outside US frameworks (as we have been doing) and then analyzing/interpreting how the principles apply specifically to identity transactions. This would become the principles-based Privacy Framework, which could be further developed into profiles like the one required by ICAM.


I suggest to take wider base, using both existing federations (e.g. R&E federations and other industries) and a few countries. Without going into too much detail, some controls beyond privacy principles like enforcement could be covered. On deciding what factors to research it might help to draw from former efforts like worldbank or EU.  


            I suggested NSTIC and ICAM because we have two use cases. The principles are the same worldwide; the applicability and interpretation differ. Work from the EU and World Bank would still be relevant. However, the point of the Privacy Framework is privacy, so I am not sure about the relevance of “controls beyond privacy.”

It might be more clear what I meant if you take an example country from the EU report: http://www.privireal.org/content/dp/canada.php
Its lists controls like "General Powers of supervisory authority", "Who has standing to notify the supervisory authority of breaches", "penalties for breach of law", "provisions for national id number" etc. I think that these are controls that cannot be easily ranged into the principles.

- Rainer

_______________________________________________ WG-P3 mailing list WG-P3 at kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-p3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20110525/6df65805/attachment-0001.html 

More information about the WG-P3 mailing list