[WG-P3] For your consideration

Robin Wilton racingsnake at fastmail.fm
Thu May 26 09:45:16 EDT 2011


Hi folks -

A couple of comments in-line... hope this helps.

R
On Thu, 26 May 2011 01:52 +1200, "Colin Wallis"
<colin_wallis at hotmail.com> wrote:

  <<AS: If it’s taken from an EU baseline, we will need to be
  careful. Many issues are in dispute between the EU and the US,
  starting with the definition of what constitutes PII. >>

  CW: We should be ok there. Sue G and others debated it ad
  infinitum several versions ago, and got to a consensus.

Though actually, the EU and Member State definitions of what
constitutes PII are still not necessarily consistent: for
instance, the UK transposition of the Data Protection Directive
defines PII as 'data about an individual which allows the
individual to be identified'; the EU definition is much more
broadly phrased, describing PII as 'data about an identifiable
individual'...


<<AS: Additionally, we need to understand how a privacy framework
would apply in the context of an identity transaction or an
identity federation. FIDIS might help, but it is, once again, a
European effort.>>

I may be wrong, but I am pretty sure the FIDIS project has ended.
It was an FP6-funded project, so I'd be surprised if its life
extended beyond 5 years.


CW: Well that's where we need to study 29101, the privacy
reference architecture. It (well, the new material that's being
integrated) gives you some broad guidelines from the actor
perspectives. And it should do no more than that. As an ISO
standard it has got to fit loads of use cases, not just
identity federation.  We ought to know enough about the message
flow and what processes, systems etc. are engaged, to draw out the
necessary guidance for Trust Framework Providers (and the
assessors that will later assess them) to follow in regard to
identity federation.


I think all these issues need to be discussed on the call. I will
send out the agenda later today.


Thanks.


Anna


Anna Slomovic

Chief Privacy Officer

Equifax, Inc.

1010 N. Glebe Rd.

Suite 500

Arlington, VA 22201


P: 703.888.4620

M: 703.254.9656

F: 703.243.7576

E: Anna.Slomovic at equifax.com


From: Colin Wallis [mailto:colin_wallis at hotmail.com]
Sent: Wednesday, May 25, 2011 8:09 AM
To: Anna Slomovic; Rainer Hoerbe
Cc: sg-p3pf at kantarainitiative.org; Kantara P3 WG;
staff at kantarainitiative.org
Subject: RE: [WG-P3] For your consideration


OK, but it should. It was probably taken from an EU baseline but
the idea is that any nation could profile it as a subset. If
it isn't able to do that, we're in trouble... given that the
co-editor for 29100 is Sue Glueck from MSFT. 29101 has an
Estonian editor with some US inputs. But what needs to be done is
a quick mapping against ISTPA and if it maps ok, we should be ok
there too. I suspect changes on that one though...
_________________________________________________________________

To: colin_wallis at hotmail.com; rainer at hoerbe.at
CC: anna.slomovic at equifax.com; sg-p3pf at kantarainitiative.org;
wg-p3 at kantarainitiative.org; staff at kantarainitiative.org
Date: Wed, 25 May 2011 08:00:08 -0400
Subject: RE: [WG-P3] For your consideration
From: anna.slomovic at equifax.com

I have not had the time to review to see whether the ISO work
would play in the US. I am cheered that it is principles-based,
so it is possible. Let's discuss on the call tomorrow.
Anna
Anna Slomovic
CPO, Equifax
Sent via DROID on Verizon Wireless

-----Original message-----

From: Colin Wallis <colin_wallis at hotmail.com>
To: Rainer Hoerbe <rainer at hoerbe.at>
Cc: Anna Slomovic <anna.slomovic at equifax.com>,
"sg-p3pf at kantarainitiative.org" <sg-p3pf at kantarainitiative.org>,
Kantara P3 WG <wg-p3 at kantarainitiative.org>,
"staff at kantarainitiative.org" <staff at kantarainitiative.org>
Sent: Wed, May 25, 2011 11:49:56 GMT+00:00
Subject: RE: [WG-P3] For your consideration

And I will try to help where I can, but the wireframe was about
as far as my knowledge runs.

It will be a tight fit for me to get on the call tomorrow between
other calls and jetlag but I'll try...

Cheers
Colin
_________________________________________________________________

Subject: Re: [WG-P3] For your consideration
From: rainer at hoerbe.at
Date: Wed, 25 May 2011 12:48:43 +0200
CC: anna.slomovic at equifax.com; sg-p3pf at kantarainitiative.org;
wg-p3 at kantarainitiative.org; staff at kantarainitiative.org
To: colin_wallis at hotmail.com
I agree. For my part, I hope to help with assurance metrics.



Am 25.05.2011 um 12:20 schrieb Colin Wallis:


So to summarise the input from Anna, Jeff and Rainer as I
understand it...

1) We continue with a (global) Principles based approach
2) We agree to adopting definitions from ISO 29100 (a privacy
framework; also used in 29101, a privacy reference architecture),
though we have to be careful as these can't be publicly released
at this stage
3) We leverage the architecture-to-principles mapping proposed in
the latest 29101 drafts (still being worked on in the ad hoc) to
help us construct that part of our framework
4) We leverage the LoP and LoC concepts, but do not try to make
any sort of direct binding of LoAs to LoPrivacy (yuk)
5) We aim towards an assurance metric.

I didn't get any response on my early wireframe on how the doc
might look (remember that we have to give advice to
Trust Framework deployers and also to Privacy Framework
Assessors, so it is at least a two part doc).

Are we good to go then?

Cheers
Colin
_________________________________________________________________

From: [1]rainer at hoerbe.at
Date: Mon, 23 May 2011 19:56:28 +0200
To: [2]anna.slomovic at equifax.com
CC: [3]SG-P3PF at kantarainitiative.org; [4]wg-p3 at kantarainitiative.
org; [5]staff at kantarainitiative.org
Subject: Re: [WG-P3] For your consideration


Am 23.05.2011 um 16:31 schrieb Anna Slomovic/Equifax:


Please see inline.


How does the work in P3WG done so far compare to the ISO 2910x
draft? Do the principles match? To what extent is the terminology
aligned? Could the Kantara PF be crafted as instance of a
29101-compatible framework?


On the long term Kantara will have to provide the full set of
principles that reach beyond US eGovernment use cases.

I do not have a copy of the standard or the
architecture in its current state. According to the ISO website,
it will be published 10/15/2011.


Kantara does have a liaison with ISO SC 27 WG 5 and can make the
draft documents available to its members (but not to mere list
subscribers). Please contact Kantara staff - I think that this is
a must read for P3 members.



_________________________________________________________________

This message contains information from Equifax Inc. which may be
confidential and privileged. If you are not an intended
recipient, please refrain from any disclosure, copying,
distribution or use of this information and note that such
actions are prohibited. If you have received this transmission in
error, please notify by e-mail postmaster at equifax.com.
_______________________________________________
WG-P3 mailing list
WG-P3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3

References

1. mailto:rainer at hoerbe.at
2. mailto:anna.slomovic at equifax.com
3. mailto:SG-P3PF at kantarainitiative.org
4. mailto:wg-p3 at kantarainitiative.org
5. mailto:staff at kantarainitiative.org
Robin Wilton

+44 (0)705 005 2931
