[WG-P3] Research report on IdM within the EU Data Protection Directive

Rainer Hoerbe rainer at hoerbe.at
Sun Nov 13 11:44:50 EST 2011


On 13.11.2011 at 07:06, j stollman wrote:

> After reviewing the GINI document I was particularly disappointed in two items:
> They use the term Actor to identify the various parties to a transaction.  I think that Role is a far better term, since any one Actor may have one or more Roles in a particular transaction.  But this technicality does not impact the overall value of the document.
OMG defines a (use case) actor as "a role played by a person or thing when interacting with the system". So in a context of IS analysis both are valid terms.
> More discouraging is that the GINI approach presupposes the same fatal error that every other organization seems to be taking:  start programming and worry about the requirements later.  I refer to Section 4.8.3 which states, "One of the first steps in the development of such a framework involves putting in place (or at least identifying) reliable identification and authentication mechanisms." I would argue that while this is exactly what people have been doing, it is a mistake to start putting in place (or, even, identifying) identification and authentication mechanisms until we have developed the requirements for the different types of identification and authentication that the framework needs to handle.  I can accept the deployment of small, special-purpose frameworks to meet specific subsets of the goals envisioned under GINI.  But these may be no more useful to the overall GINI vision than a narrow-gauge railway is to a national rail network.
It is not quite clear from the context of section 4.8.3 if it refers to the existing legal obligation of each trust service provider, or an approach to define a new overarching generic trust framework. In the first case this is not only best practice, but even mandatory according to some DPD guidelines. Even in the second case, as we do not start from scratch, it is state of the art to have reliable identification and authN as a key requirement. The question is rather how this is plumbed skillfully into a framework so as not to jeopardize general applicability and minimum requirements.

> The problem that concerns me is that we start giving undue weight to early adopters (early trust frameworks) just because they are in place and "work" within their narrow goals and misjudge the real needs of a more ambitious global identity system.  We seem to be so enamored with leveraging what has been deployed without considering what the requirements are for what we really need.
> 
> What is really needed is a thorough mapping of the requirements for the system envisioned by GINI -- without any consideration of what exists.  Then, we can map the current deployments against this inventory and make a rational decision if there are things worth keeping (including legislation), or if we need to start with a clean slate.
> 
> The paper gives some acknowledgement to one aspect of the problem in Section 8 on page 82:
> 
> Practical barriers are likely to arise due to lack of harmonization in implementation (e.g., divergent consent requirements) or legal uncertainty (e.g., determination of the legal qualification of each actor). However, the legal barriers in this area result more from sector-specific requirements rather than general data protection or privacy requirements. The most prominent examples in this regard are the regulation of use of personal data by public sector bodies and the use of identifiers of general application.
> 
> But this phrasing suggests a passive acknowledgement that problems will arise, rather than taking a proactive position and seeking to define a meta model that will allow harmonization by design, rather than by happenstance.
Acknowledgment of a lack of harmonization is the first step. Harmonization as the second step won't come in a single project. While I agree with your point that we need to make requirements clear, I think that a meta model and work on practical trust frameworks will inevitably happen in parallel, within and even more outside Kantara.

- Rainer

> 
> Thank you.
> 
> Jeff
> 
> We’ve just released a research report which I hope may be of interest to you and others on this list. It’s available at http://www.gini-sa.eu/images/stories/2011.11.06_GINI_D3.1_Legal%20Provisions%20for%20Deploying%20INDI%20Services_FINAL.pdf
> 
> 


