[WG-P3] ICAM's PAC document


Ann Geyer

Mar 29, 2012, 10:39:26 AM
to Kantara P3WG
I found the ICAM Privacy Guidance for Trust Providers. It looks very
similar to what we are trying to develop for Kantara. I suggest we
look at this document and see what modifications, if any, are required
for our purpose.


http://kantarainitiative.org/confluence/download/attachments/49775195/ICAM+Privacy+Guidance+for+Trust+Providers.pdf

--
Ann Geyer, ESQ, MBA, MA, CIPP, CISSP, CISM, CPHRM
Managing Director, Tunitas Group
PO Box 278, Mountain Ranch, CA 95246
209-817-1691 (cell)
age...@tunitas.com
www.tunitas.com
_______________________________________________
WG-P3 mailing list
WG...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3

j stollman

Mar 29, 2012, 1:20:21 PM
to Ann Geyer, Kantara P3WG
All,

While I apologize for being unable to attend today's meeting, I did briefly review the ICAM document and can provide the following feedback:
  1. Adequate Notice
    1. I think that the requirements for notice need to extend well beyond what is listed in the ICAM document to include such items as how data are stored and protected from insider threats and outside hackers; how data are protected in flight between the user and the IdP and between the IdP and the RP; the retention periods of the IdP; the destruction processes of the IdP; etc.
    2. In reality, I believe that we need to establish a separate set of criteria for Notice and Consent independent of the Privacy profile.  In this way, the privacy profile will merely need to reference compliance with the Notice and Consent profile.  The Notice and Consent Profile will then need to be developed by a collaborative IAwg and P3wg team, since it addresses elements of both.
    3. As well, I would suggest that this document extend beyond the 3-party model (Subject, IdP, and RP).  It should be robust enough to address other models (e.g., separate IdP and CSP, AP, and the various UMA roles).
  2. Minimalism
    1. I suspect that trying to assess minimalism for the IdP is a fool's errand.  In ICAM's view, the IdP is the single source of truth for all attributes required by the RP.  In such a model, the IdP would need to anticipate every possible attribute required by any RP in order to fulfill its role.  This is a broken model from the start.
    2. One alternative model would be for the IdP to merely assert that the Subject is Joe313452.  Additional attributes would then be obtained from the various Attribute Providers (APs) who can substantiate each attribute claim (e.g., a credit bureau for credit worthiness, a credit-card company for authorization of a particular purchase, etc.).  Of course, this can become slow and complex if many APs are required.
    3. Still other models may separate the IdP from an AP who aggregates multiple attributes along with their signed substantiation from the AP who substantiates each transaction.  Technologies such as U-Prove make this practical.
    4. Of course, once we bring APs into the picture, the same privacy profile will need to apply to them.  Otherwise it is like trying to stop a leak by patching only two of three large holes.
  3. Activity Tracking
    1. Most of the content of the ICAM document appears to deal with Notice, not with activity tracking.
    2. There is an inherent contradiction in not tracking activity and having a log available to support claims of unfair practice.  The ICAM document does not suggest that tracking records not be maintained, merely that they not be disclosed to other parties.  The problem inherent in maintaining these data is that they represent a honeypot for both insiders and outside hackers who may seek to profit from the information.  We can regulate and certify business practices, but will that be enough to overcome the skepticism of the public who read continuously about PII being exposed through error or malfeasance?  So it would appear that -- at a minimum -- there ought to be a maximum retention period established.
    3. In addition, if users decide to stop working with an IdP, they ought to have the right to have their tracking history destroyed (after waiting some defined minimum period to provide the IdP with records needed for audit, etc.).
    4. If the same requirements for IdPs are not applicable to other parties in the interaction, have we really fixed anything?
  4. Identity Provider Bona Fides
    1. The first two items listed under this rubric appear best addressed in the Notice and Consent profile.
Jeff
--
Jeff Stollman
stoll...@gmail.com
1 202.683.8699

Truth never triumphs — its opponents just die out.
Science advances one funeral at a time.
                                    Max Planck

Louise Bennett

Mar 29, 2012, 1:41:21 PM
to Kantara P3WG

Dear All

At the Chartered Institute for IT in the UK we have just published a Yearbook on Aspects of Identity. It chronicles the development of our views on identity assurance over the Internet in the last year as a result of running international workshops on the subject in the UK, at EURODIG in Belgrade and the UN IGF in Kenya. I thought you might find it interesting and I would appreciate any feedback.

It can be found at:

www.bcs.org/identity

Yours,

Louise

Dr Louise Bennett

louise....@vivasltd.net

+44 (0)7786 01 25 54

vivas ltd, 30 Castelnau, SW13 9RU

Company: 4136811
