All, You are invited to the kick-off meeting of the Privacy Framework subgroup of the Kantara Initiative (KI) Privacy and Public Policy work group (P3wg). This meeting ushers in the creation of a Privacy Framework that will allow third-party auditors to assess and certify the privacy protection practices of Identity Providers and Relying Parties. The kick-off telecon will be held this Thursday (Friday in Asia/Pacific). If, due to the short notice, you are unable to attend this kick-off, but desire to be kept updated on our next call, please let me know by reply email. Here is the dial-in information: US/Canada toll-free number: 1.866.305.1460 Direct dial (toll) number: +1.416.620.1296 Additional toll-free numbers: UK: 0800 917 5847 Netherlands: 08002659007 Belgium: 080079491 Japan: 00531160345 * Attendee Code: 9247530 +Thursday 08:00 PT / 11:00 ET / 16:00 UTC/GMT / 01:00 +1 day Japan / 05:00 + 1 day New Zealand Here is the agenda for the call: 1. Introductions and roll call 2. Description of the mission 3. Execution Plan 1. Communities of Interest 2. Leverage parallel efforts 3. Document requirements 4. Develop outline 5. Develop PF 6. Develop ICAM profile 7. Develop other profiles as clients evince interest 4. Schedule 1. Phase I: Discovery For January 2. Phase 2: Framework Development 3. Phase 3: ICAM Profile Development . *Background* In the traditional three-party internet transaction model, there are Subjects, Identity Providers (IdPs) and Relying Parties (RPs). To create trust among all three parties, a Trust Framework establishes a three-legged stool that provides (1) Assurance, (2) Protection, and (3) Control. * Assurance* is the trust a Relying Party can have in the ability of the Identity Provider to accurately represent the Subject when the Identity Provider assigns an ID to the Subject. *Protection* is the ability of the Subject to trust that his personal information is being handled “as advertised” by both the IdP and the RP. *Control* is the ability of the Subject to correct errors in the information about him/her as well as the ability specify when and how this information is disseminated. A fourth party – an Attribute Provider – also needs to be considered in this model. The US National Institute of Standards and Technology (NIST) has defined a hierarchy four Levels of Assurance and prescribed information proofing practices necessary to provide increasing levels of assurance for transactions that require them. At Level 1, an identity can be self-asserted for simple transactions such as managing one's Facebook account. Additional assurance is typically required for higher value transactions that might involve the transfer of money or confidential information. The Kantara Initiative has already created an Identity Assurance Framework (IAF). This Framework describes auditable Service Assessment Criteria (SACs) that can be used to vet an Identity Provider's ability to provide identities at different Levels of Assurance. The IAF establishes these broad rules and also includes profiles that allow for variations as needed to address unique requirements that exist for different trust frameworks (typically defined by either national jurisdiction or industry sector). A profile has been created for the US government's ICAM program. The IAF provides an RP with the necessary level of trust to conduct business at various Levels of Assurance. *Privacy Framework* The next step needed in this process is to create a Privacy Framework that affords Subjects the trust they need in how their personal information will be treated to induce them to use the Trust Framework. Here is where you can find the P3WG wiki, our charter, deliverables and work in progress. http://kantarainitiative.org/confluence/display/p3wg/Home -- Jeff Stollman stollman.j@gmail.com 1 202.683.8699