So taking a step back and moving on..... :-)...
I got a reminder note today about the deadline being 25th July.
So do we have one or two submissions on the go? from Terry, Sal, Jeff Ingo?
Cheers
Colin
CC: colin_wallis@hotmail.com; joni@ieee-isto.org; dg-idot@kantarainitiative.org
From: tgold@idanalyst.comDate: Wed, 3 Jul 2013 23:17:02 -0700
Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!
To: andrew.nash@gmail.com
Andrew, didn't mean to offend. Was intended to point out that CFP outcomes can occur aside from being rigid and to try anyway with best effort.I pointed to politics as one other factor due to my own experiences (with RSA). We can take offline if you are interested.Apologies.Terry,having been engaged as part of the RSA Conference track committee over ten years I would suggest that your allusions to political decisions are highly uninformed - if you have tried to reduce 1400 submissions to 20abstracts for a single track you may gain some appreciation of the challenges.Colins points are actually highly cogent and relevant, although there may be more leeway if you decided to submit to the privacy trackWhile the privacy aspect is important and relevant the same issues already exist in many different contexts my group at Google was already managing a billion identities with many times that number of transactions taking place monthly across 60 product areasThe management at scale of the collection of thing identities, the layering of what an identity means from very low level devices and how they may be connected to identified organizing identity such as a person (or house) the authorization and relationship management is a pretty interesting collection of security issues to deal with and could be proposed as a reasonable abstract.--Andrew
--Andrew
On Wed, Jul 3, 2013 at 9:52 PM, Terry Gold <tgold@idanalyst.com> wrote:
Hi Colin-No buzzkill or offense taken. You raise really good and valid points.I am not so convinced that RSA CFP committee however is as ruthless as they are political - am still reserving conclusions in that one.As for the InfoSec community already being aware of the points 1-4, I would like to think I know the community well, and agree there is awareness, but it is context that is lacking. How 1-4 are inter related, progressions over time, and sequential progressions that got us here, and what pieces need to be clawed back for it to start to have a trajectory of balance.There are some technical people in the RSA community, but many are not and not all are identity experts (or privacy beyond the corp enterprise) so I think there is value in discussing as long as it or not too high level and breaks things down quite more. It's easy to get lost in generalizations in panels where it's watered down and something g we wi work to avoid.Lastly, my personal opinion is that Europe in general has a far better position on privacy than we do here in the US but if we go in guns blazing on a "how to do it like Europe" it will be counterproductive. Rather compare positions to expand the border beyond the US, as our data does as well.My thoughts, although willing to accept I could be partly right or all wrong too -)/t
Please excuse spelling errors - sent from my mobile deviceAt the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process.
I expect they will say that all 4 are pretty well known..
1 and 2 have been the subject of VRM, PDEC and now Custome rCommons for some time
3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA.
4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or peicemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance witha ll the risks of co-ordination, governance etc etc that that implies?...
But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory?
No July 4th for me, you can tell, eh? :-)
Cheers
Colin
From: sal@idmachines.com
To: tgold@idanalyst.com; stollman.j@gmail.com; Ingo.Friese@telekom.de
Date: Tue, 2 Jul 2013 09:52:01 -0400
CC: joni@ieee-isto.org; dg-idot@kantarainitiative.org
Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!
Terry, Jeff, Ingo,
Very good set of points Terry. Leakage in particular. UMA might help in that regard.
Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things.
I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives.
Look forward to the DG.
Sal
From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Terry Gold
Sent: Tuesday, July 02, 2013 9:13 AM
To: 'j stollman'; Ingo.Friese@telekom.de
Cc: 'Joni Brennan'; dg-idot@kantarainitiative.org
Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!
Hi Jeff-
I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is:
a) The convenience and pervasiveness of connected services
b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc)
c) Identity ownership and control s: evolution, impact, possibilities
d) Challenges and impact on business models, and individuals as this battle looms.
From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:
1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook’s monetization model isn’t new just the way they collect it.
2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don’t agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services).
3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite “chatty” in this way). Basically, any that are “free” apps, are doing this so (and not disclosing) it’s a BIG problem.
4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out.
I am interested in collaborating and/or participating in the panel as well, up to you.
Regards,
Terry
-------------------------------
Terry Gold
iDanalyst LLC, Founder
Identity, Security & Privacy
t: 213-341-0433
m: 949-310-5911
tgold@IDanalyst.com
www.IDanalyst.com
Twitter: @IDanalyst
From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org]
_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot
_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot