Hi Jeff- I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is: a) The convenience and pervasiveness of connected services b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc) c) Identity ownership and control s: evolution, impact, possibilities d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook's monetization model isn't new just the way they collect it. 2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don't agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services). 3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite "chatty" in this way). Basically, any that are "free" apps, are doing this so (and not disclosing) it's a BIG problem. 4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out. I am interested in collaborating and/or participating in the panel as well, up to you. Regards, Terry ------------------------------- Terry Gold iDanalyst LLC, Founder Identity, Security & Privacy t: 213-341-0433 m: 949-310-5911 tgold@IDanalyst.com www.IDanalyst.com http://www.idanalyst.com/ Twitter: @IDanalyst From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of j stollman Sent: Tuesday, July 02, 2013 5:50 AM To: Ingo.Friese@telekom.de Cc: Joni Brennan; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Ingo, My personal bias would be to have a panel discussion on the implications of IoT on privacy. (We can submit more than one proposal and hold more than one panel.) And I think some of the questions that we have already begun discussing (e.g., who controls the data for a ca?, will "things" have their own personal cloud or be part of a person's cloud?) that could provide fodder for a captivating discussion. . (We can submit more than one proposal and hold more than one panel.) I have already begun drafting a proposal for a panel for which I am interested in other panelists. I have attached a draft. If you are interested in participating, let me know. Thanks. Jeff On Tue, Jul 2, 2013 at 7:03 AM, wrote: Hi all, We'd like to propose a KI panel discussion at RSA 2014 around IDoT. This would be a great opportunity for our group to promote/discuss/get feedback for our work. Joni was as friendly as to bring up this chance. She will help us to finish a one-pager for a proposed session. I will start with a rough version putting in e.g. (Identity of Things - Access Management as usual or do we need something different We have learned a lot about identity management for subjects in the past. We have well known approaches like RBAC or ABAC developed web protocols and mechanisms like OpenID, OAuth, UMA. But is this sufficient for the internet of things? What's missing? What is so challenging about? Etc.) (just a very first draft and still rather an example).thinking about other authentication methods than username/password, more than one owner/user of a thing, new mapping approaches etc. As we are a group from different industries I'd like to ask you for other topics around Big Data, Privacy, Security etc..in conjunction with IDoT. Ideas are highly welcome! I will aggregate/integrate them to a nice paper IT would be great if you come up with few bullet points to support us. And If I get it right we also looking for panelists (correct me if I'm wrong Joni) Thank you in advance! Ingo From: jonibrennan@gmail.com [mailto:jonibrennan@gmail.com] On Behalf Of Joni Brennan Sent: Montag, 1. Juli 2013 20:42 To: Friese, Ingo Subject: Re: U.S. Call for Speakers Now Open! Submit Today! Could you start a rough draft for proposed session? IdOT can help but you'll need some staff and quick volunteers b/c the opp closes July 25. That comes fast! If you can give a one page heather and I can help. I suggest proposing a panel as the mode for session. We can help you fill the panel when time comes. Do you think its possible as a start? I hope you get the opp AND selected!! On Monday, July 1, 2013, wrote: Joni, I'd love to. Great opportunity to introduce / discuss / get feedback for IDoT! Ingo From: lc-bounces@kantarainitiative.org [mailto:lc-bounces@kantarainitiative.org] On Behalf Of Joni Brennan Sent: Donnerstag, 27. Juni 2013 18:55 To: Nat Sakimura Cc: Kantara Leadership Council Kantara; trustees@kantarainitiative.org; irb@kantarainitiative.org; arb Subject: Re: [KI-LC] [BoT] Fwd: U.S. Call for Speakers Now Open! Submit Today! In the same track of thought Nat, and in addition to Colin's well placed usual suspect assurance discussion, I think the Kantara IDoT might make some early proposal around Privacy, Big-Data and Identity of Things. Ingo would you be interested? Joni Brennan Kantara Initiative | Executive Director voice:+1 732-226-4223 tel:%2B1%20732-226-4223 email: joni @ kantarainitiative.org Building Trusted Identity Ecosystems - It takes a village! Slides: http://bit.ly/ki-june-2013 On Thu, Jun 27, 2013 at 9:21 AM, Nat Sakimura wrote: I am wondering if RSA is security only event. When you talk about Big Data etc., you cannot dodge the privacy questions. That might be another interesting topic. 2013/6/27 Colin Wallis I'm thinking there might be a play at the higher LOA approval level here.. a kind of Kantara Assurance. BBFA, MACCSA joint play. The slight problem is that *that* thinking might be slightly premature (thinking of the July MACCSA meeting) .. But I'm thinking that the RSA audience would find it interesting and offers presenting organizations a way to showcase an opportunity for the audience organizations to play in what is probably a new space for most of them... (says he choosing his words carefully..:-)) Cheers Colin _____ From: joni@ieee-isto.org Date: Wed, 26 Jun 2013 11:34:19 -0700 To: trustees@kantarainitiative.org; LC@kantarainitiative.org; arb@kantarainitiative.org; irb@kantarainitiative.org Subject: [KI-LC] Fwd: U.S. Call for Speakers Now Open! Submit Today! Dear All, Which Kantara stakeholders seek to work toward Kantara proposals for RSA SFO 2014? Which WGs / DGs will seek to submit their own proposals? The call opens now and closes July 25. Best Regards, Joni RSA <http://www.rsaconference.com/?utm_source=exacttarget&utm_medium=CFS&utm_con tent=logo-header&utm_campaign=CFSEmail1> R Conference Stay Connected LinkedIn http://www.linkedin.com/company/rsa-conference Twitter https://twitter.com/RSAconference YouTube http://www.youtube.com/rsaconference Facebook https://www.facebook.com/rsaconference Asia Pacific <http://www.rsaconference.com/events/ap13?utm_source=exacttarget&utm_medium= CFS&utm_content=apac-banner&utm_campaign=CFSEmail1> Europe <http://www.rsaconference.com/events/eu13?utm_source=exacttarget&utm_medium= CFS&utm_content=europe-banner&utm_campaign=CFSEmail1> -- Joni Brennan Kantara Initiative | Executive Director voice:+1 732-226-4223 tel:%2B1%20732-226-4223 email: joni @ kantarainitiative.org Building Trusted Identity Ecosystems - It takes a village! Slides: http://bit.ly/ki-june-2013 _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Jeff Stollman stollman.j@gmail.com 1 202.683.8699 Truth never triumphs - its opponents just die out. Science advances one funeral at a time. Max Planck

At the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process. I expect they will say that all 4 are pretty well known.. 1 and 2 have been the subject of VRM, PDEC and now Custome rCommons for some time 3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA. 4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or peicemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance witha ll the risks of co-ordination, governance etc etc that that implies?... But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory? No July 4th for me, you can tell, eh? :-) Cheers Colin From: sal@idmachines.com To: tgold@idanalyst.com; stollman.j@gmail.com; Ingo.Friese@telekom.de Date: Tue, 2 Jul 2013 09:52:01 -0400 CC: joni@ieee-isto.org; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Terry, Jeff, Ingo, Very good set of points Terry. Leakage in particular. UMA might help in that regard. Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things. I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives. Look forward to the DG. Sal From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Terry Gold Sent: Tuesday, July 02, 2013 9:13 AM To: 'j stollman'; Ingo.Friese@telekom.de Cc: 'Joni Brennan'; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Hi Jeff- I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is: a) The convenience and pervasiveness of connected services b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc) c) Identity ownership and control s: evolution, impact, possibilities d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook’s monetization model isn’t new just the way they collect it. 2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don’t agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services). 3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite “chatty” in this way). Basically, any that are “free” apps, are doing this so (and not disclosing) it’s a BIG problem. 4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out. I am interested in collaborating and/or participating in the panel as well, up to you. Regards, Terry ------------------------------- Terry Gold iDanalyst LLC, Founder Identity, Security & Privacy t: 213-341-0433 m: 949-310-5911 tgold@IDanalyst.com www.IDanalyst.com Twitter: @IDanalyst From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of j stollman Sent: Tuesday, July 02, 2013 5:50 AM To: Ingo.Friese@telekom.de Cc: Joni Brennan; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Ingo, My personal bias would be to have a panel discussion on the implications of IoT on privacy. (We can submit more than one proposal and hold more than one panel.) And I think some of the questions that we have already begun discussing (e.g., who controls the data for a ca?, will "things" have their own personal cloud or be part of a person's cloud?) that could provide fodder for a captivating discussion. . (We can submit more than one proposal and hold more than one panel.) I have already begun drafting a proposal for a panel for which I am interested in other panelists. I have attached a draft. If you are interested in participating, let me know. Thanks. Jeff On Tue, Jul 2, 2013 at 7:03 AM, wrote: Hi all, We’d like to propose a KI panel discussion at RSA 2014 around IDoT. This would be a great opportunity for our group to promote/discuss/get feedback for our work. Joni was as friendly as to bring up this chance. She will help us to finish a one-pager for a proposed session. I will start with a rough version putting in e.g. (Identity of Things – Access Management as usual or do we need something different We have learned a lot about identity management for subjects in the past. We have well known approaches like RBAC or ABAC developed web protocols and mechanisms like OpenID, OAuth, UMA. But is this sufficient for the internet of things? What’s missing? What is so challenging about? Etc.) (just a very first draft and still rather an example)…thinking about other authentication methods than username/password, more than one owner/user of a thing, new mapping approaches etc. As we are a group from different industries I’d like to ask you for other topics around Big Data, Privacy, Security etc….in conjunction with IDoT. Ideas are highly welcome! I will aggregate/integrate them to a nice paper IT would be great if you come up with few bullet points to support us. And If I get it right we also looking for panelists (correct me if I’m wrong Joni) Thank you in advance! Ingo From: jonibrennan@gmail.com [mailto:jonibrennan@gmail.com] On Behalf Of Joni Brennan Sent: Montag, 1. Juli 2013 20:42 To: Friese, Ingo Subject: Re: U.S. Call for Speakers Now Open! Submit Today! Could you start a rough draft for proposed session? IdOT can help but you'll need some staff and quick volunteers b/c the opp closes July 25. That comes fast! If you can give a one page heather and I can help. I suggest proposing a panel as the mode for session. We can help you fill the panel when time comes. Do you think its possible as a start? I hope you get the opp AND selected!! On Monday, July 1, 2013, wrote: Joni, I’d love to. Great opportunity to introduce / discuss / get feedback for IDoT! Ingo From: lc-bounces@kantarainitiative.org [mailto:lc-bounces@kantarainitiative.org] On Behalf Of Joni Brennan Sent: Donnerstag, 27. Juni 2013 18:55 To: Nat Sakimura Cc: Kantara Leadership Council Kantara; trustees@kantarainitiative.org; irb@kantarainitiative.org; arb Subject: Re: [KI-LC] [BoT] Fwd: U.S. Call for Speakers Now Open! Submit Today! In the same track of thought Nat, and in addition to Colin's well placed usual suspect assurance discussion, I think the Kantara IDoT might make some early proposal around Privacy, Big-Data and Identity of Things. Ingo would you be interested? Joni Brennan Kantara Initiative | Executive Director voice:+1 732-226-4223 email: joni @ kantarainitiative.org Building Trusted Identity Ecosystems - It takes a village! Slides: http://bit.ly/ki-june-2013 On Thu, Jun 27, 2013 at 9:21 AM, Nat Sakimura wrote: I am wondering if RSA is security only event. When you talk about Big Data etc., you cannot dodge the privacy questions. That might be another interesting topic. 2013/6/27 Colin Wallis I'm thinking there might be a play at the higher LOA approval level here.. a kind of Kantara Assurance. BBFA, MACCSA joint play. The slight problem is that *that* thinking might be slightly premature (thinking of the July MACCSA meeting) .. But I'm thinking that the RSA audience would find it interesting and offers presenting organizations a way to showcase an opportunity for the audience organizations to play in what is probably a new space for most of them... (says he choosing his words carefully..:-)) Cheers Colin From: joni@ieee-isto.org Date: Wed, 26 Jun 2013 11:34:19 -0700 To: trustees@kantarainitiative.org; LC@kantarainitiative.org; arb@kantarainitiative.org; irb@kantarainitiative.org Subject: [KI-LC] Fwd: U.S. Call for Speakers Now Open! Submit Today! Dear All, Which Kantara stakeholders seek to work toward Kantara proposals for RSA SFO 2014? Which WGs / DGs will seek to submit their own proposals? The call opens now and closes July 25. Best Regards, Joni RSA® Conference Stay Connected LinkedIn Twitter YouTube Facebook Asia Pacific Europe -- Joni Brennan Kantara Initiative | Executive Director voice:+1 732-226-4223 email: joni @ kantarainitiative.org Building Trusted Identity Ecosystems - It takes a village! Slides: http://bit.ly/ki-june-2013 _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Jeff Stollman stollman.j@gmail.com 1 202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Yeaup, all fair points. So if this was one submission where would the cross-over between known identity issues and IDoT be? 'Who owns and/or manages the light bulb's identity? (not being deliberatelty flippant!) If we can find that cross-over, great. Otherwise it's probably two submissions..and nothing wrong in that of course.. Cheers Colin CC: sal@idmachines.com; stollman.j@gmail.com; ingo.friese@telekom.de; joni@ieee-isto.org; dg-idot@kantarainitiative.org From: tgold@idanalyst.com Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Date: Wed, 3 Jul 2013 21:52:13 -0700 To: colin_wallis@hotmail.com Hi Colin- No buzzkill or offense taken. You raise really good and valid points. I am not so convinced that RSA CFP committee however is as ruthless as they are political - am still reserving conclusions in that one. As for the InfoSec community already being aware of the points 1-4, I would like to think I know the community well, and agree there is awareness, but it is context that is lacking. How 1-4 are inter related, progressions over time, and sequential progressions that got us here, and what pieces need to be clawed back for it to start to have a trajectory of balance. There are some technical people in the RSA community, but many are not and not all are identity experts (or privacy beyond the corp enterprise) so I think there is value in discussing as long as it or not too high level and breaks things down quite more. It's easy to get lost in generalizations in panels where it's watered down and something g we wi work to avoid. Lastly, my personal opinion is that Europe in general has a far better position on privacy than we do here in the US but if we go in guns blazing on a "how to do it like Europe" it will be counterproductive. Rather compare positions to expand the border beyond the US, as our data does as well. My thoughts, although willing to accept I could be partly right or all wrong too -) /t Please excuse spelling errors - sent from my mobile device On Jul 3, 2013, at 9:25 PM, Colin Wallis wrote: At the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process. I expect they will say that all 4 are pretty well known.. 1 and 2 have been the subject of VRM, PDEC and now Customer Commons for some time 3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA. 4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or piecemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance with all the risks of co-ordination, governance etc etc that that implies?... But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory? No July 4th for me, you can tell, eh? :-) Cheers Colin From: sal@idmachines.com To: tgold@idanalyst.com; stollman.j@gmail.com; Ingo.Friese@telekom.de Date: Tue, 2 Jul 2013 09:52:01 -0400 CC: joni@ieee-isto.org; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Terry, Jeff, Ingo, Very good set of points Terry. Leakage in particular. UMA might help in that regard. Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things. I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives. Look forward to the DG. Sal From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Terry Gold Sent: Tuesday, July 02, 2013 9:13 AM To: 'j stollman'; Ingo.Friese@telekom.de Cc: 'Joni Brennan'; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Hi Jeff- I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is: a) The convenience and pervasiveness of connected services b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc) c) Identity ownership and control s: evolution, impact, possibilities d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook’s monetization model isn’t new just the way they collect it. 2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don’t agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services). 3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite “chatty” in this way). Basically, any that are “free” apps, are doing this so (and not disclosing) it’s a BIG problem. 4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out. I am interested in collaborating and/or participating in the panel as well, up to you. Regards, Terry ------------------------------- Terry Gold iDanalyst LLC, Founder Identity, Security & Privacy t: 213-341-0433 m: 949-310-5911 tgold@IDanalyst.com www.IDanalyst.com Twitter: @IDanalyst From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org]

Andrew, didn't mean to offend. Was intended to point out that CFP outcomes can occur aside from being rigid and to try anyway with best effort. I pointed to politics as one other factor due to my own experiences (with RSA). We can take offline if you are interested. Apologies. On Jul 3, 2013, at 10:19 PM, Andrew Nash wrote:

Terry,

having been engaged as part of the RSA Conference track committee over ten years I would suggest that your allusions to political decisions are highly uninformed - if you have tried to reduce 1400 submissions to 20abstracts for a single track you may gain some appreciation of the challenges.

Colins points are actually highly cogent and relevant, although there may be more leeway if you decided to submit to the privacy track

While the privacy aspect is important and relevant the same issues already exist in many different contexts my group at Google was already managing a billion identities with many times that number of transactions taking place monthly across 60 product areas

The management at scale of the collection of thing identities, the layering of what an identity means from very low level devices and how they may be connected to identified organizing identity such as a person (or house) the authorization and relationship management is a pretty interesting collection of security issues to deal with and could be proposed as a reasonable abstract.

--Andrew

--Andrew

On Wed, Jul 3, 2013 at 9:52 PM, Terry Gold wrote:

...

Hi Colin-

No buzzkill or offense taken. You raise really good and valid points.

I am not so convinced that RSA CFP committee however is as ruthless as they are political - am still reserving conclusions in that one.

As for the InfoSec community already being aware of the points 1-4, I would like to think I know the community well, and agree there is awareness, but it is context that is lacking. How 1-4 are inter related, progressions over time, and sequential progressions that got us here, and what pieces need to be clawed back for it to start to have a trajectory of balance.

There are some technical people in the RSA community, but many are not and not all are identity experts (or privacy beyond the corp enterprise) so I think there is value in discussing as long as it or not too high level and breaks things down quite more. It's easy to get lost in generalizations in panels where it's watered down and something g we wi work to avoid.

Lastly, my personal opinion is that Europe in general has a far better position on privacy than we do here in the US but if we go in guns blazing on a "how to do it like Europe" it will be counterproductive. Rather compare positions to expand the border beyond the US, as our data does as well.

My thoughts, although willing to accept I could be partly right or all wrong too -)

/t

Please excuse spelling errors - sent from my mobile device

On Jul 3, 2013, at 9:25 PM, Colin Wallis wrote:

...

At the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process.

I expect they will say that all 4 are pretty well known..

1 and 2 have been the subject of VRM, PDEC and now Custome rCommons for some time

3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA.

4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or peicemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance witha ll the risks of co-ordination, governance etc etc that that implies?...

But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory?

No July 4th for me, you can tell, eh? :-)

Cheers Colin

From: sal@idmachines.com To: tgold@idanalyst.com; stollman.j@gmail.com; Ingo.Friese@telekom.de Date: Tue, 2 Jul 2013 09:52:01 -0400 CC: joni@ieee-isto.org; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!

Terry, Jeff, Ingo,

Very good set of points Terry. Leakage in particular. UMA might help in that regard.

Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things.

I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives.

Look forward to the DG.

Sal

From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Terry Gold Sent: Tuesday, July 02, 2013 9:13 AM To: 'j stollman'; Ingo.Friese@telekom.de Cc: 'Joni Brennan'; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!

Hi Jeff-

I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is:

a) The convenience and pervasiveness of connected services

b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc)

c) Identity ownership and control s: evolution, impact, possibilities

d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook’s monetization model isn’t new just the way they collect it.

2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don’t agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services).

3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite “chatty” in this way). Basically, any that are “free” apps, are doing this so (and not disclosing) it’s a BIG problem.

4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out.

I am interested in collaborating and/or participating in the panel as well, up to you.

Regards,

Terry

-------------------------------

Terry Gold

iDanalyst LLC, Founder

Identity, Security & Privacy

t: 213-341-0433

m: 949-310-5911

tgold@IDanalyst.com

www.IDanalyst.com

Twitter: @IDanalyst

From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org]

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

I am intending to submit a proposal. The panel I am proposing will not all be members of the Kantara IoT discussion group. Jeff On Tue, Jul 16, 2013 at 1:31 AM, Colin Wallis wrote:

So taking a step back and moving on..... :-)...

I got a reminder note today about the deadline being 25th July.

So do we have one or two submissions on the go? from Terry, Sal, Jeff Ingo?

Cheers Colin

------------------------------ CC: colin_wallis@hotmail.com; joni@ieee-isto.org; dg-idot@kantarainitiative.org From: tgold@idanalyst.com

Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Date: Wed, 3 Jul 2013 23:17:02 -0700 To: andrew.nash@gmail.com

Andrew, didn't mean to offend. Was intended to point out that CFP outcomes can occur aside from being rigid and to try anyway with best effort.

I pointed to politics as one other factor due to my own experiences (with RSA). We can take offline if you are interested.

Apologies.

On Jul 3, 2013, at 10:19 PM, Andrew Nash wrote:

Terry,

having been engaged as part of the RSA Conference track committee over ten years I would suggest that your allusions to political decisions are highly uninformed - if you have tried to reduce 1400 submissions to 20abstracts for a single track you may gain some appreciation of the challenges.

Colins points are actually highly cogent and relevant, although there may be more leeway if you decided to submit to the privacy track

While the privacy aspect is important and relevant the same issues already exist in many different contexts my group at Google was already managing a billion identities with many times that number of transactions taking place monthly across 60 product areas

The management at scale of the collection of thing identities, the layering of what an identity means from very low level devices and how they may be connected to identified organizing identity such as a person (or house) the authorization and relationship management is a pretty interesting collection of security issues to deal with and could be proposed as a reasonable abstract.

--Andrew

--Andrew

On Wed, Jul 3, 2013 at 9:52 PM, Terry Gold wrote:

Hi Colin-

No buzzkill or offense taken. You raise really good and valid points.

I am not so convinced that RSA CFP committee however is as ruthless as they are political - am still reserving conclusions in that one.

As for the InfoSec community already being aware of the points 1-4, I would like to think I know the community well, and agree there is awareness, but it is context that is lacking. How 1-4 are inter related, progressions over time, and sequential progressions that got us here, and what pieces need to be clawed back for it to start to have a trajectory of balance.

There are some technical people in the RSA community, but many are not and not all are identity experts (or privacy beyond the corp enterprise) so I think there is value in discussing as long as it or not too high level and breaks things down quite more. It's easy to get lost in generalizations in panels where it's watered down and something g we wi work to avoid.

Lastly, my personal opinion is that Europe in general has a far better position on privacy than we do here in the US but if we go in guns blazing on a "how to do it like Europe" it will be counterproductive. Rather compare positions to expand the border beyond the US, as our data does as well.

My thoughts, although willing to accept I could be partly right or all wrong too -)

/t

Please excuse spelling errors - sent from my mobile device

On Jul 3, 2013, at 9:25 PM, Colin Wallis wrote:

At the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process.

I expect they will say that all 4 are pretty well known..

1 and 2 have been the subject of VRM, PDEC and now Custome rCommons for some time

3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA.

4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or peicemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance witha ll the risks of co-ordination, governance etc etc that that implies?...

But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory?

No July 4th for me, you can tell, eh? :-)

Cheers Colin

------------------------------ From: sal@idmachines.com To: tgold@idanalyst.com; stollman.j@gmail.com; Ingo.Friese@telekom.de Date: Tue, 2 Jul 2013 09:52:01 -0400 CC: joni@ieee-isto.org; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!

Terry, Jeff, Ingo,

Very good set of points Terry. Leakage in particular. UMA might help in that regard.

Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things.

I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives.

Look forward to the DG.

Sal

*From:* dg-idot-bounces@kantarainitiative.org [ mailto:dg-idot-bounces@kantarainitiative.org] *On Behalf Of *Terry Gold *Sent:* Tuesday, July 02, 2013 9:13 AM *To:* 'j stollman'; Ingo.Friese@telekom.de *Cc:* 'Joni Brennan'; dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today!

Hi Jeff-

I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is:

a) The convenience and pervasiveness of connected services b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc) c) Identity ownership and control s: evolution, impact, possibilities d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook’s monetization model isn’t new just the way they collect it. 2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don’t agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services). 3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite “chatty” in this way). Basically, any that are “free” apps, are doing this so (and not disclosing) it’s a BIG problem. 4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out.

I am interested in collaborating and/or participating in the panel as well, up to you.

Regards, Terry

------------------------------- Terry Gold *iDanalyst LLC, **Founder*** *Identity, Security & Privacy* t: 213-341-0433 m: 949-310-5911

tgold@IDanalyst.com www.IDanalyst.com http://www.idanalyst.com/ Twitter: @IDanalyst

*From:* dg-idot-bounces@kantarainitiative.org [ mailto:dg-idot-bounces@kantarainitiative.org]

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

-- Jeff Stollman stollman.j@gmail.com 1 202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck

Hi Collin, I'll submit a 20 min speaker proposal. I thought of a panel discussion first, but it's really hard to bring friction in the discussion. To introduce concepts of "IDoT" to me a 20 min session seems to be more appropriate. Best, Ingo From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Colin Wallis Sent: Dienstag, 16. Juli 2013 07:31 To: Terry Gold; Andrew Nash Cc: Joni Brennan; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! So taking a step back and moving on..... :-)... I got a reminder note today about the deadline being 25th July. So do we have one or two submissions on the go? from Terry, Sal, Jeff Ingo? Cheers Colin ________________________________ CC: colin_wallis@hotmail.commailto:colin_wallis@hotmail.com; joni@ieee-isto.orgmailto:joni@ieee-isto.org; dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org From: tgold@idanalyst.commailto:tgold@idanalyst.com Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Date: Wed, 3 Jul 2013 23:17:02 -0700 To: andrew.nash@gmail.commailto:andrew.nash@gmail.com Andrew, didn't mean to offend. Was intended to point out that CFP outcomes can occur aside from being rigid and to try anyway with best effort. I pointed to politics as one other factor due to my own experiences (with RSA). We can take offline if you are interested. Apologies. On Jul 3, 2013, at 10:19 PM, Andrew Nash mailto:andrew.nash@gmail.com> wrote: Terry, having been engaged as part of the RSA Conference track committee over ten years I would suggest that your allusions to political decisions are highly uninformed - if you have tried to reduce 1400 submissions to 20abstracts for a single track you may gain some appreciation of the challenges. Colins points are actually highly cogent and relevant, although there may be more leeway if you decided to submit to the privacy track While the privacy aspect is important and relevant the same issues already exist in many different contexts my group at Google was already managing a billion identities with many times that number of transactions taking place monthly across 60 product areas The management at scale of the collection of thing identities, the layering of what an identity means from very low level devices and how they may be connected to identified organizing identity such as a person (or house) the authorization and relationship management is a pretty interesting collection of security issues to deal with and could be proposed as a reasonable abstract. --Andrew --Andrew On Wed, Jul 3, 2013 at 9:52 PM, Terry Gold mailto:tgold@idanalyst.com> wrote: Hi Colin- No buzzkill or offense taken. You raise really good and valid points. I am not so convinced that RSA CFP committee however is as ruthless as they are political - am still reserving conclusions in that one. As for the InfoSec community already being aware of the points 1-4, I would like to think I know the community well, and agree there is awareness, but it is context that is lacking. How 1-4 are inter related, progressions over time, and sequential progressions that got us here, and what pieces need to be clawed back for it to start to have a trajectory of balance. There are some technical people in the RSA community, but many are not and not all are identity experts (or privacy beyond the corp enterprise) so I think there is value in discussing as long as it or not too high level and breaks things down quite more. It's easy to get lost in generalizations in panels where it's watered down and something g we wi work to avoid. Lastly, my personal opinion is that Europe in general has a far better position on privacy than we do here in the US but if we go in guns blazing on a "how to do it like Europe" it will be counterproductive. Rather compare positions to expand the border beyond the US, as our data does as well. My thoughts, although willing to accept I could be partly right or all wrong too -) /t Please excuse spelling errors - sent from my mobile device On Jul 3, 2013, at 9:25 PM, Colin Wallis mailto:colin_wallis@hotmail.com> wrote: At the risk of being a kill joy, I think that Terry's list below, while worthy, won't get accepted by RSA's pretty ruthless submission acceptance process. I expect they will say that all 4 are pretty well known.. 1 and 2 have been the subject of VRM, PDEC and now Custome rCommons for some time 3 is less well known to the public, but to the RSA audience, I would have thought 'well known'.. if the panel had real answers to how to restrict or manage that, such as the European based PICOS and ABC4Trust groups have (google those with Kai Rannenburg) then we might have a chance with RSA. 4) is topical, but may not be in 6 months, and RSA may be sensitive around the topic for its own 'relationship managment' reasons .. :-). that said..yea, there is a wider Governance story to tell there..and a story about which is better? broad surveillance with very good governance? or peicemeal organically built up surveillance based on a concern from one party of another, that communicated to parties x, y, and z to enact the surveillance witha ll the risks of co-ordination, governance etc etc that that implies?... But it's well off Kantara's patch... are you sure we are not better to start back with the IdoT problem space and build out to a place where we have both the expertise and it is relatively new territory? No July 4th for me, you can tell, eh? :-) Cheers Colin ________________________________ From: sal@idmachines.commailto:sal@idmachines.com To: tgold@idanalyst.commailto:tgold@idanalyst.com; stollman.j@gmail.commailto:stollman.j@gmail.com; Ingo.Friese@telekom.demailto:Ingo.Friese@telekom.de Date: Tue, 2 Jul 2013 09:52:01 -0400 CC: joni@ieee-isto.orgmailto:joni@ieee-isto.org; dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Terry, Jeff, Ingo, Very good set of points Terry. Leakage in particular. UMA might help in that regard. Identities of things is an interesting topic not the least in the sense that you have device, owners and users all of which bring their identities into things. I would be interested in the panel as well. I have some experience around SCADA and transport to help bring those perspectives. Look forward to the DG. Sal From: dg-idot-bounces@kantarainitiative.orgmailto:dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Terry Gold Sent: Tuesday, July 02, 2013 9:13 AM To: 'j stollman'; Ingo.Friese@telekom.demailto:Ingo.Friese@telekom.de Cc: 'Joni Brennan'; dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] FW: RSA U.S. Call for Speakers Now Open! Submit Today! Hi Jeff- I think you are spot-on. We can continue to define technical frameworks (and we will ;-) but the big storm brewing is: a) The convenience and pervasiveness of connected services b) Collection and monetization of data (can debate and categorize what is PII or not and how it is still usable, etc) c) Identity ownership and control s: evolution, impact, possibilities d) Challenges and impact on business models, and individuals as this battle looms.

From my perspective, there are four levels to this dilemma that should be reviewed/clarified for the audience:

1. Legacy models like the credit bureaus. They have long collecting everything, are bureaucratic, and monetize data in many ways. Facebook's monetization model isn't new just the way they collect it. 2. Opt-in relationships: Such as Facebook. We may be opted-in when we sign up (don't agree with that by the way) but we do consciously sign up for the relationship and is intended to share on some level (unlike my mortgage account or my vehicle records or services). 3. Leakage: The usage of a service that does not disclose that it is collecting data, or irresponsibly leaks your data to another service (lots of mobile apps are quite "chatty" in this way). Basically, any that are "free" apps, are doing this so (and not disclosing) it's a BIG problem. 4. Government Surveillance: PRISM, etc. For me, the debate on this is two-fold, not only the legality but the controlled usage of any collected data. Obvious, but just to point out. I am interested in collaborating and/or participating in the panel as well, up to you. Regards, Terry ------------------------------- Terry Gold iDanalyst LLC, Founder Identity, Security & Privacy t: 213-341-0433 m: 949-310-5911 tgold@IDanalyst.commailto:tgold@IDanalyst.com www.IDanalyst.comhttp://www.idanalyst.com/ Twitter: @IDanalyst From: dg-idot-bounces@kantarainitiative.orgmailto:dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot