January 16, 2008
Liberty Alliance Project
ID Theft SIG
Conference Call
Meeting Notes
Wednesday, January 16, 2008
9:00 AM PT / 12:00 PM ET / 17:00 UTC
Author: Kurt Kolok
Attendees:
- Bob Pinheiro, Independent Contributor (Chair)
- Abhilasha Bhargav-Spantzel, Purdue University
- Paul Biciunas, Fidelity Investments
- Steve Bramson, Omnibranch
- Kevin O’Neill, CYVA
- John Hopkinson, EWA Information & Infrastructure Technologies, Inc.
- Britta Glade, Liberty Staff
- Kurt Kolok, Liberty Staff
The following was excerpted from the email introduction sent out by the SIG Chair (Bob Pinheiro):
John P. Hopkinson, Security Strategist at EWA Information & Infrastructure Technologies Inc., and Chief Technical Officer (and Past President) of ISSEA, the International Systems Security Engineering Association, will provide a short overview of information security and privacy standards developed by ISO (the International Organization for Standardization). John will also provide some additional perspective about the relationship of Canadian Information and Privacy Commissioners to standards, as well as how standards support the work of the Privacy Commissioners.
John joined /IIT in May 2001 and is responsible for /IIT’s Standards and Consortia activities and liaison. He develops strategies with regard to standards and consortia activities, and action plans to fulfill those strategies. John has over 35 years of experience in the security field in the military and commercial sectors. He has conducted research in many areas related to information technology security, with a particular focus on assurance, risk analysis, risk management, and security metrics. John was a key contributor to the development of the SSE-CMM, and responsible for its conversion into an ISO/IEC standard, 21827.
Liberty has a new Identity Assurance Expert Group (IAEG) that is currently looking at existing federations (medical, auto industry, etc.). This group is looking at privacy issues, the standards being discussed, and so on. The eGov SIG would like to be able to make a recommendation to Liberty based on some of these implementations and standards.
Only three (3) organizations are recognized under the WTO TBT. The joint body of ISO and IEC (JTC1) produces base standards that are not specific to any business domain. These standards are neutral and are intended to be usable in any of those domains. JTC1 is linked by liaison to a large number of external organizations (for example, LAP, IEEE, W3C, etc.).
SC27 was recently reorganized and currently has five (5) working groups. Working group #5 (WG5) deals with privacy protection standards and identity management. ISO is driven by consensus, but not unanimity. ISO's representatives are its 149 member nations. Each WG has 10-50 different projects that it is working on. ITU has not yet issued a project (standard) to develop. It is highly probable that the identity project of WG5 will become a joint activity of ITU and ISO.
How do you manage identity across a Nokia handset in a wireless scenario? ITU is the backbone and JTC1 is the local networking aspect. ITU adopts JTC1 standards and the two work together. Most of SC27's standards take into account both the physical and personnel aspects of security, even though those are not the target of the standards.
How is something incorporated if it is considered out of scope? Do you point to another document? There is no other technical committee in ISO or IEC for this area, so it would not be passed off to another group. There is an internal liaison that would work to produce a standard with another standards body. SC27 has 30 or so internal liaisons to different technical communities.
The group might establish the framework for PII, but would not establish all of the actual pieces of data that make up PII. That would vary depending upon the various domains.
Is that framework described in a standard itself? Yes. Slide 31 is not up-to-date; the newer standards (all of the WG work) are not included in the presentation that was sent out. There is a public website at http://www.jtc1sc27.din.de/en. Document 6117 is in the catalog.
Re: authorization language: How do you authenticate? How do you authorize? Look at the identity project; it is not currently getting into a rights expression language.
What is the relationship between ISO standards and the data and privacy commissioners? It is the privacy commissioner's function to uphold the laws of their country. Each country has a written law relating to the protection of privacy within that country and to the external flow of information. Standards are not part of that law, but standards may be empowered by regulation. Within the privacy domain, there are not many international standards that are enforced or empowered by regulation. The function of the standards is to support the legislation. The privacy rules and requirements are different within the EU and Canada. They may be related to the OECD principles or similar from one country to another, but they are not the same. There is no consistent set of principles that they can work against. The data commissioners have been asked to assist. There is a privacy framework and a privacy reference architecture; these are new projects (works in progress).

Not all of the items in the catalog are works in progress; some have been published. Where an item is marked 'WD', the document is in the early stages of development and has not yet been published. Some standards are available at no cost (go to www.JDC1.org and follow the link to 'fully available'). ISO will sell some standards that are available for free through JTC1 and may be on the JTC1 website. ANSI sells some of the standards for a lower price. If you look up the number of the standard you are looking for, its price will come up. ISO is supported by the development and sale of the standards (thus the need to charge for them).
There is a lot that lies outside of privacy protection that SC27 cannot deal with. A greater number of aspects fall into the work of JTC1. It could create a subcommittee that would develop standards relating to privacy, but not to privacy protection (which is being dealt with by SC27). There is ongoing national-level activity in Canada looking at how to tackle privacy standards in a broader context. ICT represents 60-70% of total specifications from privacy standards.