
Subject: RE: [EXTERNAL] [pmrm] Draft Agenda - PMRM TC Meeting 12 May 2015


The link to information for this is: http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html

Summary from this link:

NIST requests comments on SP 800-63-2, Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance (LOA) that are specified in the Office of Management and Budget (OMB) memorandum M-04-04, E-Authentication Guidance for Federal Agencies. Please send questions and comments by May 22, 2015 to eauth-comment@nist.gov.


These are the comments that VA and the OASIS Trust Elevation group have come up with:

Recommendation: Address privacy risks through user-centric risk assessment

As a consequence of being driven by a system-centric risk assessment, NIST 800-63-2 does not sufficiently address the privacy concerns of users. For the most part the document does not address core privacy principles identified by NSTIC (the TFPAP added some to the FICAM mix), but it also fails to address privacy as it relates to selection of attributes to present to the world, e.g. a persona. For example, Steve operating as a private citizen (G2C) and accessing a government service has different privacy expectations than Steve, acting as an employee of a contracting company and accessing a government system as part of a job assignment. One size does not fit all. Definition of privacy requirements and inclusion in certain profiles will enable identity services that meet a broader range of privacy needs.

Recommendation: Incorporate Privacy Terms

Suggest incorporating the following privacy terms in the updated model:

• anonymity: the property of a service of not disclosing identifying information about users.

• pseudonymity: the property of a service that permits users to identify themselves by aliases and other unverified names.

• reversible pseudonymity: the property of a service that performs identity proofing during registration but permits users to identify themselves by aliases and other unverified names. Identified authorities are permitted to obtain the verified name of the user under controlled circumstances.

• unlinkability: the property of a service that prevents disclosure of multiple accesses of a service or resource by the same user.

Recommendation: Add a privacy component for each of the LOAs.


Diana Proud-Madruga, CISSP, GSEC

Veterans Health Administration, Security Analyst

Engility Corporation

(619) 467-5568 (Office)

dproud-madruga@drc.com

diana.proud-madruga@va.gov


-----Original Message-----
From: pmrm@lists.oasis-open.org [mailto:pmrm@lists.oasis-open.org] On Behalf Of John Sabo
Sent: Monday, May 11, 2015 4:47 PM
To: pmrm@lists.oasis-open.org
Subject: [EXTERNAL] [pmrm] Draft Agenda - PMRM TC Meeting 12 May 2015


PMRM TC Members:

Here is the draft agenda for the TC Meeting of 12 May 2015.  Please let me know if you have any additions.  Thanks.

Welcome and Introductions

Report on EIC 2015 and privacy/IoT track

Update on OASIS London Conference 8-9 July 2015

Update on Use Case - Gershon Janssen

Discussion: PRIPARE Methodology Draft - John Sabo

Possible Comments on Revision of NIST SP-800-63 - Diana Proud-Madruga

Further Discussion: PMRM Revision (Glossary, Committee Notes, etc.) and Outreach

Member Reports and Other Business

John


John Sabo

Chair, PMRM TC
