Attendees
- Abdul Sattar
- Drummond Reed
- Jan Lindquist
- Kaliya Young, WG Co-chair
- Lisa Rabenau
- Michael Becker
- Pagona Tsormpatzoudi
- Peter Davis
- Robin Renwick
- Trev Harmon
- Zsombor Szabo
Agenda Items
Time | Item | Who |
---|---|---|
2 min | Welcome & Antitrust Policy Notice | Trev |
10 min | Review of Work to Be Completed | Pagona |
 | Discussion on Principles | Everyone |
3 min | Wrap up | Pagona |
Recording - Link
Notes
- Did the IP / antitrust announcement.
- The Google document is the place where everyone can put their ideas, regardless of structure. We’ll be editing the input, so don’t worry about format right now.
- We are meeting on Tuesdays and Thursdays at the same time.
- We need to get all of the main ideas into the document; otherwise we won’t have enough time to edit.
- Reviewed the timeline for the next couple of months.
- Reviewed the three different zones.
- Reviewed the set of principles listed in the Google document.
- Had a discussion regarding data minimization.
- Discussing data binding, Drummond noted:
  - Zone 1 is all about gathering the data regarding the event.
  - Zone 2 deals with identity binding as part of the credential issuance, as Zone 3 needs to be able to know that the credential belongs to the specific person.
  - The level of assurance in Zone 3 cannot be any higher than the level of assurance done in Zone 1 and Zone 2. Zone 2 can add additional binding information, which may raise the level of assurance.
- Peter asked why we would want to entangle data minimization requirements with levels of assurance.
- We talked through how the principles apply across the zones:
  - Zone 1: Don’t collect more information than you need.
  - Zone 2: Don’t collect more information than you need to do binding.
  - Zone 3: Don’t ask for more information than you need.
- Had a discussion regarding data quality.
- Peter pointed out that regulation tends to require this (e.g., GDPR requires that data be accurate, and that there is a method by which to correct incorrect data).
- Had a discussion regarding consent and the related data. It was proposed that we document requirements for the recording of notice and consent.
- The risk assessment needs to be part of the governance framework.
- Had a discussion regarding how one proves that a specific solution meets security and privacy requirements.
- The individual needs to be at the center of all of this.
- The GHPC Steering Committee has recently had conversations regarding both a certification program and a test suite.
- The Governance Framework group is also looking at a method for certifying other frameworks.
- Discussed how certification would work and may apply.
Chat Log
Action Items
- All main ideas need to be in the document by Friday, April 16th.
- Jan to bring information next time regarding defining a code of conduct.