Julie Bisland's Personal Meeting Room - Shared screen with speaker view
bburr
40:17
Hello all
Thomas Rickert (ISPCP)
46:42
hi all, fyi - I cannot listen, but only read atm.
Marc Anderson (Verisign / RySG)
49:04
link to the new version of F and J
Marc Anderson (Verisign / RySG)
49:05
https://docs.google.com/document/d/1-90NgBnkZt8mRL2acJUPOwoIkx5clvXlCaCC3RAOGWU/edit
Milton Mueller (NCSG)
51:46
do you conceive of the OAuth credential as a one-off grant or as something that is given out for each request?
Milton Mueller (NCSG)
53:23
good distinction, Alex
Sarah Wyld (RrSG)
53:25
I like the idea of splitting out the Identity Cred from the Authorization Cred
Milton Mueller (NCSG)
53:35
(Revocation vs. De-accreditation)
James Bladel (RrSG)
54:08
Not sure we would be revoking the authorization vs. identity. Can you revoke someone’s identity?
Brian King (IPC)
56:11
Mostly if they're Matt Damon
Brian King (IPC)
57:27
In seriousness, yes the identity could include your role at an organization. If you retire, the identity cred could be revoked.
Mark Svancarek (BC)
58:11
You can revoke any sort of cert you like. Not different from revoking my marksv@ntdev.microsoft.com identity credentials if I leave Microsoft. Note that in Microsoft access authorizations are often separate from authorizations; anyone can access the library, not everyone can access the O365 project plans.
Alex Deacon (IPC)
58:22
OAuth credential (Authorization Credential) is newly issued per request unlike the OpenID (Identity Credential) which is more static.
Alex Deacon (IPC)
58:25
and can be "revoked"
Mark Svancarek (BC)
58:40
sorry - "Note that in Microsoft access authorizations are often separate from identity"
Amr Elsadr (NCSG)
59:38
I’m sorry…, where are we?
Sarah Wyld (RrSG)
59:51
Amr - definition of credential
Amr Elsadr (NCSG)
01:00:20
Thanks, Sarah.
Alex Deacon (IPC)
01:09:30
@Hadia - agree we should move text regarding “automation/automatic” to the NEW building block on automation.
Alex Deacon (IPC)
01:11:55
@James - you can revoke someone's Identity Credential.
Sarah Wyld (RrSG)
01:15:35
If non-accredited users can make requests for non-public data via the SSAD, what is the purpose of accreditation? Accreditation should be required for all users (individuals or organizations), as part of the process to confirm their lawful basis for data disclosure. If the Rr/Ry has a process to take direct requests (as required under Rec 18 from Phase 1 Final Report) there would be no need for non-accredited entities to request data via SSAD.
Alan Woods (RYSG)
01:15:37
I was wondering the same Sarah. Thank you for raising.
Brian King (IPC)
01:16:14
Thanks, Sarah. In particular, I really like the perspective that Marc Anderson submitted on the list.
Sarah Wyld (RrSG)
01:18:47
Brian, I'm not finding Marc's perspective that you refer to, can you link me or give more info?
Milton Mueller (NCSG)
01:18:50
good point James
Marika Konings
01:18:54
And thanks Sarah for pointing out where RrSG comments may not have been addressed yet - and of course, do feel free to re-add them to this latest version of the google doc.
Sarah Wyld (RrSG)
01:19:32
Thanks Marika, I think we will need to do that
Marika Konings
01:20:09
And it would be great if you could add them directly to to google doc - that will also allow others to respond / react to them.
Brian King (IPC)
01:20:17
@Sarah sent to you via email
Sarah Wyld (RrSG)
01:21:04
Thanks Brian
Sarah Wyld (RrSG)
01:21:15
Marika, understood! Thanks.
Alan Greenberg (ALAC)
01:21:57
SSAD access with no accreditation guarantees no automation assistance but does ensure that requests are properly logged and tracked.
Sarah Wyld (RrSG)
01:23:02
I liked what Janis suggested, that the first step of the request needs to be getting accredited.
Alan Woods (RYSG)
01:23:32
Based on what is being said, this is of course just bolstering the fact that the RrSG comments relating to this specific conundrum should be considered formally …
Amr Elsadr (NCSG)
01:23:38
@Sarah: +1
Hadia Elminiawi (ALAC)
01:24:35
Why not also allow the data subjects to access their data through the SSAD, why do we need multiple paths?
Alan Woods (RYSG)
01:25:03
...because the law....
Sarah Wyld (RrSG)
01:25:09
Hadia we have discussed that before, the SSAD is intended for disclosure to third parties
James Bladel (RrSG)
01:25:17
@Chris - agree. It would be moving the non-uniform use cases from existing facilities in to SSAD
Amr Elsadr (NCSG)
01:25:53
@Hadia: Why would registrants want to deal with anybody other than their chosen registrar or reseller?
Amr Elsadr (NCSG)
01:26:17
I’m honestly wondering if there is some perk for registrants to do this? Any incentive?
Alan Woods (RYSG)
01:26:56
apologies … flippancy aside. it is a legal duty of the controller of data (speaking about EU data as an example) to address a data subject's data access request.
Hadia Elminiawi (ALAC)
01:27:02
@Alan no law says that data subjects cannot obtain their data through the SSAD. Within the SSAD we have multiple paths for compliant with law
Hadia Elminiawi (ALAC)
01:27:34
compliance with
Alan Woods (RYSG)
01:28:19
no but it does say that they must be able to exercise their rights against ALL controllers.... nothing us few folk discussing this will change that.
Hadia Elminiawi (ALAC)
01:28:36
In all cases the use of the SSAD by data subjects is certainly not necessary
Amr Elsadr (NCSG)
01:29:04
Apart from it being unnecessary, is it desirable for some reason that I’m missing?
Alan Woods (RYSG)
01:29:12
nope...… but if the SSAD is a controller … then it has a legal obligation to do so also.
Amr Elsadr (NCSG)
01:29:40
SSAD is a system, not a Controller, right?! :-)
Milton Mueller (NCSG)
01:30:20
No one is talking about "Not having" a SSAD, Laureen. We are just saying they should all be accredited
Brian King (IPC)
01:30:20
agreed, Laureen
Mark Svancarek (BC)
01:30:31
SSAD is a system connecting requestors to controllers
Margie Milam (BC)
01:30:57
+1 Laureen
Milton Mueller (NCSG)
01:31:13
all _users_ should be accredited, that is.
Sarah Wyld (RrSG)
01:31:17
I would think that everyone needing to be accredited makes this a MORE uniform experience for everyone?
James Bladel (RrSG)
01:31:27
The first “S” in SSAD is for Standardized.
Brian King (IPC)
01:31:45
"accreditation" for one-off users could be as minimal as confirming one's email address
Milton Mueller (NCSG)
01:32:16
and signing an AUP
Brian King (IPC)
01:32:19
some de minimis accreditation criteria for anyone
Brian King (IPC)
01:32:27
and signing an AUP of course
Alex Deacon (IPC)
01:33:17
@James - the charter describes what we are describing as a system. “System for Standardized Access to Non-Public Registration Data “ Page 7
Sarah Wyld (RrSG)
01:33:43
Either way, one of the two S's in SSAD is for "Standardized" :)
Amr Elsadr (NCSG)
01:33:50
I’m confused. Even if a requestor is not accredited, the first steps to processing the disclosure request would include whatever is already in the accreditation process. What’s the problem we’re trying to fix?
James Bladel (RrSG)
01:34:14
Ah, second “S” then. But the point of my snark is that allowing uncredentialed requestors to access SSAD would introduce non-standard uses
Milton Mueller (NCSG)
01:36:22
A minimal charge for a one-off accreditation for individual users could be worked out
Milton Mueller (NCSG)
01:37:31
all users accredited: Yes.
Sarah Wyld (RrSG)
01:37:41
+1 to all users being accredited.
Milton Mueller (NCSG)
01:37:43
Those without accreditation cannot use SSAD, full stop
Brian King (IPC)
01:37:55
or free accreditation allows for only a small number of queries, anything more requires "advanced accreditation"
Mark Svancarek (BC)
01:37:57
Consensus
Sarah Wyld (RrSG)
01:38:01
I'm not sure it even needs to be simplified? Do we have a set of what is required that we could compare for long-term vs one-time users?
Laureen Kapin (GAC)
01:38:34
I agree that the public needs to be able to establish their identity and meet certain standards -- but the one-off public request would require different standards (likely simpler and less onerous than formal user groups).
Alex Deacon (IPC)
01:38:49
Those without accreditation can continue to use Phase 1 Rec 18 process. That doesn’t go away when SSAD appears.
Sarah Wyld (RrSG)
01:38:53
Laureen, I'm open to that but I don't think we've really defined it yet
Sarah Wyld (RrSG)
01:39:10
So far, it looks like the info we are considering for accreditation would be what we need for any user
Milton Mueller (NCSG)
01:39:24
No Laureen, any difference in standards will be heavily and aggressively arbitraged.
Laureen Kapin (GAC)
01:39:29
Sarah, I agree -- that would need to fleshed out.
Milton Mueller (NCSG)
01:39:35
Accreditation processes and standards must be uniform
Sarah Wyld (RrSG)
01:39:35
Thanks Laureen, sounds good
Sarah Wyld (RrSG)
01:40:04
Alex re the Phase 1 Rec 18 process - yes, but I'd rather have this SSAD be the single central point for disclosure requests wherever possible. That should be an exception, not a general standard for a group of users
Brian King (IPC)
01:40:20
It seems we might have consensus that in general we should require all users to be accredited?
Mark Svancarek (BC)
01:41:42
+1 same AUP
Amr Elsadr (NCSG)
01:41:44
@Janis: I don’t see how those safeguards would not be applicable to a one-time Requestor. If the Requestor doesn’t want to keep the login credentials, up to him/her/it.
Sarah Wyld (RrSG)
01:41:50
+1 Amr
Amr Elsadr (NCSG)
01:42:20
One time Requestor, or repeat offender (joke) should be subject to the same safeguards.
Amr Elsadr (NCSG)
01:43:07
@Greg: +1
Sarah Wyld (RrSG)
01:43:57
Shouldn't we try to funnel all requests through SSAD?
Sarah Wyld (RrSG)
01:44:03
our goal here is one system to rule them all
James Bladel (RrSG)
01:44:06
Sounds like we’re hovering around consensus on this. Perhaps we should make some recommendation about providing facilities to serve one off users and then keep everything in SSAD accredited.
Milton Mueller (NCSG)
01:44:42
$1 is a large fee?
Alan Greenberg (ALAC)
01:45:12
When did we set the accred. fee at $1?
Alex Deacon (IPC)
01:47:30
how about “and data as required in Building Block A” or something?
Amr Elsadr (NCSG)
01:47:39
@Alan W: +1. We might want a comprehensive list of this in our policy recommendation.
Amr Elsadr (NCSG)
01:48:02
@Alex: Yeah…, that could work.
Alan Woods (RYSG)
01:48:26
It's pure nit-picky, I know! :)
Alan Woods (RYSG)
01:48:32
Yes thanks Alex!
Amr Elsadr (NCSG)
01:48:40
Actually, I’m not sure this bullet belongs in this building block at all?
Alan Woods (RYSG)
01:50:13
Based on f) the "purpose of a request" may change based on the individual request … not too comfortable with that
Amr Elsadr (NCSG)
01:53:22
@Alex: Agree that validation is necessary, but some form of verification of identity would still be necessary, right? Need to be sure that the requestors are indeed who they say they are, no?
Sarah Wyld (RrSG)
01:53:38
Amr doesn't the accreditation authority do that?
Amr Elsadr (NCSG)
01:54:09
I would imagine so, Sarah. Wouldn’t some indication of that need to be included here?
Sarah Wyld (RrSG)
01:54:22
Oh! Yeah, probably a good idea :)
Alex Deacon (IPC)
01:55:33
@alan -agree - I didn’t want to sign us up to do a Code of Conduct but set the foundation to allow us to do so if we wanted to in the future.
Alex Deacon (IPC)
01:56:33
@amr - yes. I’ll try to clean that up.
Sarah Wyld (RrSG)
01:56:55
We could say "user" instead of "individual/entity"
Alan Woods (RYSG)
01:57:04
as long as we are clear we are dancing on the line here, that's absolutely fine … as in truth it would be a gold standard for us .. I would love it! :) but the EPDP will be long gone by the time we achieve it!
Brian King (IPC)
01:58:17
ICANN doesn't know what it means either (joke)
Sarah Wyld (RrSG)
01:58:30
Right - this section is a good start but needs to be fleshed out
Amr Elsadr (NCSG)
01:59:18
@Alex: It’s been pointed out to me that verification of identity is also detailed in sub-point “e”, which I missed, so we’re probably good. Thanks.
Alex Deacon (IPC)
01:59:31
@james - it is the nuclear option
Alan Woods (RYSG)
01:59:32
when dealing with data rights ….. I would think so James.
James Bladel (RrSG)
02:00:40
Let’s flag that for further work on (r). What happens to outstanding credentials if we revoke an authority?
Mark Svancarek (BC)
02:01:02
+1 Alex and AlanW. Agree with James that this should be defined.
James Bladel (RrSG)
02:03:54
Yep, this was part of the RrSG comments. Agree with Alex
Alan Woods (RYSG)
02:03:56
+1
Chris Lewis-Evans (GAC)
02:04:01
+1 alex
Alan Woods (RYSG)
02:04:28
don't think we are anywhere near that Brian.
Sarah Wyld (RrSG)
02:05:25
Footnote on the topic makes sense
Chris Lewis-Evans (GAC)
02:05:33
The accreditation service should be part of a cost-recovery system, as defined in @fees building block?
Marika Konings
02:13:53
See also: https://docs.google.com/document/d/1eZBzRclRtEXPp1EScDfftnfnv9tneD7ovxmGe84BQz4/edit
Alan Woods (RYSG)
02:19:42
we should also put in a place holder of "Who the controller is!"
Thomas Rickert (ISPCP)
02:21:49
alan +1
Thomas Rickert (ISPCP)
02:22:07
that is the first thing a pp should mention
Sarah Wyld (RrSG)
02:22:16
+1 Alan & Thomas
Hadia Elminiawi (ALAC)
02:22:39
@Margie makes sense
Alan Woods (RYSG)
02:31:52
dear all . I must drop early. Apologies. Talk to you next week.
Marika Konings
02:32:07
This was language that was developed during the LA F2F meeting (the one in which Milton is quoted).
Marika Konings
02:35:58
one question we had is whether we are still talking here about purposes with a capital P (as outlined in GDPR) or is this a rationale that is provided by the third party (as this is not about purposes for the collection of data)?
Marika Konings
02:38:59
Correct, as well as the policy principles from the zero draft
Mark Svancarek (BC)
02:39:42
Dropping now, talk to you next week!
Sarah Wyld (RrSG)
02:39:59
Thanks, all
James Bladel (RrSG)
02:40:09
Thanks.
Julf Helsingius (NCSG)
02:40:13
Thanks!
Chris Lewis-Evans (GAC)
02:40:17
Thanks all
Amr Elsadr (NCSG)
02:40:41
Thanks all. Bye.