NSTIC draft charter August 2012 w comments

377 views

Published on

NSTIC proposed Charter from NIST, with substantial
annotations.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
377
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

NSTIC draft charter August 2012 w comments

  1. 1. NSTIC STEERING GROUP: NIST February 2012 DRAFT CHARTER with AUGUST 2012 JBC EDITS Type-set version with line numbers, and proposed corrections and comments. Note, this analysis has multiple annotations and amendments that may not be needed at the initial Steering Group meetings. For a simpler version, see the ASCII file "NSTICdraftCharterFebruary2012.txt" at Slideshare (http://www.slideshare.net/JamieXML/nstic-draft-bylaws-july-2012) or Google Docs: (http://j.mp/MVwfNC) See end of document for production information. • [Square brackets] and struckthrough text indicate proposed changes. Amendments listed at end of document. • <Angle brackets> include this editors unofficial cross-references, and <**type of amendment>. • {Curly brackets} indicate original NIST footnotes, with added hyperlinks and some abbreviations. 1 RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP 2 1. Identity Ecosystem Steering Group Charter. 3 The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy), signed by President Obama in 4 April 2011, acknowledges and addresses a major weakness in cyberspace – a lack of confidence and assurance 5 that people, organizations, and businesses are who they say they are online. {NIST fn1: The full Strategy can 6 be found at: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.} Additionally, 7 in the current online environment, individuals are asked to maintain dozens of different usernames and 8 passwords, one for each website with which they interact. The complexity of this approach is a burden to 9 individuals, and it encourages behavior – such as the reuse of passwords – that makes online fraud and identity10 theft easier. At the same time, online businesses are faced with ever-increasing costs for managing customer11 accounts, the consequences of online fraud, and the loss of business that results from individuals’ unwillingness12 to create yet another account. Moreover, both businesses and governments are unable to offer many services13 online, because they cannot effectively identify the individuals with whom they interact. Spoofed websites, stolen14 passwords, and compromised accounts are all symptoms of inadequate authentication mechanisms. {NIST fn2:15 Strategy, April 2011, [p.] 1.} <**A: Typo.>16 The Identity Ecosystem envisioned in the NSTIC is an online environment that will enable people to validate their17 identities securely, but with minimized disclosure of personal information when they are conducting transactions.18 The vibrant marketplace created by the Identity Ecosystem will provide people with choices among multiple19 accredited identity providers, both private and public, and choices among multiple credentials. For example,20 imagine that a student could get a digital credential from her cell phone provider and another one from her21 university and use either of them to log-in to her bank’s website, her e-mail, three social networking sites, four22 online commerce sites, and so on, all without having to remember dozens of passwords. The added23 convenience, security, and privacy provided within the Identity Ecosystem will allow additional services to be put24 online to drive greater economic growth. Notwithstanding the objective to improve identification and25 authentication in cyberspace for certain types of transactions, not all Internet activities have such needs. Thus,26 the capacity for anonymity and pseudonymity will be maintained in the envisioned Identity Ecosystem.27 A core tenet of the NSTIC is that its implementation must be led by the private sector. The NSTIC calls for the28 Federal Government to work collaboratively with the private sector, advocacy groups, public sector agencies,29 and other organizations to improve the processes by which online transactions are conducted. The Strategy30 itself was developed with substantial input from both the private sector and the American public. The National31 Institute of Standards and Technology (NIST), which has been designated to establish a National Program Office32 to lead the implementation of the NSTIC, recognizes that a strong and vibrant public-private partnership is33 necessary to execute the Strategy’s vision in a way that supports the wide range of interactions that occur over34 the Internet. As such, NIST is leading the effort to fulfill the NSTIC’s call for government to work in close35 partnership with the private sector and other relevant stakeholder groups to, “(Establish a steering group to)36 administer the process for policy and standards development for the Identity Ecosystem Framework in37 accordance with the Guiding Principles in (the) Strategy. The steering group will also ensure that accreditation38 authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.” {NIST39 fn3: Strategy, April 2011, p. 25.}
  2. 2. 40 1.1. Mission. The Mission of the Steering Group shall be to govern and administer the Identity Ecosystem41 Framework in a manner that stimulates the development and sustainability of the Identity Ecosystem. The42 Steering Group will always operate in accordance with the NSTIC’s Guiding Principles.43 1.1.1. Objectives. The activities and work products of the Steering Group shall be conducted in support44 of the following objectives:45 * Ensure that the Identity Ecosystem and Identity Ecosystem Framework conform to the four NSTIC46 Guiding Principles (as detailed in section 1.3).47 * Administer the process for policy and standards development and adoption for the Identity Ecosystem48 Framework and, where necessary establish policies standards for the Identity Ecosystem Framework.49 * Adopt and, where necessary, establish standards for the Identity Ecosystem Framework.50 * Certify that accreditation authorities validate adherence to the requirements of the Identity Ecosystem51 Framework.52 1.1.2. Purpose. The purpose of the Steering Group shall be to develop and administer the process for53 policy and technical standards development for the Identity Ecosystem Framework. The Steering Group shall54 bring together all of the interested stakeholders, both in private and public sectors, to confirm that the Identity55 Ecosystem Framework provides a minimum baseline of privacy, security, interoperability, and ease-of-use56 through standards and policies, without creating unnecessary barriers to entry. The Steering Group shall57 facilitate the fulfillment of the NSTIC goals to develop a comprehensive Identity Ecosystem Framework; build58 and implement the Identity Ecosystem; enhance confidence and willingness to participate in the Identity59 Ecosystem; and, support the long-term success and sustainability of the Identity Ecosystem. {NIST fn4:60 Strategy, April 2011, p. 31.} ¶ The Steering Group shall not be a standards development body, but rather an61 organization that promotes the development of standards and develops policies that serve to accelerate the62 development and adoption of the Identity Ecosystem.63 1.2. Scope of Activities. The activities of the Steering Group shall be limited to achievement of the64 objectives listed in this charter. Additional activities that are not considered essential to completion of these65 objectives may be conducted when determined appropriate through Steering Group consensus. The scope of66 the Steering Group’s activities is summarized in the sections that follow.67 1.2.1. Adopt and Establish Standards. The Steering Group shall establish forums and procedures to68 review applicable standards and adopt those that support achievement of the NSTIC vision, conform to the69 Guiding Principles, and meet other established requirements. Additionally, the Steering Group will recommend70 standards be established when gaps are identified. The Steering Group shall advocate for standards to be71 established and adopted in a timely manner and be sufficient to keep pace with emerging technology and market72 trends.73 1.2.2. Develop and Maintain Policies. The Steering Group shall establish the mechanisms necessary to74 develop, implement, and maintain policies that are appropriate for use in the Identity Ecosystem and conform to75 the NSTIC Guiding Principles. The Steering Group shall support the timely development and implementation of76 policies.77 1.2.3. Develop and Maintain Processes for the Accreditation of Identity Ecosystem Entities. The78 Steering Group shall develop, foster, and implement a clear process for accrediting entities within the Identity79 Ecosystem as well as develop clear testing and certification criteria by which adherence to the recommended80 standards and policies may be measured. ¶ The Steering Group shall ensure that this accreditation process is81 applied fairly to all Identity Ecosystem participants.82 1.2.4. Develop and Maintain Identity Ecosystem Operating Procedures. The Steering Group shall83 develop, administer, and maintain Identity Ecosystem Operating Procedures to facilitate interoperability between84 and among the Identity Ecosystem participants. Operating Procedures refers to the set of policies and standards85 created by the Steering Group as accepted baseline requirements for participating in the Identity Ecosystem86 Framework.
  3. 3. 87 1.3. Adherence to the NSTIC Guiding Principles. The Identity Ecosystem Steering Group, its components, 88 and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. 89 They are: 90 * Identity solutions will be privacy-enhancing and voluntary. The Identity Ecosystem will be 91 grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the 92 creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the 93 capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the 94 Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related 95 transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity 96 Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem 97 credential nor that companies require Identity Ecosystem credentials from consumers as the only means to 98 interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the 99 credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem100 mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day101 – or even a transaction-to-transaction – choice.102 * Identity solutions will be secure and resilient. Identity solutions within the Identity Ecosystem will103 provide secure and reliable methods of electronic authentication by being grounded in technology and security104 standards that are open and collaboratively developed with auditable security processes. Credentials within the105 Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices;106 resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the107 necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely108 restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be109 capable of adapting to the dynamic nature of technology[.] <**B: Typo>110 * Identity solutions will be interoperable. Interoperability encourages and enables service providers to111 accept a wide variety of credentials and enables users to take advantage of different credentials to assert their112 identity online. Two types of interoperability are recognized in the Identity Ecosystem: there will be standardized,113 reliable credentials and identity media in widespread use in both the public and private sectors; and if an114 individual, device, or system presents a valid and appropriate credential, any qualified relying party is capable of115 accepting and verifying the credential as proof of identity and attributes.116 * Identity solutions will be cost-effective and easy to use. The Identity Ecosystem will promote117 identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of118 service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and119 relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and120 enabled by technology that requires minimal user training. {NIST fn5: Strategy, April 2011, [pp.] 25, 11-14.}121 <**Typo.>122 1.4. Operating Principles. The Steering Group shall adhere to the following four operating principles.123 1.4.1. Openness and Transparency. The work of the Steering Group, including all working groups and124 committees, shall facilitate broad participation and be publiclypublically accessible. <**D: Typo.> The Identity125 Ecosystem Steering Group shall take the following steps to provide openness and transparency in all its126 proceedings:127 * All documents, drafts, and minutes of meetings shall be posted on a publicly available Internet site.128 * All meetings of all governing bodies shall be open to public attendance and leverage virtual129 attendance options to maximize broad and public participation.130 * Technologies should be leveraged to create user-friendly and broad avenues for participation in all131 proceedings and administrative functions.132 1.4.2. Balance. The Steering Group shall strive to achieve balanced representation among all133 stakeholder groups regardless of their size, financial status, or sector alignment/affiliation.
  4. 4. 134 1.4.3. Consensus. Consensus – general agreement among members – shall be a core value of the135 Steering Group. All processes instituted by the Steering Group shall require participants to consider all views,136 proposals and objections, and endeavor to reconcile them. Although positions of leadership, such as committee137 chairs, are likely to serve as the primary drivers of consensus, all Steering Group participants must be138 (1) cooperative in the consensus process; (2) constructive; and (3) respectful when providing feedback or139 dissenting opinions. In the event that consensus cannot be reached, voting, by an established method, shall be140 used to make Steering Group decisions.141 1.4.4. Harmonization. The Steering Group shall encourage harmonization of standards and policies and142 shall always strive to recognize the impacts of policy and standards on all stakeholders in the Identity143 Ecosystem.144 1.5. Membership. Membership in the Steering Group shall be open to organizations and unaffiliated145 individuals (Members) that have an interest in the development of the Identity Ecosystem. A Member146 organization may have more than one individual within its organization participate in Steering Group activities;147 however, it shall designate only one individual as its representative for the purposes of voting in Plenary148 proceedings. ¶ A Member shall join as a Participating or Observer Member as defined below:149 * Participating Members. Participating Members are those stakeholders who actively participate in the150 Steering Group and the work of the Plenary, its Standing Committees, and Working Groups. The criteria for151 active participation such as attendance quotas or other measurable conduct shall be defined in the By-laws.152 Participating Members shall have a vote in all Plenary proceedings.153 * Observing Members. Observing Members are those stakeholders who do not meet the criteria for154 active participation, but want to maintain a presence in the Steering Group. Observing Members may still155 contribute to the work of the Plenary, its Standing Committees, and Working Groups, but they shall not be156 permitted to vote in Plenary proceedings.157 1.6. Organizational Structure. The Steering Group shall be composed of two bodies: the Identity158 Ecosystem Plenary and the Identity Ecosystem Management Council. The Plenary and the Management Council159 shall be collectively responsible for achieving the Steering Groups objectives.160 1.7. Establishment. The NSTIC, which was signed by President Obama in April 2011, called for the161 establishment of a private sector-led steering group to administer the development and adoption of the Identity162 Ecosystem Framework. The Steering Group receives its authority to operate from the active participation of its163 membership. . <**E; Typo.>164 1.7.1. Resources and Duration. The Steering Group shall be initiated with the support of NIST.165 Following the initiation period, the Steering Group will transition to a self-sustaining organization. The166 Management Council shall be responsible for managing the Steering Group’s resources and procuring services167 once the Steering Group is self-sustaining, as necessary.. <**F: Typo.>168 2. Identity Ecosystem Plenary.169 Participation in the Plenary shall be open to all Members. The primary responsibilities of the Plenary shall be to170 review and recommend technical standards for adoption establish and maintain the procedures/policies that171 govern the Identity Ecosystem, develop, and establish accountability measures to promote broad adherence to172 these procedures, and facilitate the ongoing operation of the Steering Group. The Plenary will consist of173 Standing Committees, Working Groups, and individual members. The Participating Members (as defined in174 section 1.5 and in associated By-laws) of the Plenary shall be responsible for voting on recommendations175 provided by the Standing Committees and Working Groups and will participate in elections for Management176 Council Delegates, Management Council Officers, and the Plenary Chair.177 [2.1.] 2.1.1. The Plenary Chair. <**G: Numbering typo.> The Plenary shall be headed by the Plenary Chair.178 The Chair shall be responsible for directing the actions, managing the votes, and providing general leadership to179 the Plenary. Nominees for this position shall be approved by the Nominations Committee and selected by simple180 majority vote of the Participating Members that comprise the Plenary.
  5. 5. 181 [2.2.] 2.1.2. Plenary Standing Committees. <**H: Numbering typo.> Standing Committees shall be182 responsible for addressing and coordinating ongoing/permanent issues. Standing Committees shall produce183 their own charters and voting procedures which shall be [circulated for comment to the Plenary and then]184 approved by the Management Council. <**I: Overcentralization.> Additional measures may be taken by the185 Management Council to provide balanced and experienced representation on the Standing Committees [by186 modifying the participation and voting rights in a Standing Committees charter, subject to Section 1.4.1].187 <**J: Rule hygiene.> All recommendations proposed by the Committees shall be reviewed and approved by the188 Privacy Standing Committee prior to submission to the Plenary for approval. ¶ The designated Standing189 Committees shall be:190 * Policy Coordination Committee. The Policy Coordination Committee is responsible for coordinating191 policies to facilitate and promote the establishment of the Identity Ecosystem and the rules for participation.192 <** See sec. 1.2.1.>193 * Standards Coordination Committee. The Standards Coordination Committee is responsible for194 coordinating, reviewing, and recommending the adoption of technical standards to facilitate interoperability within195 the Identity Ecosystem. <** See sec. 1.2.2.>196 * Accreditation Coordination Committee. The Accreditation Coordination Committee is responsible for197 coordinating accreditation requirements for Identity Ecosystem participants. <** See secs. 1.2.1 and 1.3 (third198 bullet).>199 * Privacy Coordination Committee. The Privacy Coordination Committee is responsible for seeing that200 other Committees’ and Working Groups’ work products adhere to the Privacy-enhancing and Voluntary Guiding201 Principle. To that end, this group should have a “gatekeeper” function; meaning no recommendations on policies,202 standards or other work products should be reviewed or approved by the Plenary unless first approved by the203 Privacy Coordination Committee. This committee should be staffed by individuals with extensive experience in204 the privacy field, and comprising a balance of viewpoints across a spectrum of experience, including advocacy205 organizations and the private sector. <** See sec. 1.3 (first bullet).>206 * Nominations Committee. The Nominations Committee is responsible for evaluating candidate207 qualifications to serve as the Chair on the Plenary and Management Council or as a Delegate (Stakeholder208 group and At-Large). Selection criteria outlined in this Charter will enable the selection of persons that can work209 for the welfare of the Identity Ecosystem as a whole, while minimizing self-interested conduct that could hinder210 the effectiveness and legitimacy of the Steering Group.211 The Management Council may establish more Standing Committees as necessary to accomplish the work of212 the Steering Group.213 2.3. 2.1.3. Plenary Working Groups. <**K: Numbering typo.> Members shall establish domain expert214 Working Groups as necessary to accomplish the work of the Steering Group. Working Groups may be proposed215 by the Plenary or the Management Council and shall be officially established by the Management Council.216 Participation in and meetings of the Plenary Working Groups shall be open to Participating and Observing217 Members; however, only Participating Members may vote on work products and recommendations. ¶ Working218 Groups shall produce their own charters and voting procedures which shall be approved by the Management219 Council. Based on their work, Working Groups may propose recommendations and work products for220 consideration by the Plenary. All recommendations proposed by the Working Groups shall be reviewed and221 approved by the Privacy Standing Committee prior to submission to the Plenary for approval. ¶ The following222 Working Groups shall be established by the Plenary and Management Council:223 * Usability and Accessibility Working Group. This working group is responsible for evaluating224 technologies and identity solutions within the Identity Ecosystem to confirm that they are easy-to-use and225 accessible for all potential users, in accordance with the NSTIC Guiding Principles. <** See sec. 1.3 (fourth226 bullet).>227 * Security Working Group. This working group is responsible for evaluating technologies and identity228 solutions within the Identity Ecosystem to confirm that they meet applicable requirements for confidentiality,229 integrity, and availability, and are capable of timely restoration after any disruption. The work of this group should
  6. 6. 230 be conducted in accordance with the NSTIC Guiding Principle for the security and resilience of identity solutions231 <** See sec. 1.3 (second bullet).>232 * International Coordination Working Group. This working group is rResponsible for reviewing and,233 where appropriate, coordinating alignment with similar international identity standards and policies.234 <**L: Typo.>235 Additional Working Groups may be established by the Management Council or the Plenary as necessary to236 accomplish the work of the Steering Group.237 3. Identity Ecosystem Management Council.238 The Management Council Management Council shall provide guidance to the Plenary on the broad objectives239 envisioned by the Strategy; produce workplans to prioritize work items and monitor progress; procure necessary240 resources; and ensure that Steering Group work activities align with the NSTIC Guiding Principles and Goals.241 All recommendations from the Plenary Working Groups and Standing Committees shall be voted on by the242 stakeholder group delegates elected to the Management Council. <**M: Rule hygiene.> The voting process will243 be structured and defined in the Steering Group By-laws established during the initial meeting of the Steering244 Group. The Management Council shall also be the final ratification authority in the Steering Group.245 <**N: Overcentralization.>246 3.1. Management Council Composition. The Management Council shall be composed of 14 delegates,247 who are elected from the stakeholder groups and two at-large delegates. The Management Council may include248 additional stakeholder groups at any time as necessary. ¶ In addition to Management Council Delegates, the249 Management Council shall have three (3) officers:250 * The Chair: This position shall provide general leadership to the Management Council; oversee votes,251 and direct meetings of the Management Council. The Chair shall be a non-voting officer.252 * The Vice-Chair: This position shall assist the Steering Group in maintaining alignment with NSTIC253 objectives and the NSTIC Guiding Principles. The Vice-Chair shall be a non-voting officer.254 * The Ombudsman: This position shall be responsible for upholding the NSTIC Guiding Principles and255 Steering Group charter, representing and advocating for consumers or other individuals and underrepresented256 groups, safeguarding against individual stakeholder groups exerting excessive influence, monitoring and257 reporting on Management Council activities, managing grievances from the Plenary, and facilitating public258 comment and citizen outreach. The Ombudsman shall be a non-voting officer.259 3.2. Management Council Selection. The Management Council Delegates and Officers shall be selected260 through the following processes:261 * Delegates: Management Council Delegates shall be selected through a general election held within262 each Stakeholder Group represented in the Plenary. The nomination of each candidate for the election will be263 approved by the Nomination Committee.264 * At-Large Delegates: The election or selection process of At-Large Delegates shall be determined by265 the Steering Group during its initial meetings, as with all Management Council Delegates nominees shall be266 approved by the Nominations Committee.267 * Chair: The Chair of the Management Council shall be selected through a general election of the Identity268 Ecosystem Plenary. The nomination of each candidate for election shall be approved by the Nominations269 Committee.270 * Vice-Chair: This position shall be filled by the Director of the NSTIC National Program Office271 * Ombudsman: This position shall be provided by the Secretariat. The criteria for selection shall be272 established by the Management Council.
  7. 7. 273 Management Council positions, selections, elections, and appointments shall be conducted in accordance274 with By-laws created by the Steering Group during its initial meetings. <**): Rule hygiene.>275 3.2.1. Delegate Selection Criteria. The Management Council Delegates (Stakeholder Group and At-276 Large) shall be selected in accordance with the following criteria:277 * Visionary Capability: Delegates shall be capable of understanding and contributing to the multi-278 disciplinary aspects of the Identity Ecosystem and the specific goals of the Strategy.279 * Team Effectiveness: Delegates shall be capable of working effectively as a team within the scope of280 the Management Council.281 * Outreach: Delegates shall be able to clearly communicate the actions of the Management Council to282 their individual Stakeholder Group to facilitate consensus building and support the work of the Steering Group.283 * Expertise: Delegates shall be recognized experts in their fields of endeavor.284 * Commitment: Delegates shall be able to commit to contribute sufficient time and effort to accomplish285 Management Council activities.286 3.2.2. Stakeholders. For the purposes of Management Council Delegate selections Members shall self-287 identify into one of the following 14 stakeholder groups:288 * Privacy & Civil Liberties. This group focuses on the protection of individuals’ privacy and civil289 liberties.290 * Usability & Human Factors. This group focuses on technologies and solutions that are usable and291 incorporate the human, cognitive, and social properties unique to the characteristics of humans.292 * Consumer Advocates. This group focuses on addressing the interests and accessibility of293 consumers and other individual end-user populations.294 * U.S. Federal Government. This group focuses on the interests of the departments and agencies that295 comprise the U.S. Federal Government. Under its various forms and component programs, the government acts296 as an identity provider, attribute provider, and relying party. This group’s Management Council Delegate will be297 responsible for advocating for the Federal Government as a Stakeholder; unlike the Vice-Chair who advocates298 on behalf of the NSTIC itself.299 * U.S. State, Local, Tribal, and Territorial Government. This group focuses on the interests of the300 various state, local, tribal, and territorial governments that exist within the U.S.301 * Research, Development & Innovation. This group focuses on research, teaching, and technology302 development in support of the Identity Ecosystem.303 * Identity & Attribute Providers. This group focuses on the processes and technologies associated304 with establishing, managing, and securing digital identities and attributes.305 * Interoperability. This group focuses on supporting interoperability within the Identity Ecosystem,306 inclusive of Trust Framework Providers and standards development organizations.307 * Information Technology (IT) Infrastructure. This group focuses on IT infrastructure relevant to the308 functioning of the Identity Ecosystem, inclusive of different types of communications and network traffic, as well309 as virtual and distributed functions that produce and provide hardware, software, and IT systems and services.310 * Regulated Industries. This group focuses on industries covered by sector-specific regulations that311 may be affected by the development of the Identity Ecosystem Framework.312 * Small Business & Entrepreneurs. This group focuses on the impact of the development of the313 Identity Ecosystem Framework on small businesses and individual business owners/operators.
  8. 8. 314 * Security. This group focuses on IT security services that support the confidentiality, integrity, and315 availability of identity solutions316 * Relying Parties. This group focuses on transaction decisions based upon receipt, validation, and317 acceptance of an entity’s authenticated credential(s) and identity attributes.318 * Unaffiliated Individuals. This group consists of any individual who does not self-identify into one of319 the other stakeholder groups.320 The Steering Group shall periodically review the list of designated stakeholder groups to confirm that it321 accurately reflects the broad array of Identity Ecosystem stakeholders and provides balanced representation for322 all parties. The Steering Group may add, modify, remove, or otherwise alter the stakeholder groups as it deems323 necessary [by amending the By-laws]. <**P: Rule hygiene.>324 4. Secretariat.325 The Secretariat shall serve as the administrative body of the Steering Group. In this role, the Secretariat shall326 manage the internal operations of the Steering Group to include human and financial resources, meeting327 coordination, communications, and material support and interaction with external organizations. The Secretariat328 shall be responsible for maintaining transparency, openness, and alignment with the Guiding Principles in all329 Steering Group operations. The Secretariat shall appoint an individual to act as the Identity Ecosystem’s330 Ombudsman.331 END OF DRAFT CHARTER PRODUCTION INFORMATION This is file "NSTICdraftCharterAugust2012comments.pdf". There is a related ASCII document "NSTICdraftCharterFebruary2012.txt" The normative February 2012 NIST Draft Charter (PDF) is here: http://www.nist.gov/nstic/reports/SG_Draft_Charter.pdf Mirrored Charter, with internal cites (HTML) is found here: http://j.mp/NSTICchtr The source text for this document and its ASCII sistyer version is the www.nstic.us mirror of NISTs draft Charter. This text reflects the original February 2012 drafts substantive content, but is marked [like this to show change proposals]. The ASCII text was cleaned up as to format, but not content, to allow for editing and regular-expression searches. jamie.clark@oasis-open.org332 PROPOSED AMENDMENTS REFLECTED IN THIS DOCUMENT333 General comment: The proposed rules should allow reconsideration of these issues, in six months. These proposals334 distinguish the few changes that may be immediately advisable. Only the three "IMMEDIATE" proposals are reflected in335 the ASCII version of this document. Where possible, proposed amendments are located in the Bylaws, not the Charter,336 which should only be the place for overriding general principles.337 Types of amendments:338 IMMEDIATE: (3): I, N, O.339 Typos (10): A, B, C, D, E, F, G, H, K. L.340 Rule hygiene / logic (4): J, M, O, P.341 Overcentralization (2): I, N.342 A. Class of amendment: Typo. Later.343 Place: Line 15. Section 1.344 Edit: Add "p." in footnote 1 before the page number "1".345 Reason: Use same page number format as in rest of footnotes.
  9. 9. 346 B. Class of amendment: Typo. Later.347 Place: Line 109. Section 1.3, second bullet point.348 Edit: Add period to end of last sentence.349 Reason: Punctuation.350 C. Class of amendment: Typo. Later.351 Place: Line 120. Section 1.3, fourth bullet point.352 Edit: Add "pp." in NISTs footnote 5 before the number "25."353 Reason: Use same page number format as in rest of footnotes.354 D. Class of amendment: Typo. Later.355 Place: Line 124. Section 1.4.1.356 Edit: Change "publically" to "publicly."357 Reason: Use same spelling for word throughout document. (Compare to line 127.)358 E. Class of amendment: Typo. Later.359 Place: Line 163. Section 1.7.360 Edit: Delete second period at end of last sentence.361 Reason: Grammar.362 F. Class of amendment: Typo. Later.363 Place: Line 167. Section 1.7.1.364 Edit: Delete second period at end of last sentence.365 Reason: Grammar.366 G. Class of amendment: Numbering typo. Later.367 Place: Line 177. Section 2.1.1.368 Edit: Renumber as "2.1".369 Reason: Section numbers are incorrectly sequenced.370 H. Class of amendment: Numbering typo. Later.371 Place: Line 181. Section 2.1.2.372 Edit: Renumber as "2.2".373 Reason: Section numbers are incorrectly sequenced.374 I. Class of amendment: IMMEDIATE; Overcentralization.375 Place: Line 183. Section 2.1.2.376 Edit: Add "circulated for comment to the Plenary and then" before the words "approved by the Management377 Council".378 Reason: NISTs draft gives too much unchecked power to the 14-voter Management Council to override the379 entire membership. In this case, charters and charter changes should be seen by the members before approval.380 J. Class of amendment: Rule hygiene. Later.381 Place: Line 186. Section 2.1.2.382 Edit: Add "by modifying the participation and voting rights in a Standing Committees charter, subject to Section383 1.4.1" after the words "on the Standing Committees".384 Reason: When ground rules (like participant balance) are changed, they should be documented somewhere385 clearly, like the committees charter, not made as a one-off fiat.386 K. Class of amendment: Numbering typo. Later.387 Place: Line 213. Section 2.1.3.388 Edit: Renumber as "2.3".389 Reason: Section numbers are incorrectly sequenced.
  10. 10. 390 L. Class of amendment: Typo. Later.391 Place: Line 233. Section 2.1.3, third bullet point.392 Edit: Decapitalize the word "Responsible".393 Reason: Grammar. Not a defined term.394 M. Class of amendment: Rule hygiene. Later.395 Place: Line 241. Section 3.396 Edit: Delete the words "stakeholder group delegates elected to the".397 Reason: Corrects ambiguity. This should not change the intended meaning, but makes it clear that the398 Management Council acts here, not a subset of it. The deleted words might be misread to suggest that the 14399 stakeholder-class delegates vote, but the two at-large members do not, on this topic.400 N. Class of amendment: IMMEDIATE. Overcentralization.401 Place: Line 243. Section 3.402 Edit: Delete the last sentence.403 Reason: The allocation of powers of the Management Council versus the committees or Plenary should be404 specifically described. This one-sentence rule that the MC is final authority over everything may undermine or405 contradict other rules. (For example, it might be read as a veto of the review power of the Privacy Standing406 Committee, at line 201-03.) It also encourages stakeholders to focus all their work and lobbying on a relatively407 small, elite panel. This might be re-visited in six months, but is too much power to take away from the rest of the408 Steering Group at the outset, if stakeholders are to take their committee and Plenary participation seriously.409 O. Class of amendment: IMMEDIATE. Rule hygiene.410 Place: Line 273. Section 3.2.411 Edit: Delete the words "during its initial meetings".412 Reason: Corrects ambiguity. The change makes it clear that Bylaws can be changed. The deleted words might413 be misread to suggest that the original Bylaws, regardless of later changes, govern this topic.414 P. Class of amendment: Rule hygiene. Later.415 Place: Line 322. Section 3.2.2.416 Edit: Add the words "by amending the By-laws" at the end of the last sentence.417 Reason: When ground rules (like stakeholder classes) are changed, they should be documented somewhere418 clearly, like the By-laws. Otherwise it is not clear how a change would be made. This is significant, because the419 balance in NISTs suggested 14 classes may be the subject of proposed amendments later.

×