Assurance

["Michael R. Gettes" <>]

Kind people,

Ann and I had a lengthy phone conversation today.  I'm sure she would never 
admit to it.  :-)

I have long held the IAP and IAAF are good documents (especially where 1.2 is 
ending up) but
there is a fundamental flaw in the documents in that they do not sufficiently 
explain the
thinking leading up to what is in the documents.  I have had lengthy 
discussions with the
team who did silver and I have been peripherally involved in the process of 
these documents
from the beginning and I do appreciate why they have not documented their 
deliberations.
I don't think we should get into their reasoning and so on at this time but I 
do think we
need some companion "documentation" to the IAAF and IAP to help people think 
through the
meaning behind the items in these documents which in turn will lead to 
implementations of
bronze and silver.

So, here is the idea.  The community (this group) should have a series of 
discussions and
document those discussions to come to a common understanding of minimal 
perspectives to help
others with this process - cuz these documents are complicated.  For example, 
the issues raised
today regarding identity proofing and data involved by RA/CSP and retention.  
There are multiple
sections of the document where all this relates and we should have some 
explanation of the
relationship and issues at play for public versus private institutions and 
other gotchas or
cautions.  We could do this on our conference calls (which I think we would 
need to have much
more often in order to achieve this work in a reasonable time frame) and 
hopefully with a little
documentation of who attended the call and what was discussed on the call and 
a collaborative
edit of the call minutes we could achieve what is being suggested here.  Once 
we tackle proofing
we could move on to other aspects of assurance - physical controls, blah blah 
etc.

The real advantage of doing it this way is we don't need permission from 
anyone as it is a
community activity.  No real legal implications because we are just 
documenting discussions
and not providing any official advice saying "do things this way".  And, we 
help the
community do federation better and make InCommon more useful to us all.

Now the challenge… how do we determine this is a good idea and then execute 
it?

What say you?  Don't be bashful, speak up!

/mrg