EU data protection and Passport
January 30th, 2003 by jiri
A new EU working document on Passport is here (thanks to Scott Loftesness for the link).
And I think it is groundbreaking stuff. But not exactly because of the Microsoft-specific stuff.
Most of its content applies to any authentication service, including for example the UK’s Government Gateway. As far as I know, this is the first time any of the European data protection authorities has created something meaningful that deals with the technical design and implementation aspects of privacy instead of the usual motivational stuff. So if you are interested in reading a detailed 15-page-long specification of issues to be covered by public authentication services so that they provide what amounts to a good degree of data protection/privacy, you cannot do worse than reading the document.



Now to the Microsoft aspects of the document. I must admit that the last time I thought Passport was already compliant with European data protection law, I was wrong. The changes Microsoft promises to make to the authentication service to make it compliant are anything but trivial. On the other hand, no such clear specification of requirements existed before, so it was hard for anyone to comply…
Oh, and I almost forgot. If you are not familiar with what most of the DP “requirements” normally look like, read the part of the document that is devoted to Liberty Alliance.