Hi team,

Thought it may be helpful to share the notes from Group 1's discussion.

* We lose a lot in Rec 1, is that OK? most of what we lose is tied to the accreditation authority but each of us should review and think about it
* Is the authentication referenced in 1.2 the same as cred-level authentication in 1.1? it should be clear somewhere (glossary?).
* What does authentication get you? you can have a login with nothing else, or you can also be authenticated as part of a user group (nested tiers)
* Unsure how much this group needs to define what the authenticating body criteria are but like the idea of moving 1.4 up to Policy
* Can we reference existing authentication pathways
  o credential-level exists (RDRS), and there's the e-evidence thing that authenticates LEA - are they one of the designated user groups here or is it a separate thing?
* What do we need to say with authorization?
  o confirmation that authentication does not equal authorization - can go in context of the rec and in the glossary
  o could include broader definitions - "system credentials" (login) and the "authentication"
* Needs to be some way to impose consequences - part of the acceptable use process
* Discussed why we are prioritizing LEA for authentication first - partly because of GAC and Board request but partly BC the LEA requests can be the most fraught / have the most consequences to getting it wrong. Also because that lets us close the loop on Urgent requests
  o Maybe remove "beginning with law enforcement." from 1.2 to allow for if other groups are ready to go, or to remove consideration of which LEA/how extensive it needs to be (when can it move on to other user groups? if LEA has to be "finished" what does that mean?).
  o however noting that this is referring to RDRS SC language we also don't want to mess with so maybe we take out the RDRS SC reference entirely and put that into the rationale and just recommend that we allow specific user groups to authenticate - you can become a Designated User Group (DUG) by meeting these criteria
* Security - should be incorporated to both system creds and group creds

--
*Sarah Wyld, CIPP/E*
Pronouns: she/they
Head, Policy & Privacy
Tucows
#MakingTheInternetBetter
swyld@tucows.com