...
1. There must be a base set of attributes and associated definitions and representations available to all interested and involved parties.
2. There must be a catalog of vertical specific attribute sets (i.e. extensions).
3. There must be a list of authoritative sources for attribute sets.
4. Individuals and service providers must have the ability to protect and share these attributes.
5. There must be coordination among the bodies working on and the initiatives underway on entity attributes as well as of the groups creating and using these attributes.
6. A framework to address privacy, trust and level of confidence/assurance of attributes is necessary.
7. There must be a process to allow for ongoing evaluation of where the attribute ecosystem stands (i.e. governance)
...
- InCommon Federation site regarding the Categorization of attributes
- CHECK: Finland again?
- Relevant??: The Finnish attribute profile: http://www.suomi.fi/suomifi/tyohuone/yhteiset_palvelut/verkkotunnistaminen_ja_-maksaminen_vetuma/tekninen_rajapinta/finnish_attribute_profile/FinnishAttributeProfile20110221.pdf
- UK government Data standards http://interim.cabinetoffice.gov.uk/govtalk/schemasstandards/e-gif/datastandards.aspx
- An emerging effort is the ISOC initiative 'Moving forward with an Internet Attribute Infrastructure', that spawned from the main gap identified in the 2011 workshop 'Mapping the Identity Ecosystem' ( http://tid.isoc.org/trac/ideco )
Context
Perhaps a subset of Semantics and Terminology, the question of context is significant in its own right. From an electronic identity perspective, what information is expressed about an individual will almost certainly vary according to the context in which it is requested or presented. An identity is expressed differently with different attributes under different contexts.
...
With regard to attribute management and governance in Trust Frameworks, quite a bit of work has gone into the Identity Confidence/Assurance aspect, with different levels of confidence/assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress . An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction. The question of how a cohesive Trust Framework could handle information at the attribute level is still an open question and will be a critical component of attribute management. The complexity of attribute management is multiplied many times in the case of inter-federation. Trust framework governance becomes a critical dependency for cohesive attribute management.
The notion of levels of assurance applying to attributes has been recently challenged (see http://blog.idmanagement.gov/2012/03/to-loa-or-not-to-loa-for-attributes-not.html ) since the measure of confidence/level of confidence one can have in an attribute (and how that is determined) is likely to be different than the generally understood notion of Level of Assurance which derived form the context of OMB -04-04 and NSIT SP-800-63. Work needs to be done to resolve any further confusion or misunderstanding through defining the components that constitute this 'LoC', and to confirm the need to differentiate this context from the context of identity proofing and credential strength that is applied to 'LoA' of identity.
Efforts in this space:
- OIX Attribute Working Group
- Kantara's Business Cases for Trust Frameworks: http://kantarainitiative.org/confluence/display/bctf/Home
- ProtectNetwork: www.protectnetwork.org
...