Comment: Minor edits throughout; change "entity" to "identity" and "Attributes Management" to "Attribute Management"

...

See also others in the Repository: Current Industry Efforts

Gap #6: Interoperability between protocols

The protocol space around attributes is comparatively stable. Protocols such as SAML and OAuth (and the related OpenID Connect and User Managed Access (UMA)) are in use and fairly well understood, even if they are still evolving. PKI certificates and web services also have strong community support and understanding. What is missing, however, is better guidance on how exactly to use those protocols to carry attributes and their associated metadata in an interoperable (and secure) fashion; how to use them in the mobile device context is a particular open issue. A means is needed to ask a broad set of identity providers about the wide range of attributes that exist for the identities for which they are authoritative or trusted. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?", the attribute space has no easy path to accomplish this.

Efforts in this space:

  • SAML
  • SAML Attribute Query
  • OAuth
  • PKI certificates
  • OASIS Web Services over SOAP
  • OpenID Connect
  • SCIM 
  • United States Federal Identity, Credential, and Access Management (FICAM) profiles

...

With regard to attribute management and governance in trust frameworks, substantial work has gone into identity confidence/assurance. Different levels of confidence/assurance and their associated certifications are described by different accreditation and standards organizations. Auditors have been trained and are at work across these organizations, but this work does not fully address the accreditation needs around attribute management. Finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual can be described by a mix of self-asserted, derived and proofed attributes; a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction, and should know how the attribute was established. How a cohesive trust framework handles confidence at the federated attribute level (perhaps outside of higher education) is still an open question, and this gap is a critical missing component of attribute management in practice. Its complexity is multiplied many times in an inter-federation context. Trust framework governance is therefore a critical dependency for cohesive attribute management, and it is a challenge today across identity and attribute providers.

The notion of levels of assurance applying to attributes has recently been challenged (see http://blog.idmanagement.gov/2012/03/to-loa-or-not-to-loa-for-attributes-not.html ), and as a result the DG has also adopted the term level of confidence (LoC). The measure of confidence one can have in an attribute (and how that measure is determined) is likely to differ from the generally understood notion of Level of Assurance (LoA), which derives from OMB M-04-04 and NIST SP 800-63-1. Work is needed to resolve further confusion or misunderstanding by defining the components that constitute this LoC, and to compare and contrast it with the identity proofing and credential strength that currently determine the LoA of an identity.
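As an added illustration of Gap #6 (the same attribute arriving over SAML and over OpenID Connect) and of the open question above (a relying party choosing an attribute by how it was established), the following Python is not from the Kantara group or from any of the listed efforts. It assumes a constructed trust registry that records how each issuer establishes each attribute, a constructed SAML attribute name `urn:example:attribute:dateOfBirth`, and constructed sample messages; `birthdate` is the standard OpenID Connect claim name, and the SAML 2.0 assertion namespace is the real one. Signature verification of the assertion and of the ID token is assumed to have happened before these functions run.

```python
"""Normalise a SAML 2.0 AttributeStatement and an OpenID Connect claim set into one
relying-party attribute record with provenance metadata, then answer
"is this person of legal age?" at a required level of confidence.
Added example; registry, SAML attribute URN and sample messages are constructed."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Levels of confidence, weakest to strongest, using the terms from the text.
CONFIDENCE_RANK = {"self-asserted": 0, "derived": 1, "proofed": 2}

# Constructed trust registry: how each issuer is known to establish each attribute.
# In practice this knowledge has to come from a trust framework, which is the gap.
TRUST_REGISTRY = {
    "https://idp.example.edu": {"birthdate": "proofed"},
    "https://social.example.com": {"birthdate": "self-asserted"},
}

# Protocol-specific attribute names mapped onto the relying party's vocabulary.
# "birthdate" is the standard OIDC claim; the SAML URN is constructed for this example.
NAME_MAP = {"urn:example:attribute:dateOfBirth": "birthdate", "birthdate": "birthdate"}


@dataclass(frozen=True)
class Attribute:
    issuer: str
    name: str        # relying-party vocabulary, e.g. "birthdate"
    value: str
    confidence: str  # a key of CONFIDENCE_RANK


def confidence_for(issuer, name):
    # An issuer the registry does not know is treated as merely self-asserting.
    return TRUST_REGISTRY.get(issuer, {}).get(name, "self-asserted")


def from_saml(assertion_xml):
    """Attributes from a SAML AttributeStatement (assertion assumed already verified)."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    found = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = NAME_MAP.get(attr.get("Name"))
        if name is None:
            continue  # an attribute the relying party has no vocabulary for
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            found.append(Attribute(issuer, name, (val.text or "").strip(),
                                   confidence_for(issuer, name)))
    return found


def from_oidc(claims_json):
    """Attributes from an ID token payload (JWT signature assumed already verified)."""
    claims = json.loads(claims_json)
    issuer = claims["iss"]
    return [Attribute(issuer, NAME_MAP[k], str(v), confidence_for(issuer, NAME_MAP[k]))
            for k, v in claims.items() if k in NAME_MAP]


def age_on(birthdate, today):
    born = date.fromisoformat(birthdate)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def is_of_legal_age(attributes, minimum_age, required_confidence, today):
    """(answer, issuer) from the first birthdate that meets the required confidence.
    answer is None when no acceptable source exists: "no answer" is not "no"."""
    need = CONFIDENCE_RANK[required_confidence]
    for a in attributes:
        if a.name == "birthdate" and CONFIDENCE_RANK[a.confidence] >= need:
            return age_on(a.value, today) >= minimum_age, a.issuer
    return None, None


# Constructed sample messages and a fixed reference date for reproducible results.
SAMPLE_SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_c1">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:attribute:dateOfBirth">
      <saml:AttributeValue>2001-05-10</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_OIDC_CLAIMS = '{"iss": "https://social.example.com", "sub": "24400320", "birthdate": "2010-01-01"}'
REFERENCE_DATE = date(2024, 1, 1)


def legal_age_demo():
    """The same question asked at different required levels of confidence."""
    attrs = from_oidc(SAMPLE_OIDC_CLAIMS) + from_saml(SAMPLE_SAML_ASSERTION)
    return {
        "proofed": is_of_legal_age(attrs, 18, "proofed", REFERENCE_DATE),
        "self-asserted": is_of_legal_age(attrs, 18, "self-asserted", REFERENCE_DATE),
        "oidc-only-proofed": is_of_legal_age(from_oidc(SAMPLE_OIDC_CLAIMS), 18, "proofed", REFERENCE_DATE),
    }
```

Run `legal_age_demo()`: requiring a proofed birthdate, the answer is "yes" and comes from the university IdP; accepting self-asserted data, the first source consulted (the social provider) answers "no"; with only the social provider available and a proofed value required, the relying party gets no answer at all, which it must treat differently from "no". The point of the registry being hard-coded is exactly the gap the text describes: nothing in either protocol tells the relying party how the issuer established the attribute.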

Efforts in this space:

Gap #8: Defining and implementing consent

The legal definition and implementation of consent is reaching a stable point in the EU. That said, there is still some concern that implementing consent in the federation space remains problematic. Consent management will undoubtedly involve consent-related attributes and attribute sets in the consent process. Consent needs to be 'designed in', either in band or as a service, but implemented in a standardized way so that users get a consistent experience. Consent is also important when examining the use of attributes.

...

Gap #9: Governance around use of attributes

A driver for the exploration of attribute management is the growing economy behind the mining and exchange of attribute information. Here financial reward intersects with privacy regulation, and situations such as this generally see the creation of some kind of governance model. That governance may be formal regulation, accepted industry standards groups, or some other model. Different sectors of society and industry are looking at what governance is necessary in the world of Internet identity and the attribute economy. Each group, however, has a fairly narrow view of what governance is required in its particular sector. The definition of governance needs to identify the extent to which consent is required.

...

Recommendations

Recommendation #1: Defining Contexts

...

There needs to be effort around understanding how identity attributes will be used by Relying Parties, and the criteria that need to be in place for Relying Parties to trust the identity attributes, or sets of identity attributes, they receive. An understanding of these needs will drive the definition of the mechanisms that will need to exist to provide assurances about an identity attribute or a set of identity attributes.

  • Recommendation: Creation of a Kantara Attribute Management Working Group, or continuation of the existing Discussion Group (rechartered), to work across industry organizations and sectors. Work to establish a means of expressing relying party needs with respect to a level of confidence in an identity attribute, or a set of identity attributes.

Recommendation #3: Definitions and general coordination

...