...

Attribute Management is a hot topic in the Internet world today. The goal of the Attribute Management discussion group is to determine what Attribute Management actually means to Kantara Initiative (KI) stakeholders, what areas need further discussion or development, and to make recommendations for further work. The charter states:

...

Provide a high-level look at the current state of the Attribute Management space and make recommendations on where further work would provide the most value to KI stakeholders.

The purpose of this report is to fulfill that goal as defined in the charter, setting the stage for the next area of work.

Introduction

Note: the full charter of the discussion group is available online.

With a variety of government, commercial, and research initiatives around Internet Identity, the question of whether and how to create a common methodology for managing the bits of information about an entity on the Internet is in urgent need of an answer. The Kantara Initiative has sponsored a discussion group to look at the attribute management space and make recommendations on where focused effort from the Kantara Initiative might help move this space forward.
This report and its associated recommendations have been developed out of several months of reviewing and discussing the attribute space across a broad range of sectors and interests. The wiki space for the discussion group includes a repository of links to information in government, commercial industry, and higher education in the United States, Canada, Europe, and New Zealand. From that base, we have identified the following gaps and made a set of recommendations for further work.

Identifying Requirements for Attribute Management

http://kantarainitiative.org/confluence/display/AMDG/Attribute+Requirements

After several weeks of discussion and collecting information from sources across a variety of sectors, the members of the Discussion Group condensed the requirements for what is needed for Attribute Management as follows:

1. There must be a base set of attributes and associated definitions and representations available to all interested and involved parties.
2. There must be a catalog of vertical-specific attribute sets (i.e. extensions).
3. There must be a list of authoritative sources for attribute sets.
4. Individuals and service providers must have the ability to protect and share these attributes.
5. There must be coordination among the groups creating and using these attributes.
6. A framework to address privacy, trust and level of assurance of attributes is necessary.
7. There must be a process to allow for ongoing evaluation of where the attribute ecosystem stands (i.e. governance).

Gap Analysis

As the group discussed requirements, the gaps in the Attribute Management space were defined by identifying which requirements had no cohesive, supporting effort behind them. Some areas had work associated with them, but that work either addressed only a small section of the problem space or seemed to be proceeding in a vacuum. The list below highlights the significant gaps and the efforts (if any) that start to fill them.

The attribute space - Areas of interest, summary of efforts, categorization of gaps

Definition: Identity Attribute

Information bound to a subject identity that specifies a characteristic of the subject. – Derived from the ITU-T X.1252 definition of "attribute"

Common core business activity (and matching process) sets

Discussions around attribute management extend into specific industry classifications and activity classifications. More work is needed, however, to find the bridge between industry and activity and to look at classification at the process level. For interoperability, we need an agreed taxonomy and semantics for these process patterns just as much as we need agreement on the sets of attributes that are managed deep inside these generic processes.

Example:

While Enterprise Architecture Frameworks like the US FEAF (and the Australian and NZ EAFs are based on the US FEAF) segment down to Services and Functions, there is no work (known to me) going on to standardise the terms to describe generic business process patterns. For example, in the NZ govt Internal Affairs Dept, if you look across our services, you can distil the process patterns supporting those services down to: Grant, Register, Monitor, Advise, Enforce, Legislate, Collect.

Each of these functional process patterns contains sub-sets and super-sets of attributes.

Efforts in this space:

  • SEMIC.EU was a starter project but closed in 2009; it has since been largely superseded by ISA

Common Semantics and terminology

A common, accepted list of attributes and associated definitions is currently not achievable in its entirety. The goal of publishing code lists and their meanings to a public directory should, however, be possible. Local profiles need to be published to a central URN/URL namespace repository so that other parties and metadata interoperating with the attribute provider can retrieve the applicable 'set'.

Consider a common set of 'attributes of an attribute': the properties of an attribute (e.g. unique, authoritative or self-reported, time since verified, last time changed, last time accessed, last time consented) that would be released alongside it and provide an audit trail.

The local definition of attributes in any given global schema, and the interpretation of metadata and trust frameworks, together create a space in which it is very difficult to share information that will meet the expectations of relying parties.

Efforts in this space:

Context

Perhaps a subset of Semantics and Terminology, the question of context is significant in its own right. From an electronic identity perspective, what information is expressed about an individual will almost certainly vary according to the context in which it is requested or presented. An identity is expressed differently with different attributes under different contexts. Different contexts may include:

  • individual as citizen
  • individual as social group member
  • individual as employee
  • individual as researcher, student, or faculty

How should attributes be categorized or expressed in different contexts? Is this a question that can be rolled in to the questions around Attribute Semantics? Governance? Schema? It overlaps all of the above.

Efforts in this space:

  • none known

Common language - Schema and Metadata

Attribute metadata is another aspect of attribute management concerning the exchange of attributes. What is needed is agreement on the semantics of that metadata. SAML has some metadata for attributes, but much more will be needed as attribute interoperability continues to grow. We will need registries for attribute sets and categorization (in the manner of IANA), agreement about the semantics, and mappings between sets of attributes having differing semantics.

Efforts in this space:

Higher Education

Health Care

  • ISO 21091:2011 Health Care LDAP schema

Commercial

Government

Query Language

With no standard, normative query language, there is no way to ask a broad set of identity providers anything about the entities they are authoritative for. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?" the attribute space has no answer.

Efforts in this space:

  • OpenID Connect
  • Could the SAML Attribute Query be profiled to do this?
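The following is an added example, not code from the Kantara report or from any of the efforts it lists. It sketches what "profiling the SAML Attribute Query" for the legal-age question could look like: the service provider asks one identity provider for a single derived attribute (an over-18 flag, so the date of birth itself is never released), and then applies the checks a profile would have to mandate on the response before the answer can be trusted. The attribute name `urn:example:attribute:ageOver18`, the entity IDs and the sample response are assumptions constructed for illustration; XML signature verification is assumed to have been done by the transport or a signature library and is not shown.

```python
"""Added example (not from the report): a SAML 2.0 AttributeQuery profiled to
ask a yes/no attribute question, plus the relying party's response checks."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed attribute name: a derived flag, so the IdP can answer "over 18?"
# without releasing the date of birth. Not a standardised name.
AGE_ATTR = "urn:example:attribute:ageOver18"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(s):
    """Parse a SAML UTC timestamp ('2012-06-01T12:00:00Z') to an aware datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def build_attribute_query(query_id, issuer, subject_name_id, issue_instant):
    """Serialize a <samlp:AttributeQuery> that asks for AGE_ATTR and nothing else."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": query_id, "Version": "2.0",
        "IssueInstant": issue_instant.strftime(TS_FMT)})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    }).text = subject_name_id
    ET.SubElement(q, f"{{{SAML}}}Attribute", {
        "Name": AGE_ATTR,
        "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return ET.tostring(q, encoding="unicode")


def parse_age_response(xml_text, expected_audience, now):
    """Return True/False for the over-18 question, or None if the response
    cannot be relied on: non-success status, assertion outside its validity
    window, wrong audience, or the IdP simply did not answer.
    Assumption: the XML signature has already been verified upstream."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < ts(not_before):
            return None
        if not_on_or_after and now >= ts(not_on_or_after):
            return None
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            return None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AGE_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text is not None:
                return value.text.strip().lower() == "true"
    return None  # the IdP did not answer the question


# Constructed sample response from a hypothetical IdP (not captured traffic).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z" InResponseTo="_q1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2012-06-01T11:55:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AGE_ATTR}">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_attribute_query("_q1", "https://sp.example.com", "abc123",
                                ts("2012-06-01T12:00:00Z")))
    print(parse_age_response(SAMPLE_RESPONSE, "https://sp.example.com",
                             ts("2012-06-01T12:00:00Z")))
```

The point of the example is the gap the paragraph describes: nothing in SAML itself fixes the attribute name, the value encoding ("true" here is a convention), or which of the validity checks an IdP must support, so every relying party would have to agree those per profile before the same question could be sent to "dozens of identity providers across the globe".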

Protocols

How do you move attributes around?

Efforts in this space:

  • SAML
  • OAuth

Trust frameworks

Quite a bit of work has gone into Identity Assurance, with different levels of assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction. How a cohesive Trust Framework can handle information at the attribute level is still an open question and will be a critical component of attribute management.
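As an added example (not from the report or any Kantara deliverable), the following Python models three ideas from the preceding sections together: the 'attributes of an attribute' from the Semantics section (authoritative versus self-reported source, time since verified, last changed, last accessed, consent), a relying party choosing between a subject's mixed self-asserted and proofed attributes according to the context of the transaction, and an audit trail for each release decision. The field names, the two contexts, the five-year verification threshold and the sample attribute instances are all assumptions for illustration.

```python
"""Added example (not from the report): attribute instances carrying their own
provenance metadata, and a context-dependent release decision with audit."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(s):
    """Parse '2013-01-01T00:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


@dataclass
class AttributeInstance:
    """One assertion of an attribute value plus its 'attributes of an attribute'."""
    name: str
    value: str
    source: str                      # "authoritative" or "self-reported" (assumed vocabulary)
    issuer: str                      # who asserted it
    verified_at: Optional[datetime]  # None if never proofed
    changed_at: datetime
    consented_for: set = field(default_factory=set)  # audiences the subject consented to
    accessed_at: Optional[datetime] = None


@dataclass
class ReleasePolicy:
    """What a relying party requires in a given context (assumed thresholds)."""
    context: str
    require_authoritative: bool
    max_verification_age: Optional[timedelta]


POLICIES = {
    "social_forum": ReleasePolicy("social_forum", False, None),
    "financial": ReleasePolicy("financial", True, timedelta(days=5 * 365)),
}


def acceptable(attr, policy, now):
    """Does this instance meet the context's assurance requirements?"""
    if policy.require_authoritative and attr.source != "authoritative":
        return False
    if policy.max_verification_age is not None:
        if attr.verified_at is None or now - attr.verified_at > policy.max_verification_age:
            return False
    return True


def release(attrs, name, audience, context, now, audit):
    """Choose the best consented instance of `name` for `audience` under the
    policy for `context`, record the decision in `audit`, and return the chosen
    instance (or None when nothing acceptable can be released)."""
    policy = POLICIES[context]
    candidates = [a for a in attrs if a.name == name and audience in a.consented_for]
    ok = [a for a in candidates if acceptable(a, policy, now)]
    floor = datetime.min.replace(tzinfo=timezone.utc)
    # Prefer authoritative sources, then the most recently verified instance.
    ok.sort(key=lambda a: (a.source == "authoritative", a.verified_at or floor), reverse=True)
    record = {"attribute": name, "audience": audience, "context": context, "at": now}
    if not ok:
        record.update(released=False,
                      reason="no consented instance meets policy" if candidates
                      else "no instance consented for this audience")
        audit.append(record)
        return None
    chosen = ok[0]
    chosen.accessed_at = now
    record.update(released=True, source=chosen.source, issuer=chosen.issuer,
                  verified_at=chosen.verified_at, changed_at=chosen.changed_at)
    audit.append(record)
    return chosen


def sample_attributes():
    """Constructed sample: the same date of birth asserted twice, once by the
    subject and once by a hypothetical passport authority."""
    return [
        AttributeInstance("dateOfBirth", "1990-05-04", "self-reported", "subject",
                          None, ts("2012-03-01T00:00:00Z"),
                          {"https://forum.example", "https://bank.example"}),
        AttributeInstance("dateOfBirth", "1990-05-04", "authoritative",
                          "https://passports.example.govt",
                          ts("2011-01-15T00:00:00Z"), ts("2011-01-15T00:00:00Z"),
                          {"https://bank.example"}),
    ]


if __name__ == "__main__":
    audit, attrs, now = [], sample_attributes(), ts("2013-01-01T00:00:00Z")
    release(attrs, "dateOfBirth", "https://forum.example", "social_forum", now, audit)
    release(attrs, "dateOfBirth", "https://bank.example", "financial", now, audit)
    for entry in audit:
        print(entry)
```

Note that the forum receives the self-reported value not because it is best but because it is the only instance the subject consented to release to that audience; the bank's financial context rejects the self-reported instance and accepts the proofed one only while its verification is recent enough. Both outcomes, and a refusal, land in the audit trail with the provenance fields the Semantics section lists.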

Efforts in this space:

Consent

The legal definition and implementation of consent is reaching a stable point in the EU. That said, there is still some concern that implementing consent in the federation space remains problematic. Consent needs to be 'designed in', either in band or as a service, but implemented in a standardized way so that users get a consistent experience.

Efforts in this space:

Governance

A driver for the exploration of attribute management is the growing economy behind the mining and exchange of attribute information. We see here the overlap of financial reward and privacy regulation; overlaps such as this generally see the creation of some kind of governance model. That governance may be formal regulation, it may be accepted industry standards groups, or some other model.

Recommendations

Governance

Different sectors of society and industry are looking at what governance is necessary in the world of Internet Identity and the attribute economy. Each group, however, has a fairly narrow view of how governance is required in its particular sector. Having a group that could look at the bigger picture and provide a neutral bridge between different efforts may be a space that Kantara could fill. In particular, there is a need to provide Levels of Assurance for attributes. Kantara has experience in providing and vetting an LoA framework for identity; can that be expanded into providing LoA for attributes?

  • Recommendation: Create a Kantara Discussion Group to conduct an environmental survey of groups and activities in attribute management space (there are dozens at least) and create a cohesive index and description of where they fit in the attribute management space, where they are orthogonal or overlapping (this should be a prerequisite to the attribute LoA work)
  • Recommendation: Create a Kantara Working Group to establish an LoA program and associated criteria for attributes

Context

The question of context and how different contexts may modify information in and about an attribute overlaps many focus areas for attribute management. From governance to technology, this is a rich space that urgently needs understanding and direction. With a stronger understanding and implementation of the idea of context, the questions of automatically identifying risk and liability may be answered.

  • Recommendation: Create a Kantara Discussion Group to describe what contexts might be and how they might be used, characterizing them and registering/exposing them.

Query Language

While the need for a query language that could handle multiple schemas and protocols is identified as a gap by this discussion group, closing that gap was determined to be outside the mandate and expertise of the Kantara Initiative. This area should be left to other organizations, such as OASIS or the W3C.

Attributes

There needs to be effort around the normalization of a base identity attribute set. While we see some work going on in the SCIM and OIX-AX arenas, work is needed to bridge those and any other efforts together into a cohesive attribute set. While this document takes a high-level, broad look at the attribute management space, finding information on all the activities and common definitions in this space at any detailed level was impossible. The repository of information put together by the Attribute Management Discussion Group is a start, but pulling together a more granular document should be a fundamental requirement for further work by Kantara. The general consensus is that it is better to take the time to find where work is going on than to duplicate effort.

Efforts in this space:

  • Kantara Initiative Attribute Management Discussion Group