This report and associated recommendations have been developed out of several months of reviewing and discussing the attribute space across a broad range of sectors and interests. The wiki space for the discussion group includes a repository of links to information in government, commercial industry, and higher education in the United States, Canada, Europe, and New Zealand. From that base of information we have identified the following gaps and made a set of recommendations for further work.

Identifying Requirements for Attribute Management

http://kantarainitiative.org/confluence/display/AMDG/Attribute+Requirements

The members of the Discussion Group condensed the requirements of what is needed for Attribute Management as follows:

1. There must be a base set of attributes and associated definitions and representations available to all interested and involved parties.
2. There must be a catalog of vertical-specific attribute sets (i.e. extensions).
3. There must be a list of authoritative sources for attribute sets.
4. Individuals and service providers must have the ability to protect and share these attributes.
5. There must be coordination among the bodies and initiatives working on entity attributes, as well as among the groups creating and using those attributes.
6. A framework to address privacy, trust and level of confidence/assurance of attributes is necessary.
7. There must be a process to allow for ongoing evaluation of where the attribute ecosystem stands (i.e. governance).

Gap Analysis

As the group discussed requirements, identifying where those requirements had no cohesive, supporting effort behind them guided the definition and prioritization of gaps in the Attribute Management space. Some areas had limited work associated with them, but the effort behind that work either addressed only a small section of the problem space or seemed to be working in a vacuum. The list below highlights the major gaps and what work, if any, is happening in that area.


  • Definitions in the Attribute Space
  • Identification of common core business activity (and matching process) sets
  • Establishing common semantics and terminology
  • Identification and definition of contexts
  • Agreement on a common language - Schema and Metadata
  • Agreement on a standard query Language
  • Interoperability between protocols
  • Trust frameworks
  • Defining and implementing consent
  • Governance around use of attributes

The following elaborates each of these gaps including the work, if any, that Discussion Group members were aware was happening in the area.

Gap #1: Terminology in the attribute space

Definition: Identity Attribute

Information bound to a subject identity that specifies a characteristic of the subject. – Derived from the ITU-T X.1252 definition of "attribute"

Gap #3: Normalization and categorization of identity attributes

A common, accepted list of attributes and associated definitions is currently not achievable in its entirety. The goal, however, of publishing code lists and their meanings to a public directory should be possible. Local profiles need to be published to a central URN/URL namespace repository so that other parties, and the metadata, interoperating with the attribute provider can obtain the applicable 'set'.

Gap #6

With no standard/normative query language, there is no way to ask a broad set of identity providers anything about the entities they are authoritative for. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?" the attribute space has no answer.

Efforts in this space:

  • OpenID Connect
  • SAML Attribute Query (profiled)?

Interoperability between protocols

The protocol space around attributes is comparatively stable. Protocols such as SAML and OAuth are in broad use and fairly well understood. PKI certificates and web services also have strong community support and understanding. What is missing, however, is better guidance on how exactly to use those protocols to carry attributes and their associated metadata in a secure and interoperable fashion. In particular, how to use these protocols in the mobile device market is an issue. In addition, a means is needed to ask a broad set of identity providers anything about the identities for which they are authoritative. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?" the attribute space has no answer.


Efforts in this space:

  • SAML
  • SAML Attribute Query (profiled)?
  • OAuth
  • PKI certificates
  • OASIS Web Services over SOAP
  • OpenID Connect
  • SCIM

Gap #7: Trust frameworks

With regard to attribute management and governance in Trust Frameworks, quite a bit of work has gone into the Identity Confidence/Assurance aspect: different levels of confidence/assurance certifications are described by different standards bodies, auditors have been trained, and a general understanding of the concept is shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could be described by a mix of self-asserted and proofed attributes, and a consumer of those attributes should be able to choose which attribute to use depending on the context of the activity or transaction. How a cohesive Trust Framework could handle information at the attribute level is still an open question and will be a critical component of attribute management. The complexity of attribute management is multiplied many times in the case of inter-federation. Trust framework governance therefore becomes a critical dependency for cohesive attribute management.

The notion of levels of assurance applying to attributes has recently been challenged (see http://blog.idmanagement.gov/2012/03/to-loa-or-not-to-loa-for-attributes-not.html ), since the measure of confidence one can have in an attribute (and how that confidence is determined) is likely to differ from the generally understood notion of Level of Assurance, which derives from the context of OMB M-04-04 and NIST SP 800-63. Work needs to be done to resolve further confusion or misunderstanding by defining the components that constitute this 'LoC' (level of confidence), and to confirm the need to differentiate it from the identity proofing and credential strength that determine the 'LoA' of an identity.

Efforts in this space:

Gap #8: Defining and implementing consent

The legal definition and implementation of consent is reaching a stable point in the EU. That said, there is still some concern that implementing consent in the federation space remains problematic. Consent management will undoubtedly involve consent-related attributes and attribute sets in the consent process. Consent needs to be 'designed in', either in-band or as a service, but implemented in a standardized way so that users get a consistent experience.

Efforts in this space:

Gap #9: Governance around use of attributes

A driver for the exploration of attribute management is the growing economy behind the mining and exchange of attribute information. Here financial reward and privacy regulation overlap, and overlaps such as this generally lead to the creation of some kind of governance model. That governance may be formal regulation, accepted industry standards groups, or some other model. Different sectors of society and industry are looking at what governance is necessary in the world of Internet Identity and the attribute economy. Each group, however, has a fairly narrow view of what governance is required in its particular sector.

Efforts in this space:
