...

The goal of the Attribute Management Discussion Group is to determine what Attribute Management means to Kantara Initiative (KI) stakeholders, what areas need further discussion or development, and to make recommendations regarding where and how the Kantara Initiative should contribute to efforts in this space.

...

Note: the full charter of the Discussion Group is available online.

With a variety of government, commercial, and research initiatives around Internet Identity, the questions of whether and how to create a common methodology for managing the bits of information about an entity on the Internet need answers. The Kantara Initiative has sponsored a Discussion Group to look at the attribute management space and make recommendations on where focused effort from the Kantara Initiative might help move this space forward. While attributes can apply to both individuals and devices, the work here is focused on human (identity) attributes.

This report and associated recommendations have been developed out of several months of reviewing and discussing the attribute space across a broad range of sectors and interests. The wiki space for the Discussion Group includes a repository of links to information in government, commercial industry, and higher education in the United States, Canada, Europe, and New Zealand. From that base of information we have identified the following gaps and made a set of recommendations for further work.

...

During its work, the Discussion Group identified areas that it believed had no cohesive, supporting effort behind them. Analysis of these areas identified the following gaps in the Attribute Management space:

...


It should be noted that Identity Attributes are part of, but not necessarily the complete set of, the Attributes associated with a subject or individual. Each Identity Proofing process needs to establish the set of Identity Attributes it deems necessary and sufficient to infer, with a level of assurance, who an individual is (i.e., the identity of the individual) based upon the risk / consequences of being incorrect. The Discussion Group agreed to use the above as a working definition, but there was enough discussion and confusion regarding whether or not this was sufficient to make this the first identified gap in the Attribute Management space.

...

Gap #3: Normalization and categorization of identity attributes

...

Gap #5: Agreeing to a common language - Schema and Metadata

...

The legal definition and implementation around consent is reaching a stable point in the EU. That said, there is some concern that implementing consent in the federation space is still problematic. Consent management will undoubtedly involve consent-related attributes and attribute sets in the consent process. Consent needs to be 'designed in', either in-band or as a service, but implemented in a standardized way so that the user experience is consistent. It is also important when examining the use of attributes.

Efforts in this space:

Gap #9: Governance around use of attributes

A driver for the exploration of attribute management is the growing economy behind the mining and exchange of attribute information. We see here the overlap of financial reward and privacy regulation; overlaps such as this generally see the creation of some kind of governance model. That governance may be formal regulation, it may be accepted industry standards groups, or some other model. Different sectors of society and industry are looking at what governance is necessary in the world of Internet Identity and the attribute economy. Each group, however, has a fairly narrow view of how governance is required in their particular sector. The definition of governance needs to identify the extent to which consent is required.

Efforts in this space:

...

One of the common themes found throughout the gaps identified in the attribute management space involved context. Everything from the definition of "identity attribute" to defining appropriate trust frameworks depends on the context in which the information is to be used. With a stronger understanding and implementation of the idea of context, the questions of automatically identifying risk and liability may be answered appropriately for all the different constituents involved in the attribute ecosystem. The normalization of language around attributes can be handled more effectively when contexts are defined and identified. Contexts turn out to be the most fundamental organizing principle in the attribute management space.

...

Recommendation #2: Clarifying the use of attributes

In response to Gaps #2, 8, 9

There needs to be effort around understanding how entity attributes will be used by Relying Parties and the criteria that need to be in place to allow Relying Parties to trust in the entity attributes, or sets of entity attributes, they receive. An understanding of these needs will drive the definition of the mechanisms that will need to exist to provide assurances about an entity attribute or a set of entity attributes.

...