...
While enterprise architecture frameworks (EAFs) such as the US Federal Enterprise Architecture Framework (FEAF), on which the Australian and New Zealand EAFs are based, segment down to services and functions, no work is under way to standardise the terms that describe generic business process patterns. For example, the process patterns supporting the public-facing services of the NZ Department of Internal Affairs can be distilled down to: Grant, Register, Monitor, Advise, Enforce, Legislate, Collect. Can these descriptions be standardised, and can the same be done for the sub-sets and super-sets of attributes that each of these functional process patterns requires?
In addition, there is a need to understand the needs of service providers that rely upon identity attributes in order to deliver services. An understanding of these relying party needs will help drive the definition of the mechanisms, processes and procedures that must exist to provide assurance about an entity identity attribute or a set of such attributes. It will also drive the definition of the criteria an organization must meet to become an authoritative party for an entity identity attribute or set of attributes.
Info (authoritative party): An organization or individual that is trusted to be an authority on the identity related attributes or roles associated with users and subjects of services. -- taken from the Government of British Columbia Identity Information Reference Model
...
- SEMIC.EU was a starter project but closed in 2009, now partly replaced by ISA
- Federating Identity Management in the Government of Canada: A Backgrounder
...
- North American Security Products Organization (NASPO) http://www.naspo.info/PDFiles/IDPV_PBP_WorkProgressReport.pdf
Gap #3: Normalization and categorization of identity attributes
A broad, common, accepted list of attributes and associated definitions is currently not achievable in its entirety. Publishing code lists and their meanings to a public directory should, however, be possible. Local profiles could be published to a central URN/URL namespace repository so that other parties interoperating with an attribute provider can retrieve the applicable 'set' and its metadata.
Consider a common structure for 'attributes of an attribute': the properties of an attribute (e.g. unique; authoritative or self-reported; time since verified; last time changed; last time accessed; last time consented) that would be made available alongside the value and provide an audit trail.
Local definitions of attributes in any given global schema, along with local interpretation of the related metadata and trust frameworks, create a situation where it is very difficult to efficiently share (or trust) information. This gap needs to be addressed in a way that meets the expectations of relying parties working across identity and attribute providers.
Efforts in this space:
- InCommon Federation site regarding the Categorization of attributes
- The Finnish attribute profile (in Finnish, but an English option is available on the portal front page): http://www.suomi.fi/suomifi/tyohuone/yhteiset_palvelut/verkkotunnistaminen_ja_-maksaminen_vetuma/tekninen_rajapinta/finnish_attribute_profile/FinnishAttributeProfile20110221.pdf
- UK government data standards: http://interim.cabinetoffice.gov.uk/govtalk/schemasstandards/e-gif/datastandards.aspx
- An emerging effort is the ISOC initiative 'Moving forward with an Internet Attribute Infrastructure', which grew out of the main gap identified in the 2011 workshop 'Mapping the Identity Ecosystem' (http://tid.isoc.org/trac/ideco).
Gap #4: Identifying and defining contexts
Perhaps a subset of semantics and terminology, the question of context is significant in its own right. From an electronic identity perspective, the information expressed about an individual will often vary according to the context in which it is requested or presented: an identity is expressed with different attributes under different contexts.
Info (context): The environment or circumstances in which identity information is communicated and perceived. Individuals operate in multiple identity contexts (e.g., legal, social, employment, business, pseudonymous) and may identify themselves differently based on the context. -- taken from the Government of British Columbia Identity Information Reference Model
...
- individual as citizen
- individual as social group member
- individual as employee
- individual acting in a business role e.g. Director
- individual as researcher, student, or faculty
How should identity attributes be categorized or expressed in different contexts? Are these different identity attributes, or sub-attributes? Can this question be rolled into the questions around attribute semantics, governance and schema? It overlaps all of these.
Efforts in this space:
- The Government of British Columbia evidence of identity
- New Zealand Evidence of Identity Standard and additional guidance
Gap #5: Agreeing to a common language - Schema and Metadata
Attribute metadata is another aspect of attribute management, concerning the exchange of attributes. What is needed is agreement on the semantics of that metadata. For example, SAML has some metadata for attributes, but much more will be needed as interoperability of attributes grows. We will need registries for attribute sets and their categorization (an IANA-like function), agreement about the semantics, and mappings between sets of attributes having differing semantics.
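As an added illustration of the registry-and-mapping idea (not code from this gap analysis or from any of the efforts listed below), the Python below maps attribute names from two source vocabularies into one hypothetical local profile. The OpenID Connect claim names and the SAML urn:oid attribute names are real; the local profile names, the registry contents and the sample attribute sets are constructed for the example. What it adds to the text: a source attribute with no mapping, or whose semantics are known to differ, is reported rather than guessed, and a flag that one vocabulary simply lacks (`email_verified`) stays absent instead of being assumed true.

```python
"""Registry-driven normalisation of attribute names into a local profile.

Added example; not code from this gap analysis or from any effort it lists.
Local profile names, registry contents and sample inputs are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical local profile: the only names relying-party code may use.
LOCAL_PROFILE = {
    "given_name": "given name(s) of the subject",
    "family_name": "family name of the subject",
    "email": "e-mail address of the subject",
    "email_verified": "True only if the provider verified control of email",
    "birthdate": "date of birth, ISO 8601 (YYYY-MM-DD)",
}

# Registry: source vocabulary -> source name -> local name.
# None means "known, but its semantics differ; never reuse it silently".
REGISTRY = {
    "oidc": {                      # OpenID Connect standard claim names
        "given_name": "given_name",
        "family_name": "family_name",
        "email": "email",
        "email_verified": "email_verified",
        "birthdate": "birthdate",
        "nickname": None,          # casual name, not a given name
    },
    "saml-urn-oid": {              # SAML attribute names in urn:oid form
        "urn:oid:2.5.4.42": "given_name",                # givenName
        "urn:oid:2.5.4.4": "family_name",                # sn
        "urn:oid:0.9.2342.19200300.100.1.3": "email",    # mail
        "urn:oid:2.16.840.1.113730.3.1.241": None,       # displayName: free text
    },
}


@dataclass
class Normalised:
    attributes: dict = field(default_factory=dict)  # local name -> value
    rejected: dict = field(default_factory=dict)    # source name -> reason


def normalise(vocabulary: str, incoming: dict) -> Normalised:
    """Map an incoming attribute set into LOCAL_PROFILE.

    Anything the registry does not map is reported rather than guessed,
    and one local name is never filled from two source names.
    """
    mapping = REGISTRY[vocabulary]
    out = Normalised()
    for name, value in incoming.items():
        if name not in mapping:
            out.rejected[name] = "not in registry for " + vocabulary
        elif mapping[name] is None:
            out.rejected[name] = "semantics differ from local profile"
        elif mapping[name] in out.attributes:
            out.rejected[name] = "would overwrite " + mapping[name]
        else:
            out.attributes[mapping[name]] = value
    return out


def email_is_verified(normalised: Normalised) -> bool:
    """Absent means unknown, and unknown is treated as not verified.

    A SAML attribute set carries no email_verified at all, so a relying
    party that assumes True here has invented an assurance.
    """
    return normalised.attributes.get("email_verified") is True


# Constructed sample inputs, not captured from any real provider.
# (urn:oid:1.2.3.4.5.6.7 is a made-up, unregistered attribute name.)
SAML_SAMPLE = {
    "urn:oid:2.5.4.42": ["Alex"],
    "urn:oid:2.5.4.4": ["Example"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["alex@example.org"],
    "urn:oid:2.16.840.1.113730.3.1.241": ["Alex E."],
    "urn:oid:1.2.3.4.5.6.7": ["local-only"],
}
OIDC_SAMPLE = {
    "given_name": "Alex",
    "family_name": "Example",
    "email": "alex@example.org",
    "email_verified": True,
    "nickname": "lex",
}

if __name__ == "__main__":
    for vocab, sample in (("saml-urn-oid", SAML_SAMPLE), ("oidc", OIDC_SAMPLE)):
        n = normalise(vocab, sample)
        print(vocab, n.attributes, n.rejected, "email verified:", email_is_verified(n))
```

The registry is the piece a shared namespace repository would publish; the relying party's own code only ever sees LOCAL_PROFILE names, and the `rejected` map is what it would log or surface when a provider's vocabulary drifts.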
...
- OIX Attribute Exchange (AX) working group
Government
- Finland's Suomi.fi
- British Columbia, Canada: attributes about people and their relationships with others in a government context, and an initial set of attributes or claims
- Austria's eGov cooperation (local/state/federal): specification of the "eGov token" (pdf, German)
- Possibly relevant: UK government data standards http://interim.cabinetoffice.gov.uk/govtalk/schemasstandards/e-gif/datastandards.aspx
See also the other efforts listed in the Current Industry Efforts repository.
Gap #6: Interoperability between protocols
The protocol space around attributes is comparatively stable. Protocols such as SAML and OAuth (and the related OpenID Connect and User-Managed Access (UMA)) are in broad use and fairly well understood, even if they are still evolving. PKI certificates and web services also have strong community support and understanding. What is missing, however, is better guidance on how exactly to use those protocols to carry attributes and their associated metadata in an interoperable (and secure) fashion. In particular, how to use these protocols in the mobile device context is at issue. In addition, a means is needed to ask a broad set of identity providers anything about the wide range of attributes that exist for the identities for which they are authoritative or trusted. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?" (a yes/no question that should not require releasing the date of birth itself), the attribute space has no easy answer.
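To make the legal-age question concrete, here is an added example (not from the original page, and not the wire syntax of SAML, OAuth or OpenID Connect) of an identity provider answering the predicate instead of releasing the date of birth. The message shapes, the record store and the sample subjects are all constructed for illustration. Two design points the paragraph leaves implicit: the age threshold is supplied by the relying party, because the applicable law belongs to its context rather than the provider's, and "the provider does not know" is kept distinct from "no".

```python
"""Answering "is this person of legal age?" as a predicate, not a date.

Added example; not SAML, OAuth or OpenID Connect syntax, and not code from
this page.  Message shapes, the provider's records and the sample
subjects are constructed for illustration.
"""
from datetime import date

# Constructed provider records: birthdate plus the metadata that makes it
# usable (who asserted it, when it was last verified). Dates are ISO strings.
RECORDS = {
    "subj-001": {"birthdate": "2000-02-29", "source": "authoritative",
                 "verified_on": "2017-06-01"},
    "subj-002": {"birthdate": "2006-01-15", "source": "self_asserted",
                 "verified_on": None},
    "subj-003": {},                       # provider knows nothing about age
}


def age_on(birthdate: str, as_of: str) -> int:
    """Completed years of age on `as_of` (both ISO YYYY-MM-DD strings).

    Assumption: a 29 February birthday falls on 1 March in non-leap years.
    That convention is a policy choice and varies by jurisdiction.
    """
    born, now = date.fromisoformat(birthdate), date.fromisoformat(as_of)
    years = now.year - born.year
    if (now.month, now.day) < (born.month, born.day):
        years -= 1
    return years


def age_query(subject: str, years: int, as_of: str) -> dict:
    """Build the (constructed) query shape a relying party would send."""
    return {"subject": subject, "predicate": "age_at_least",
            "years": years, "as_of": as_of}


def answer_age_query(query: dict) -> dict:
    """Provider side: return the predicate result and its provenance only.

    The threshold comes from the relying party because the applicable law
    is the relying party's context, not the provider's.  A missing
    birthdate yields "unknown", which is deliberately not False.
    """
    record = RECORDS.get(query["subject"], {})
    if "birthdate" not in record:
        return {"predicate": query["predicate"], "result": "unknown"}
    ok = age_on(record["birthdate"], query["as_of"]) >= query["years"]
    return {
        "predicate": query["predicate"],
        "result": ok,                      # True/False; the birthdate never leaves
        "derived_from": "birthdate",
        "source": record["source"],
        "verified_on": record["verified_on"],
    }


def relying_party_decision(response: dict, require_authoritative: bool) -> str:
    """Relying party side: admit, deny, escalate, or demand more assurance."""
    if response["result"] == "unknown":
        return "ask another provider"
    if require_authoritative and response["source"] != "authoritative":
        return "insufficient assurance"
    return "admit" if response["result"] is True else "deny"


if __name__ == "__main__":
    for subject in RECORDS:
        response = answer_age_query(age_query(subject, 18, "2018-03-01"))
        print(subject, response, "->",
              relying_party_decision(response, require_authoritative=True))
```

The response carries the provenance of the underlying attribute (source and verification date) so the relying party can apply its own assurance rule to a derived value it never saw; that is the hook a trust framework at the attribute level (Gap #7) would standardise.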
Efforts in this space:
- SAML
- SAML Attribute Query (profiled)?
- OAuth
- PKI certificates
- OASIS Web Services over SOAP
- OpenID Connect
- SCIM
- United States Federal Identity, Credential, and Access Management (FICAM) profiles
Gap #7: Trust frameworks
With regard to attribute management and governance in trust frameworks, substantial work has gone into identity confidence/assurance. Different levels of confidence/assurance and certifications are described by different accreditation and standards organizations, auditors have been trained, and so a general understanding of the concept is shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could be described by a mix of self-asserted and proofed attributes, and a consumer of those attributes should be able to choose which attribute to use depending on the context of the activity or transaction. How a cohesive trust framework could handle information at the attribute level is still an open question and will be a critical component of attribute management. The complexity of attribute management is multiplied many times in the case of inter-federation. Trust framework governance therefore becomes a critical dependency for cohesive attribute management.
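As an added example (not taken from any trust framework or effort on this page) of both the 'attributes of an attribute' structure from Gap #3 and the context-dependent choice between self-asserted and proofed attributes described above, the Python below represents each candidate value together with its metadata, applies a per-context acceptance policy, and records every decision in an audit trail. The context names follow the British Columbia definition quoted under Gap #4; the metadata field names, the thresholds and the sample candidates are assumptions constructed for the example.

```python
"""Choosing between self-asserted and proofed attributes by context.

Added example; not drawn from any trust framework or effort on this page.
Metadata field names, per-context thresholds and the sample candidates
are assumptions constructed for illustration.  Dates are ISO strings.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Attribute:
    """One assertion of an attribute value together with its metadata
    (the 'attributes of an attribute' from Gap #3)."""
    name: str
    value: object
    provider: str
    source: str                          # "authoritative" or "self_asserted"
    last_changed: str
    verified_on: Optional[str] = None
    consented_on: Optional[str] = None
    last_accessed: Optional[str] = None  # stamped on release, for the audit trail


# Hypothetical per-context acceptance rules; the numbers are illustrative.
POLICIES = {
    "legal": {"sources": {"authoritative"}, "max_verified_age_days": 365, "consent": True},
    "employment": {"sources": {"authoritative"}, "max_verified_age_days": 730, "consent": True},
    "social": {"sources": {"authoritative", "self_asserted"}, "max_verified_age_days": None,
               "consent": False},
}


def _days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def reasons_to_reject(attr: Attribute, context: str, today: str) -> list:
    """Every policy rule the candidate fails; an empty list means acceptable."""
    policy = POLICIES[context]
    reasons = []
    if attr.source not in policy["sources"]:
        reasons.append("source %s not accepted in %s context" % (attr.source, context))
    limit = policy["max_verified_age_days"]
    if limit is not None and attr.verified_on is None:
        reasons.append("never verified")
    elif limit is not None and _days_between(attr.verified_on, today) > limit:
        reasons.append("verification older than %d days" % limit)
    # ISO dates compare chronologically as strings; a value edited after
    # its last verification is no longer the value that was proofed.
    if attr.verified_on is not None and attr.last_changed > attr.verified_on:
        reasons.append("value changed after last verification")
    if policy["consent"] and attr.consented_on is None:
        reasons.append("no consent recorded")
    return reasons


def select(candidates: list, context: str, today: str, audit: list) -> Optional[Attribute]:
    """Pick the best acceptable candidate for `context`, logging every decision.

    Among acceptable candidates, authoritative beats self-asserted and a
    more recent verification beats an older one.  Releasing the chosen
    value stamps its last_accessed field.
    """
    acceptable = []
    for attr in candidates:
        reasons = reasons_to_reject(attr, context, today)
        audit.append({"attribute": attr.name, "provider": attr.provider, "context": context,
                      "decision": "reject" if reasons else "accept", "reasons": reasons})
        if not reasons:
            acceptable.append(attr)
    if not acceptable:
        return None
    acceptable.sort(key=lambda a: a.verified_on or "", reverse=True)   # newest first
    acceptable.sort(key=lambda a: a.source != "authoritative")          # stable: authoritative first
    chosen = acceptable[0]
    chosen.last_accessed = today
    return chosen


# Constructed candidates: the same attribute asserted by three providers.
CANDIDATES = [
    Attribute("postal_address", "12 Example St", provider="social-idp",
              source="self_asserted", last_changed="2024-01-10"),
    Attribute("postal_address", "12 Example St", provider="gov-registry",
              source="authoritative", last_changed="2023-05-01",
              verified_on="2023-05-02", consented_on="2024-02-01"),
    Attribute("postal_address", "99 Old Rd", provider="utility-co",
              source="authoritative", last_changed="2021-01-01",
              verified_on="2020-12-15", consented_on="2024-02-01"),
]

if __name__ == "__main__":
    for context in POLICIES:
        audit = []
        chosen = select(CANDIDATES, context, "2024-03-01", audit)
        print(context, "->", chosen.provider if chosen else None)
        for entry in audit:
            print("   ", entry["provider"], entry["decision"], entry["reasons"])
```

Run with today set to 2024-03-01, the legal context accepts only the government registry's proofed value, the social context accepts the self-asserted one as well but still prefers the proofed one, and the utility company's value is rejected everywhere because it changed after it was last verified; move today to 2025-01-01 and the legal context has no acceptable candidate at all while employment, with its longer verification window, still does. Nothing in the framework text fixes these numbers; the point is that the decision is made per context, from the attribute's own metadata, and leaves a record.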
...