ANCR-SiG 081623

Agenda

1.1 Roll Call
1.2

Mark Lizar - present

Paul Templenan - present

Mark Verstege - present

Gigi Agassini - present

Non-voting

Other

IPR Statement

Proposed Agenda

Time

Actions

15

Agenda Setting

Introductions, IPR, Consensus Protocol -

  • Time zone and meeting planning

  • Scope - protocol agnostic - what are we not agnostic to?

    • OIDC - consent is part of the auth flow

      • what does an extension look like?

    • DID - identifier to attribute standards

    • OpenID - identifier to attribute standards

  • Let's scope - what is needed for an extension or an Identity Person

    • notice and consent receipt exchange - extension to consent notice for authentication.

    • Let's create - Transparency Code of Conduct - present to regulators

      • harmonise transparency and consent best practices for notice, notification and disclosure - with ISO/IEC 29100 for interop -

  • Time of Calls -

  • Signal - Chat -

  • Agenda Flexibility

    • Alternating

      • Thursday morning, Canada

        • UTC-5

      • Friday morning, Australia

        • UTC/GMT+10

    • @Gigi Agassini Doodle - support -

15

Scope of AuthC

What are the use case objectives?

20

Outline

What would an extension for OAuth be?

  • receipt token

  • privacy standard

  • registry function

  • how it's done anonymously

    • exchange anonymously -

  • schema for presenting notice

    • verifiable notice register

      • verifiable data registry -

  • Privacy policy - is not really a concern - it's not within the bank's scope of liability

    • subtle point - CDR - separation of consent from authorization

      • is that consent management support? - on the disclosure side of that data?

        • details are not disclosed - so not able to fully understand where the data will be used

        • different when the relying party is another org -

        • but when it's a bank - are they custodian, but don't want the liability -

          • e.g. tax data - why should the gov know about using that data? privacy in data bridging

      • explain it to the government


Use Cases

  • in the use case -

    • bank is not capturing the first consent - so that link is broken to start -

      • this can be easily fixed - with the provision of a receipt

      • consumer to bank

    • Sport -

      • org to org - with a consent token

        • how many consents ?

          • missing secondary consent - how are permissions bundled to a consent technically?

      • non-repudiable - present this claim in a tamper proof way -

        • getting a receipt back via CDR - demonstrating physical representation - like in a store

          • Google has a way to prove change logs of android images - tamper log -

          • consumer devices - to create the signature

          • consent token can be used - e.g. how FIDO operates -

          • the private key of the Principal signs the notice to give the token.

          • OVC? (code check and challenge)

          • proof that the receipt is signed by the same customer

          • FIDO - is a good model


      • Delegation - protocol components

        • break the glass the scenario (front door access for security and fraud)

          • the holder of the data is vouching

          • governed by Aus privacy regulator

        • Health -

          • UMA WG - an extension is long overdue - and promised 4 yr ago

          • dr - 16 yr old girl - (talk to Kate Tillizeck)

          • separation of the authorization service from the relying party to allow centralizing the resource server or auth - (GNAP - .xyz - Justin Richer - was the person who wrote the consent receipt generator)

          • is separation of the auth server - the way to go

        • Data Broker

          • opening up the data broker, cutting them out as an intermediary

  • Where to Start

    • Simple use case - Feature -

    • Mind map - (what are the layers)

      • requirements

      • features

      • capabilities

    • Consent profile of profiles (profile project kit)

      • non-repudiable, tamper-proof

      • here is the profile - using these set of statements

        • meta-data - message and dialogue inside it

        • are we agnostic?

      • wrap the profile - but allow the bottom up choice of consent scheme

        • person in the middle of an onion diagram

          • small projects to deal with

            • Community Consent Profile


      • ISO/MDL -add to that -

        • does it fit the required security properties ?

        • do we need to be agnostic

        • do we need a preferred approach -

        • method of approach - (project kit for interoperability)

    • each layer of an extension is extensible - with different overlays -

10

Roadmap & Actions

Start considering the timeline and capture key use case features / requirements and benefits.

  • Way forward

    • many provide many credentials to a service / relying party or domain.

    • can generate an attribute for every consent and privacy agreement

    • some trust is provided to the identity provider -


News

New OpenID Foundation WG - for Digital Credentials Protocol

  • Can Digital Credential

  • FAPI - Thornston -


Actions

Made inline
