NSTIC Drafts
Kantara Position Paper - NSTIC Steering Group Formation
Overview
Kantara Initiative (Kantara) is pleased to welcome the formation of the National Strategy for Trusted Identity - Steering Group. Kantara expects to be an active participant in the NSTIC Steering Group formation, both as an organization as well as through our stakeholder members and participants, in various areas of the Steering Group activities and development.
Kantara seeks to ensure that the NSTIC development does not disrupt already progressing solutions within Identity Ecosystems but rather encourages the cooperation and re-use of solutions and programs that already exist. Kantara recommends that the NSTIC Steering Group should strive to be a coordinating organization that connects and promotes existing solutions for the establishment privacy, security, interoperability and ease of use, with regard to a US National Identity Ecosystem, and move to create new solutions where none exist (as the NSTIC strategy states “The Strategy seeks to promote the existing marketplace, encourage new solutions where none exist, and establish a baseline of privacy, security, interoperability, and ease of use that will enable the market to flourish.” Page 3 NSTICstrategy_041511.pdf).
Additionally, given the international and cross-sector stakeholder representation within Kantara, we recommend that the NSTIC Steering Group consider Kantara’s active support of the international context as contemplated by the establishment of the International Coordination Working Group in the NSTIC Plenary as noted in the Recommendations for Establishing an Identity Ecosystem Governance Structure document (page 6, 2012-nstic-governance-recs.pdf).
In this document readers will find the preferred areas of Kantara interest regarding the 14 Stakeholder Groups as well as materials that may be submitted as items for consideration in the development of the NSTIC Steering Group.
Stakeholder Groups
In general terms Kantara stakeholders have concerns regarding the definition of the stakeholder groups and how they will form the basis of the Management Council operationally. Kantara seeks to collaborate with the NSTIC Steering Group and stakeholders to further refine and specify how the NSTIC Steering Group Management Council formation process will proceed.
Kantara is a dynamic multi-stakeholder organization. We believe that our members will identify with numerous stakeholder groups as listed below.
- Privacy & Civil Liberties
- Alignment –Privacy and Public Policy Work Group
- Usability & Human Factors
- Alignment –User Managed Access Work Group
- Consumer Advocates
- U.S. Federal Government
- Alignment - Identity Assurance Work Group
- U.S. State, Local, Tribal, and Territorial Government
- Alignment - Identity Assurance Work Group
- Research, Development, Education & Innovation
- Identity & Attribute Providers
- Alignment - Identity Assurance Work Group
- Alignment - Attribute Management Discussion Group
- Alignment – Privacy and Public Policy Work Group
- Interoperability
- Alignment - Federation Interoperability Work Group
- Alignment - eGovernment Work Group
- Alignment – Privacy and Public Policy Work Group
- Alignment - Interoperability Review board
- Information Technology (IT) Infrastructure
10. Regulated Industries
- Alignment - Healthcare Identity Assurance Work Group
- Alignment – Privacy and Public Policy Work Group
11. Small Business & Entrepreneurs
12. Security
13. Relying Parties
- Alignment - Identity Assurance Work Group
- Alignment – Privacy and Public Policy Work Group
14. Unaffiliated Individuals
Standing Committee Alignments
Kantara Work Groups and Sub-Committees produce material that align with each of the 4 standing committees proposed to form the NSTIC Steering Group (Accreditation, Policy, Privacy, and Standards). In addition, Kantara has operational entities that perform specific tasks. Compiled below are suggested Kantara materials and operational entities for consideration by each of the proposed NSTIC Steering Group standing committees. Included are direct references to each working item, as well as context for each to provide the reader with a better understanding of how each directly aligns to a NSTIC Steering Group standing committee.
Accreditation
Identity Assurance Work Group (IAWG)
- Identity Assurance Framework – Assurance Assessment Scheme
- Identity Assurance Framework – Service Assessment Criteria
Context
These materials define the operations of the Kantara Assurance Accreditation and Service Approval program as well as the criteria to assess Services at Levels of Assurance aligned with NIST 800-63 and OMB-04-04. These core documents are the heart of Kantara Assurance work and provide our members, staff and stakeholders with guidance for all levels of operation of our Assurance Program. Working in a standard and defined way, Kantara is able to plug-in virtually any set of reasonable and mission aligned criteria to operate programs which verify Trust layers in Identity Systems.
User Managed Work Group (UMAWG)
- UMA Trust Model
Context
The technical layer of UMA is accompanied by a business/legal-focused layer called Binding Obligations, in the form of a contractual framework. Various parties interacting using UMA might additional have pairwise contracts or shared membership in trust frameworks, in addition. Accreditation of parties interacting in this fashion would include the Binding Obligations.
Assurance Review Board (ARB)
Context
This operational entity is a sub-committee of the Kantara Board of Trustees. The ARB operates the Kantara Assurance Program. ARB membership consists of stakeholders representing: Assessors, Relying Parties, Policy Makers and Research and Education Networks. ARB membership includes both United States and International representatives who have real world experience in operating and assessing Federated Identity Management Systems as well as building policy around those systems.
Interoperability Review Board (IRB)
Context
This operational entity is a sub-committee of the Board of Trustees that has the oversight and management of Kantara’s interoperability programs as its focus. The IRB works to understand the requirements and needs of end-user communities to develop interoperability programs that verify interoperable deployments. The IRB, through Kantara, also partners with organizations like TERENA (Trans-European Research and Education Network Association) to build interoperability programs around open tools, such as the forthcoming OpenID Deployment Verification program.
Policy
Identity Assurance Work Group (IAWG)
- Identity Assurance Framework and its subordinate documents
- Federation Operators Guidelines
Context
This operational entity develops the Identity Assurance Framework (IAF) that includes accreditation criteria to measure assurance of Trusted Identities which are issued by Credential Service Providers. The Identity Assurance Framework is based on the OMB-04-04 and NIST 800-63 Levels of Assurance.
Assurance levels are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements. The IAF defers to the guidance provided by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.2 [NIST800-63] which outlines four levels of assurance, ranging in confidence level from low to very high. The level of assurance provided is measured by the strength and rigor of the identity verification and proofing process, the credential’s strength, and the management processes the CSP applies to it. The IAF then goes on to describe the service assessment criteria at each assurance level. (Page 8 IAF Overview 1000).
User Managed Access Work Group (UMAWG)
- UMA Trust Model
Context
UMA allows a user to make demands of the requesting side in order to test their suitability for receiving authorization. These demands can include requests for information (such as “Who are you?” or “Are you over 18?”) and promises (such as “Do you agree to these non-disclosure terms?” or “Can you confirm that your privacy and data portability policies match my requirements?”). This has the potential to be far more empowering than mere consent.
Privacy
Privacy and Public Policy Work Group (P3WG)
- US Federal Privacy Assessment Criteria
Context
This operational entity developes Privacy Assessment Criteria (PAC) to evaluate conformance of Identity Ecosystem actors with regard to privacy requirements for particular jurisdictions and industry sectors. The next deliverable of this group is to further define the Kantara IAF US Federal Privacy Criteria as well as the US FICAM Privacy Guidance to Assessors.
The P3WG focuses on the fact that there are two operational privacy Documents relevant to Kantara: (1) Privacy Requirements Documents; and (2) Privacy Assessment Criteria Documents that provide assessment criteria with respect to specific Privacy Requirements Documents. A third document managed by P3WG is a Privacy Best Practices Document, which will serve as an incubator for considerations that can be migrated into ongoing Privacy Requirements Documents, by the relevant jurisdiction or industry sector. A secondary purpose, as a result of Kantara’s cross-border and cross-sector privacy representation and discussions, will be to clarify the distinctions between such jurisdictions, which may better enable the establishment of global and/or cross-sector CSP’s.
Note that the Privacy Requirements and Assessment Criteria Documents only consider CSP’s, whereas the Privacy Guidance Document will also discuss the privacy requirements for Relying Parties or Federation Brokers in an Identity Federation. (P3WG Document Charter)
User Managed Access Work Group (UMAWG)
Context
UMA's ability to enable individuals to be peers in a selective data-sharing network with organizations and other individuals embodies Privacy By Design principles.
Standards
eGovernment Work Group (eGovWG)
- eGov Implementation Profile for deployment of SAML 2.0
Context
This operational entity works with representatives from governments to understand common requirements. The eGov Work Group has produced the eGov Implementation Profile for deployment of SAML 2.0 that is already adopted and in use by various governments.
Federation Interoperability Work Group (FIWG)
- SAML2INT Profile
Context
The Federation Interoperability Work Group is collaborating with REFEDS to provide an open and transparent development and evolutionary home for the SAML2INT Web SSO Interoperability Deployment Profile (PROFILE). FIWG has accepted the current version of SAML2INT as submitted by at least 3 or more of the original contributors. FIWG has performed a feature freeze of SAML2INT and is now working to re-publish it under Kantara Operating Procedures with provision of attribution for all original stakeholders. FIWG is performing analysis of extended features to evolve and brand SAML2INT as a Federation Deployment Profile. FIWG will publish the new SAML2INT (name to be determined) as a Federation Deployment Profile. The Kantara Interoperability Review Board will coordinate with REFEDS for further partnership and development of educational tools and certification program to be operated by Kantara.
User Managed Access Work Group (UMAWG)
- UMA 1.0 Core Protocol specification
Context
User-Managed Access (UMA) is a protocol that enables individuals to use a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates), no matter where these things live on the web. At this control point, a user can set policy that ensures that only requesters meeting criteria such as having a certain identity, being over a certain age, or being willing to agree to non-disclosure terms can succeed in gaining access. UMA can apply to a wide variety of sharing scenarios, such as sharing social data and calendars with friends, sharing health data securely with medical professionals, giving contract bookkeepers access to small-business financial data, and offering photos for sale. An international team of computer industry professionals, web service providers, and researchers has been involved in designing and implementing the draft UMA specifications.