AIM WG Minutes 06-Mar-2013


Date and Time

  • Date: Wednesday, 06 March 2013
  • Time: 07:00 PT | 10:00 ET | 15:00 UTC
  • Dial-in: United States Toll +1 (805) 309-2350
    •  Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
    • Conference code: 613-2898

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Approval of Minutes: AIM WG Minutes 20-Feb-2013
    4. Action Item Review
  2. Discussion / Action Item Review
    1. Continue Tagging flows (Ken)
    2. Overlap between AIM and UMA (Ken, Keith)
    3. eGov and the Separating token/attribute model (pseudonymous credentials, late binding, ..) discussion
  3. AOB
  4. Adjourn

Attendees

  • Steve Olshansky
  • Keith Hazelton
  • Ingo Friese
  • Sal D'Agostino
  • Rainer Horbe

As of Feb 10, 2013 quorum is 5 of 9

Non-Voting

  • Steven Carmody
  • Ken Klingenstein

Staff

  • Heather Flanagan (scribe)

Apologies

Minutes

Review of the previous minutes was postponed to the next call; quorum was achieved late in the meeting.

Administration

Action Items

  • 20121127-06
    • Assigned To: Allan Foster
    • Status: (none recorded)
    • Description: Review AMDG Recommendations and verify if/how they tie in to the AIMWG work
    • Comments: (none)
  • 20121211-01
    • Assigned To: Group
    • Status: (none recorded)
    • Description: Review Attribute Design draft
    • Comments: Determine on next call if this is something the group wants to discuss further
  • 20130109-02
    • Assigned To: Keith Hazelton
    • Status: (none recorded)
    • Description: Create a semantic diagram that will look something at a historical perspective
    • Comments: (none)
  • 20130123-01
    • Assigned To: Kirk Fergusson
    • Status: (none recorded)
    • Description: Share the working definitions for components in their diagram
    • Comments: (none)

New Action Items

  • (none recorded this call)

Discussion

Continue Tagging flows (Ken)
  • See current Attribute Ecosystem slides
  • talking today about slide 24
    • Certification marks and their management - what other categories might have end entity categories germane to that vertical? The point was that they are not end entities; they are certification marks
      • certification marks are highly controlled by regulation, handled by Patents and Trademarks in the US; in the SAML world, end entity categories are equivalent to certification marks
      • would these need to be registered per country? maybe, but there is the World Trade Organization and the Madrid Protocol
      • started talking about entity attributes, but has anyone heard any conversation about attaching these marks to identity assurance? LoA is kind of like that, but maybe there is a whole space for this kind of thing; we should understand what the legal foundations for these kinds of things are and see if we can emulate them in our federated landscape; the R&S tag has not been registered with the WTO and that might be a good thing to do
    • What about liability flows? Scott David (lawyer) suggests that there is no course in law school on liability; it is an aspect of every other course in law school. It becomes a characteristic of flows: probably at the metadata level, when we describe info flows we describe liability management in each of those flows; a very complex space built on legalisms and the expectations of the participants. So, take out liability as an explicit set of flows to watch and think about it as a characteristic of flows, joining another characteristic, which is timing; there may be other characteristics to think about
    • What about informed consent and what structuralisms are around that? Ken received some references to another lawyer who has written a lot about informed consent, and will see if there is any guidance there
    • Regarding information, Ken sent info off to the head of the Privacy Standing Committee of the NSTIC IDESG listing 4 issues to engage on:
      • informed consent - how to do it
      • citizen centric schema
      • anonymous credential use cases and anonymous credential privacy leakage
      • privacy manager
        • will likely come up with a subcommittee to work on this cluster of topics
    • on the liability thing, in Europe the Code of Conduct, a single common framework for SPs and IdPs to work together within the constraints of the EU Privacy Directive, is making steady progress and is about to be promulgated by Géant. The Privacy Directive has a reputation of being a horrible, challenging thing, and yet the premise of working together without undue burden that is part of the CoC seems to work and is supported by the lawyers of campuses around the EU
      • note that there may be a lot more sensitivities when we get to things like COPPA compliance
      • There is a REFEDS work item to bring the CoC beyond the bounds of the EU, so it might be worth taking this model to someone like Scott David and asking for his input; this also bumps up against the Chamber of Commerce's Safe Harbor rules
      • Suggest inviting Scott David to one of the April calls
  • Going to slide 12 (forgiving the black backdrop)
  • Going to slide 13 - metainformation; trying to let people know that the flow the attributes take and the flows of the management of attributes is very different
    • three kinds of arrows: the biggest arrows indicate the most glacial processes (application provider going to service provider is another big flow); pink flows are more real-time, but still not dynamic per transaction (maybe once per day); red flows are the hottest, real-time flows
  • Going to slide 14, the trust is generally between the portal and the application or SP; need a trust flow between the user and the portal
    • will need to resort to tagging the flows to represent the characteristics
Overlap between AIM and UMA (Ken, Keith)
  • see Eve's slides from an MIT Hackathon
  • would like us to encourage people to express their use cases in as technology-neutral a way as possible
  • re: the applicability of UMA - how does it move to providing info to structure this stuff? note that the NSTIC process is now turning to use cases, and the use cases are likely to drill down into a variety of places at different levels and microcosms
  • Keith will take as homework to pick some classic use cases and then ask how he would approach the use case with his choice of components and protocols, and do that for a couple of different approaches; expect to see some interesting user stories that we will want to follow up on that might best (or even only) be solvable with UMA
  • if we have gotten to the point where we can develop a use case and then look at how different models would address the use case, that hasn't really been done yet in this space and should be a very enlightening exercise
eGov and the Separating token/attribute model (pseudonymous credentials, late binding, ..) discussion
  • [Figure: mindmap of the attribute meta model]
  • the idea is to have an abstract model of what properties describe an attribute, in a static session
  • this is not a final breakdown or classification, it is a first pass at trying to collect characteristics and group them
  • is this model useful?
    • is the goal to characterize all the aspects of attributes that we might care about for protocols and discussions? yes; it is a crosscutting view to use cases; at the end of the day, each property needs to be used in a use case
    • what about a monetary value as a possible characteristic? it is missing
    • is issuer an important enough property to call out as something that should be associated with an attribute? there is an original issuer that should suit
    • under core set, is there something that would type the value in more of a computer language sense (string, integer, etc.)? that would be a simple type, but it could be a complex type like "digital signature"
    • there is a similar diagram that Leif Johansson created, an ontology of attributes, and available via the AIM wiki space, but the one discussed today is more extensive; should make sure that concepts captured in Leif's diagram are also captured here.

AOB

Next Call

  • Date: Wednesday, 20 March 2013
  • Time: 07:00 PT | 10:00 ET | 15:00 UTC
  • Dial-in: United States Toll +1 (805) 309-2350
    •  Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
    • Conference code: 613-2898