AIM WG Minutes 30-October-2013

DRAFT minutes pending AIM WG review

Date and Time

  • Date: Wednesday, 30 October 2013
  • Time: 07:00 PT | 10:00 ET | 14:00 UTC
  • Dial-in: United States Toll +1 (805) 309-2350
    •  Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
    • Conference code: 613-2898

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Approval of Minutes: AIM WG Minutes 04-September-2013
  2. Discussion / Action Item Review
    1. Attribute Provider Certification?
    2. Periodic Table of Trust Elements (see "Misc. Documents" - https://spaces.internet2.edu/display/scalepriv/Useful+reference+documents)
    3. Review of charter
      1. AMDG report review
      2. matching our charter to the Kantara "why"
  3. AOB
  4. Adjourn

Attendees

  • Steve Olshansky
  • Allan Foster
  • David Chadwick

As of August 5, 2013, quorum is 3 of 5

Non-Voting

  • Stu Vaeth - Secure Key
  • Ken Klingenstein

Staff

  • Heather Flanagan

Apologies

  • Keith Hazelton

Minutes

Administration

  • Minute approval postponed

Action Items

  • 20130123-01
    • Assigned To: Kirk Fergusson
    • Description: Share the working definitions for components in their diagram
    • Comments: Sal to reach out to Kirk to let him know we are going to remove the action item (2013-09-04)
  • 20130821-01
    • Assigned To: Keith Hazelton, Allan Foster
    • Status: In Progress
    • Description: Go through the Attribute Registry Draft and answer the questions, post to the list
    • Comments: Keith to send out a list of comments; waiting for Allan
  • 20130904-01
    • Assigned To: Heather Flanagan
    • Status: In Progress
    • Description: Update Attribute Handling Best Practices outline in time for the next call

New Action Items

  • (no entries)

Discussion

Periodic Table of Trust Elements (see "Misc. Documents" - https://spaces.internet2.edu/display/scalepriv/Useful+reference+documents)
  • Ken has had a follow-up conversation with the NPO on this, and they are fully on board
  • If you go to the slide deck, go to the last slide - that's what we will discuss today: Trust Elements, Trust Marks, Trust Frameworks
    • these words/phrases have all sorts of interesting interpretations
    • To explain the periodic table: first row has lots of detail - that's the space we've lived in for a while now - and bottom row is less detailed, with new considerations and things we are still discovering
      • Robin Wilton (ISOC) will also be looking at this and trying to add more detail
    • A Trust Element is something associated with a specific theme; Trust Marks are created by gathering elements together
      • If you build a Trust Mark around Accessibility, it might look at tools, attributes
      • Organizations relying on Trust Marks will want some assurance regarding their end-to-end reliability and security
      • A Trust Mark will cross several layers of the periodic table
    • A Trust Framework looks at end-to-end reliability and security
  • Are people comfortable with those distinctions? If so, then the next set will be to determine what elements should be associated with different marks
    • the NPO has asked to color the marks according to what principles the elements apply to (which doesn't entirely make sense, but will make the NPO happy); Steve Olshansky working on that now
  • Questions
    • Trust Frameworks and Trust Marks are a huge pair of topics; a great deal of work and clarification here
Attribute Provider Certification?
  • At IIW, there was a lot of discussion around the concept of an Attribute Provider; almost every diagram included this concept, an entity that provided attributes at some level of assurance
  • As a parallel: within the authN space, we have a few defined points: 800-63, LoAs, and various other concepts. There is nothing like that, no clearly defined points, in the Attribute Provider space. We do have the attribute ecosystem work and the periodic table just discussed, but there is a nice, gaping hole for some form of definition around how you work with an Attribute Provider and how you define them; some kind of work similar to what the IAWG put together for the CSP accreditation. We could build out something that defines what kinds of things need to be reviewed to bring an AP into a Trust Framework
  • When we started the group, we were aiming for the best practices for an Attribute Broker, and this covers the same space but makes it a bit more general to talk about the issues surrounding both the attributes and the Provider itself; need to address the relationship of the Provider and the other entities in the space
  • Questions/comments?
    • how do you differentiate between an Attribute Provider and an Attribute Verifier?  the difference may encompass consent, confidence, others.  Is that a valid distinction?
    • what LoA issues may lurk here?  what about the bindings between children and parents, children and teachers (COPPA regulations) which in turn feed things like parental consent for a student to join a chatroom
      • this is all loosely defined at the moment, or defined in a domain specific way
    • as an alternate model, regarding AP and AV, some can look at two different kinds of attributes - authoritative attributes from the Providers themselves vs. registered attributes where they are not the authoritative source but they will assert the attributes - these are attributes they included in their databases that have been verified in some way (looked at Passports, Driver's Licenses)
      • as the ecosystem starts growing, there will be different levels of attributes available and it will be harder to understand/verify the level of confidence of those attributes; in particular, as people see business opportunities and sell attributes, this becomes more important; and when we talk certification, there is liability involved
      • also note that what's authoritative in one vertical might not be authoritative in others; might be different even by federation within the same vertical; we need the framework to say who is providing what by what terms, possibly at a provider-by-provider level
      • Brokers have to be part of the discussion; on the one hand, you would expect the Broker to be held to the T&Cs of the underlying provider, but they also bring in an additional level of abstraction; we need to discuss the issue around when and how the Broker may be able to change the level of confidence on the assertion
  • there does seem to be some support in looking at the issues around APs, the Terms and Conditions around that, and this should be captured in the AIM WG Charter
Review of charter
  • AMDG report review
  • matching our charter to the Kantara "why"
  • Allan and Heather to work on the draft charter

AOB

  • HF to send out a query re: the timing of the call

Next Call

  • Date: Wednesday, 13 November 2013
  • Time: 07:00 PT | 10:00 ET | 15:00 UTC
  • Dial-in: United States Toll +1 (805) 309-2350
    •  Alternate Toll +1 (714) 551-9842
  • Skype: +99051000000481
    • Conference code: 613-2898