Colin,

My apologies with respect to LoA - I did miss it. Given that LoA is a key component of Trust Frameworks I don't think that it needs a topic of its own.

I am in agreement with the recommendations and would suggest that the answer to your question is yes - the experience of the IAWG should be applied to evolving the existing LoA framework and SAC to accommodate attributes.

Ken

Kenneth Dagg
Senior Project Co-ordinator | Coordonnateur de projet supérieur
Security and Identity Management | Sécurité et gestion des identités
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Kenneth.Dagg@tbs-sct.gc.ca
Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-954-6642 / Teletypewriter | Téléimprimeur 613-957-9090
Government of Canada | Gouvernement du Canada

-----Original Message-----
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Colin Wallis
Sent: February 27, 2012 6:38 PM
To: dg-am@kantarainitiative.org
Subject: Re: [DG-AM] AM Report Clean up (RE: REMINDER & AGENDA - DG-AM call, 28-Feb-2012)

Many thanks for the feedback Ken

Better late than never! :-)

Heather's editing and the group may have a view, but some comments from me <<inline>> below

Cheers
Colin

-----Original Message-----
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Dagg, Kenneth
Sent: Tuesday, 28 February 2012 10:03 a.m.
To: Colin Wallis; dg-am@kantarainitiative.org
Subject: Re: [DG-AM] AM Report Clean up (RE: REMINDER & AGENDA - DG-AM call, 28-Feb-2012)

Colin,

Some initial comments on the draft report. I realize I haven't been a part of the discussion up to now but hope to be participating on a regular basis going forward.

Missing Topic

In my mind the Level of Assurance of an attribute should be a topic.
That is, beyond the criteria contained in the SAC, what factors determine the level of assurance for an attribute? Does an attribute from a provider have a higher level of assurance if it was validated a year ago rather than 5 years ago? The question is: what factors are there (including range of values) and how many of them have to be satisfied for each level of assurance?

<<CW: Umm.. LoA is in there under Trust Frameworks (it was under Governance but I moved it). Did you see it? Or is it that you would like it as a separate topic - which is a fair point regardless..>>

Context Topic

To me Context is a valid concept but I believe that it is only an issue for Identity Assertion Providers and is not an issue for Identity Attribute Providers or for Identity Attribute Assertion Providers. In my mind, an Attribute Provider supplies content (e.g., age is 29) while an Attribute Assertion Provider supplies assertions about content (e.g., age is valid).

My rationale is: an Identity Attribute (Assertion) Provider, as an Authoritative Party, maintains Identity Attributes to a Level of Assurance that they provide (content or assertion) upon a request from a service provider. In other words, they are either an authoritative party of an attribute or not. I'm not sure if the context in which the IAP has gathered the attribute matters to them.

Where context matters, I believe, is when Identity Assertions (as opposed to Identity Attribute Assertions) are made. In this case, the context in which they have validated an identity matters greatly in terms of the assertion it can make concerning the identity of a subject.

To me, the attribute assertion world is easier than the identity assertion world as, I believe, Identity Attribute Providers (whether they provide actual content or just assertions about content) are just an extension of credential service providers. The extension is not simple as there are several policy/legal issues (e.g., consent) that have to be addressed.
Where I believe context also matters is in the Service Provider space. However, the context in which a service provider uses Identity Attributes is set by the attributes they are allowed (legally/by policy) to gather in order to 1) uniquely identify the individual, 2) determine eligibility for the service, and 3) deliver service.

<<CW: Good points and no disagreement with the distinction that could be added. But remember that the scope is not limited to Identity Assertions (at least not explicitly)>>.

Query Language Topic

I agree with the statement, "With no standard/normative query language, there is no way to ask a broad set of identity providers anything about the entities they are authoritative for. When a service provider needs to ask dozens of identity providers across the globe "Is this person of legal age to use my service?"

To me, to satisfy this, requires the service provider to either make a "discovery" like query or, the provider, as a federation member, having metadata to describe the attributes it maintains. The query to obtain the attributes then becomes a standard protocol. I would further suggest, given this rationale, that the Query Language be merged into the Protocol section as it seems to belong there instead of being a section on its own.

<<CW: Fair point. The reason I think they were separated was because they felt the protocol part per se was stable, whereas the query language that would go into the protocol was not. If there were no other comments to the contrary, they could be pushed back together.>>.
-----Original Message-----
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Colin Wallis
Sent: February 26, 2012 7:53 PM
To: dg-am@kantarainitiative.org
Subject: [DG-AM] AM Report Clean up (RE: REMINDER & AGENDA - DG-AM call, 28-Feb-2012)

Folks

I read the latest draft over the weekend and have given it some surgery - knife, air supply (additions) and moving stuff around, getting more consistency :-). I have left some questions and checking work to do, but I think it's better overall. Do you agree?

http://kantarainitiative.org/confluence/display/AMDG/Report+-+DRAFT

Cheers
Colin

-----Original Message-----
From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Heather Flanagan
Sent: Sunday, 26 February 2012 11:17 a.m.
To: dg-am@kantarainitiative.org
Cc: don.thibeau@openidentityexchange.org
Subject: [DG-AM] REMINDER & AGENDA - DG-AM call, 28-Feb-2012

Hi all -

Just a reminder: we have our Attribute Management Discussion Group call this Tuesday. Agenda is online in detail, with summary below.

http://kantarainitiative.org/confluence/display/AMDG/AMDG+Meeting+Agenda+201...

* *Date:* Tuesday, February 28, 2012 (?)
* *Time:* 11h PT / 14h ET / 19h UTC
* Dial in:
  * Skype: +99051000000481
  * US Dial-In: +1-805-309-2350 | Room Code: 613-2898

AGENDA:

1. Administrative
   a. Roll Call
   b. New member introduction - no new members
   c. Agenda confirmation
   d. Action item review
2. Discussion
   a. Report
   b. OIX-AX (guest, Don Thibeau)
   c. Meeting March 13?

_______________________________________________
DG-AM mailing list
DG-AM@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-am

====
CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.
====