a question about trust frameworks
Hi all - I'm trying to flesh out the section of our report referencing Trust Frameworks. Right now, the draft text is: --- h2. Trust frameworks Quite a bit of work has gone in to Identity Assurance, with different levels of assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to determine which attribute comes with a higher level of assurance. --- I know of some interesting work by ABC4Trust, but that's more about privacy, not LOA. Then the Trust Framework stuff going on in OIX, but that's seems to be bigger-picture work (tho' perhaps that's because I only see the publicly released documentation). What should we be linking to in the report that would indicate works in progress, or is this still a fairly open field? thanks! -Heather
Thanks as always Heather :-) OK, I'll give it a first go.. But before I do...... << An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to determine which attribute comes with a higher level of assurance.>> ..doesn't quite sit right with me. The LoA of the attribute is but one factor (and in most cases the LoA will be higher for a proofed attribute). That said, 'proofing' comes in many forms. My eBay seller reputation is a dynamic proof of my good character as a trader and may carry a greater LoA in a particular context than a core identity attribute. I think it would be better to say.. << An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction.>> To your question: you are getting warm regards OIX, but it is not the trust framework stuff that we need to reference here..it's the attributes work group: http://groups.google.com/group/oix-ax-working-group/browse_thread/thread/b86... Cheers Colin -----Original Message----- From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Heather Flanagan Sent: Tuesday, 21 February 2012 6:57 a.m. To: dg-am@kantarainitiative.org Subject: [DG-AM] a question about trust frameworks Hi all - I'm trying to flesh out the section of our report referencing Trust Frameworks. Right now, the draft text is: --- h2. Trust frameworks Quite a bit of work has gone in to Identity Assurance, with different levels of assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to determine which attribute comes with a higher level of assurance. --- I know of some interesting work by ABC4Trust, but that's more about privacy, not LOA. Then the Trust Framework stuff going on in OIX, but that's seems to be bigger-picture work (tho' perhaps that's because I only see the publicly released documentation). What should we be linking to in the report that would indicate works in progress, or is this still a fairly open field? thanks! -Heather _______________________________________________ DG-AM mailing list DG-AM@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-am ==== CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you. ====
Thanks, Colin, that's great. I've modified the text as follows: --- h2. Trust frameworks Quite a bit of work has gone in to Identity Assurance, with different levels of assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction. The question of how a cohesive Trust Framework can handle information at the attribute level is still an open question and will be a critical component of attribute management. h4. Efforts in this space: * [OIX Attribute Working Group|http://groups.google.com/group/oix-ax-working-group/browse_thread/thread/b86...] --- Also, David Wasley is sharing a really interesting diagram on the Identity Service Provider space that I'm going to put in the repository. Helpful for folks wrapping their brains around this Brave New World. -heather ----- Original Message ----- From: "Colin Wallis" <Colin.Wallis@dia.govt.nz> To: dg-am@kantarainitiative.org Sent: Monday, February 20, 2012 2:49:07 PM Subject: Re: [DG-AM] a question about trust frameworks Thanks as always Heather :-) OK, I'll give it a first go.. But before I do...... << An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to determine which attribute comes with a higher level of assurance.>> ..doesn't quite sit right with me. The LoA of the attribute is but one factor (and in most cases the LoA will be higher for a proofed attribute). That said, 'proofing' comes in many forms. My eBay seller reputation is a dynamic proof of my good character as a trader and may carry a greater LoA in a particular context than a core identity attribute. I think it would be better to say.. << An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to choose which attribute to use, depending on the context of the activity or transaction.>> To your question: you are getting warm regards OIX, but it is not the trust framework stuff that we need to reference here..it's the attributes work group: http://groups.google.com/group/oix-ax-working-group/browse_thread/thread/b86... Cheers Colin -----Original Message----- From: dg-am-bounces@kantarainitiative.org [mailto:dg-am-bounces@kantarainitiative.org] On Behalf Of Heather Flanagan Sent: Tuesday, 21 February 2012 6:57 a.m. To: dg-am@kantarainitiative.org Subject: [DG-AM] a question about trust frameworks Hi all - I'm trying to flesh out the section of our report referencing Trust Frameworks. Right now, the draft text is: --- h2. Trust frameworks Quite a bit of work has gone in to Identity Assurance, with different levels of assurance certifications described by different standards bodies, auditors trained, and a general understanding of the concept shared. That said, finding a trust framework that extends down to the level of the attributes themselves is still a work in progress. An individual could have a mix of self-asserted and proofed attributes describing them, and a consumer of those attributes should be able to determine which attribute comes with a higher level of assurance. --- I know of some interesting work by ABC4Trust, but that's more about privacy, not LOA. Then the Trust Framework stuff going on in OIX, but that's seems to be bigger-picture work (tho' perhaps that's because I only see the publicly released documentation). What should we be linking to in the report that would indicate works in progress, or is this still a fairly open field? thanks! -Heather _______________________________________________ DG-AM mailing list DG-AM@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-am ==== CAUTION: This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you. ==== _______________________________________________ DG-AM mailing list DG-AM@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-am
participants (2)
-
Colin Wallis -
Heather Flanagan