Re: [DG-IDPro] the need to develop a common vocabulary
Speaking of a 'common lexicon', here's one in the biopharma space, fresh off the press (I think):

http://pharmaleaders.com/align-biopharma-announces-new-identity-management-standard-available-for-life-sciences-industry-input/

I haven't clicked through the non-standard T&Cs clickwrap around it, however. Looks like they want to not be encumbered with restrictions on comments back? Looks like the word 'standard' may be more opinion than fact. Hard to tell.

Catherine, inferring from the lifemedid.com domain, this sounds like an area your organization may circulate in.

Thoughts on how it informs things in the idPro space and the approach to common vocabulary?

C

From: <dg-idpro-bounces@kantarainitiative.org> on behalf of Catherine Schulten <catherine.schulten@lifemedid.com>
Date: Wednesday, April 12, 2017 at 10:04 AM
To: "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org>
Subject: [DG-IDPro] the need to develop a common vocabulary

Found this relevant paragraph in some research I was doing. The following is from a NIST workshop held in Jan 2016:

Develop a common lexicon. Many participants identified a lack of standardized terminology regarding identity proofing processes and functions. For example, some attendees used the term “verification” while others preferred “validation” for the same process. For the purposes of NIST’s work, attendees suggested a common vocabulary should be developed to help ensure consistency in the framework and across communities, and that the taxonomy be aligned to the best extent possible with existing schemes.

http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf

Catherine Schulten
VP of Product Management - OrangeHook, Inc. / LifeMed ID
3009 Douglas Blvd., STE 200, Roseville, CA 95661
Direct: 954-290-1991
Website <http://www.orangehook.com/> | LinkedIn <https://www.linkedin.com/company-beta/4794831/> | Facebook <https://www.facebook.com/orangehook/?fref=ts> | Twitter <https://twitter.com/OrangeHookInc?lang=en> | YouTube <https://www.youtube.com/channel/UC1NXbg8WNI92qrCpmrea4CA>

IMPORTANT NOTICE: This e-mail communication may contain confidential or legally privileged information and is intended to be received only by persons entitled to receive the confidential information it may contain. Please do not read, copy, forward or store this message unless you are an intended recipient of it. Any review, use, dissemination, distribution or copying of this communication by other than the intended recipient or that person's agent is strictly prohibited pursuant to the Electronic Communication Privacy Act, 18 USCA 2510. If you have received this message in error, please notify the sender by forwarding it by email to the sender and then delete it completely from your computer system.
Huh. That's a new org to me: AlignBiopharma.org

I wonder what SAFEBiopharma has to say about the 'new identity management standard' and how it compares to the SAFEBiopharma standards and frameworks?

I also wonder how the AlignBiopharma standards for 'technical requirements for registration, verification, and authentication processes that solutions should follow to enable a single sign-on service for healthcare professionals' compare to those of DirectTrust.org?

I'll check in with the Kantara ID Assurance WG and also other peer orgs to try and find out more.

andrew.

Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security

On Wed, Apr 12, 2017 at 7:18 AM, Chris Phillips <Chris.Phillips@canarie.ca> wrote:
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro
I've met with the AlignBiopharma management team... I'm still curious what they are going to produce.

On Wed, Apr 12, 2017 at 9:35 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
--
Ian Glazer
Senior Director, Identity
+1 202 255 3166
@iglazer <https://twitter.com/iglazer>
Interesting document. The healthcare space has two primary communities of actors: the healthcare provider and the patient.

Healthcare providers are physicians, therapists, nurses, etc. As such, they are typically licensed to practice, and they are employees of, or credentialed by, a hospital or similar organization to provide their services at certain facilities. As such, these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.

Patients, on the other hand, range in age from birth to >100 yrs. old, may or may not have an email address, and certainly aren't credentialed to be a patient, nor do they have a national ID number (at least not in the U.S.).

The Align Biopharma "standard" makes sense for providers working in life sciences, since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.

Catherine Schulten
Direct: 954-290-1991

From: Chris Phillips [mailto:Chris.Phillips@canarie.ca]
Sent: Wednesday, April 12, 2017 10:19 AM
To: dg-idpro@kantarainitiative.org; Catherine Schulten <catherine.schulten@lifemedid.com>
Subject: Re: [DG-IDPro] the need to develop a common vocabulary
Hi,

The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary; life would be nice if it did. As such, everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.

The sticky part is that although NIST 800-63 defines categories, they recognize that there are still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring a vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.

Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare, not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.

John

John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com> wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/

Sarah Squire
Engage Identity
http://engageidentity.com

On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi Sarah,

That is fantastic news... Did I properly characterize the current state? I welcome corrections if I was wrong.

John

John Moehrke
JohnMoehrke@gmail.com

On Wed, Apr 12, 2017 at 9:53 AM, Sarah Squire <sarah@engageidentity.com> wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/
Sarah Squire Engage Identity http://engageidentity.com
On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi,
The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary, life would be nice if it did. As such everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.
The sticky part is that although NIST 800-63 defines categories; they recognize that there is still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.
Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.
John
John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 <(920)%20564-2067> JohnMoehrke@gmail.com https://www.linkedin.com/in/johnmoehrke https://healthcaresecprivacy.blogspot.com "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten < catherine.schulten@lifemedid.com> wrote:
Interesting document. The healthcare space has two primary communities of actors: the healthcare provider and the patient.
Healthcare providers are physicians, therapists, nurses, etc. As such they are typically licensed to practice and they are employees or credentialed by a hospital or similar organization to provide their services at certain facilities. As such these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.
Patients on the other hand range in age from birth to >100 yrs. old, may or may not have an email address and certainly aren’t credentialed to be a patient nor do they have a national ID number (at least not in the U.S.)
The align biopharma “standard” makes sense for providers working in life sciences since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.
Catherine Schulten Direct: 954-290-1991 <(954)%20290-1991>
*From:* Chris Phillips [mailto:Chris.Phillips@canarie.ca] *Sent:* Wednesday, April 12, 2017 10:19 AM *To:* dg-idpro@kantarainitiative.org; Catherine Schulten < catherine.schulten@lifemedid.com> *Subject:* Re: [DG-IDPro] the need to develop a common vocabulary
Speaking of a 'common lexicon' here's one in the biopharma space fresh off the press (I think):
http://pharmaleaders.com/align-biopharma-announces-new-ident ity-management-standard-available-for-life-sciences-industry-input/
I haven't clicked through the non standard T&C's clickwrap around it however. Looks like they want to not be encumbered with restrictions on comments back?
Looks like the word 'standard' may be more opinion than fact. Hard to tell.
Catherine, inferring from the lifemedid.com domain, this sounds like an area your organization may circulate in.
Thoughts on how it informs things in the idPro space and the approach to common vocabulary?
C
*From:* <dg-idpro-bounces@kantarainitiative.org> on behalf of Catherine Schulten <catherine.schulten@lifemedid.com>
*Date:* Wednesday, April 12, 2017 at 10:04 AM
*To:* "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org>
*Subject:* [DG-IDPro] the need to develop a common vocabulary
Found this relevant paragraph in some research I was doing. The following from a NIST workshop held in Jan 2016:
*Develop a common lexicon.* Many participants identified a lack of standardized terminology regarding identity proofing processes and functions. For example, some attendees used the term “verification” while others preferred “validation” for the same process. For the purposes of NIST’s work, attendees suggested a common vocabulary should be developed to help ensure consistency in the framework and across communities, and that the taxonomy be aligned to the best extent possible with existing schemes.
http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf
Catherine Schulten
VP of Product Management - OrangeHook, Inc. / LifeMed ID
3009 Douglas Blvd., STE 200, Roseville, CA 95661
Direct: 954-290-1991
Website <http://www.orangehook.com/> | LinkedIn <https://www.linkedin.com/company-beta/4794831/> | Facebook <https://www.facebook.com/orangehook/?fref=ts> | Twitter <https://twitter.com/OrangeHookInc?lang=en> | YouTube <https://www.youtube.com/channel/UC1NXbg8WNI92qrCpmrea4CA>
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro
Both of you are right - 800-63-3 does have a pretty good definition of terms.
However stating that a vocabulary for expressing Levels of Assurance doesn't really exist. But mostly because (I think) it's not a valid way to describe it.
LoAs are related to requirements and implemented controls - and as such what 'makes up' an LoA can be (and is) defined. But it's not a vocabulary of terms and definitions.
Andrew Hughes, CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
On Wed, Apr 12, 2017 at 7:54 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi Sarah,
That is fantastic news... Did I properly characterize the current state? I welcome corrections if I was wrong.
John
John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:53 AM, Sarah Squire <sarah@engageidentity.com> wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/
Sarah Squire Engage Identity http://engageidentity.com
On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi,
The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary, life would be nice if it did. As such everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.
The sticky part is that although NIST 800-63 defines categories, they recognize that there are still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.
Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.
John
John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")
To be clear, when I say vocabulary, I mean something like a URN that can be put into a security token (e.g. SAML)... Right?
John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:58 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
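John's reading of "vocabulary" as URN values carried in a SAML token, and his earlier point that privately invented values do not interoperate, can be made concrete on the relying-party side. The following is an added example written for this thread, not code from any list participant or from NIST; the SAML 2.0 AuthnContext class URNs and the FICAM idmanagement.gov LoA URIs are real identifiers, while the RP's mapping of them to levels 1-4, the sample assertions and the vendor-minted URN are constructed here.

```python
"""Relying-party (RP) check of the assurance vocabulary in a SAML assertion.

Added example for this thread, not code from any list participant or from NIST.
The SAML 2.0 AuthnContext class URNs and the FICAM "idmanagement.gov" LoA URIs
are real identifiers; the RP table mapping them to levels 1-4 is constructed
here (an assumption, not any standard's mapping).  XML signature validation of
the assertion is out of scope and must have succeeded before this check runs.
"""
from __future__ import annotations

from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Vocabulary this RP has agreed to interpret.  Anything absent from the table
# is unknown; the level is never guessed from a digit at the end of the URI.
RP_ASSURANCE_VOCAB: dict[str, int] = {
    "http://idmanagement.gov/ns/assurance/loa/1": 1,
    "http://idmanagement.gov/ns/assurance/loa/2": 2,
    "http://idmanagement.gov/ns/assurance/loa/3": 3,
    "http://idmanagement.gov/ns/assurance/loa/4": 4,
    # Constructed RP mapping of two generic SAML authentication-context classes.
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    level: int          # 0 when the assertion carries no understood vocabulary
    reason: str


def extract_context_refs(assertion_xml: str) -> list[str]:
    """Return every AuthnContextClassRef value in the assertion, in document order."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, SAML_NS) if el.text]


def decide(assertion_xml: str, required_level: int,
           vocab: dict[str, int] = RP_ASSURANCE_VOCAB) -> Decision:
    """Fail closed: missing or unrecognised vocabulary never satisfies a requirement."""
    refs = extract_context_refs(assertion_xml)
    if not refs:
        return Decision(False, 0, "assertion carries no AuthnContextClassRef")
    unknown = [r for r in refs if r not in vocab]
    if unknown:
        # The interoperability gap the thread describes: a privately minted
        # value cannot be assumed to mean what its issuer thinks it means.
        return Decision(False, 0, f"unrecognised assurance vocabulary: {unknown}")
    # Several AuthnStatements present: trust only the weakest level asserted.
    level = min(vocab[r] for r in refs)
    if level < required_level:
        return Decision(False, level, f"level {level} below required {required_level}")
    return Decision(True, level, "ok")


def make_assertion(class_ref: str | None) -> str:
    """Build a minimal constructed SAML assertion (unsigned, for illustration only)."""
    context = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
               "</saml:AuthnContextClassRef></saml:AuthnContext>"
               if class_ref else "")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-1" Version="2.0" IssueInstant="2017-04-12T15:00:00Z">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2017-04-12T14:59:00Z">'
        f"{context}</saml:AuthnStatement></saml:Assertion>"
    )


# Constructed sample assertions.
FICAM_LOA3 = make_assertion("http://idmanagement.gov/ns/assurance/loa/3")
PASSWORD_ONLY = make_assertion(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
VENDOR_MINTED = make_assertion("urn:example:acme-idp:loa:4")  # constructed, not a real vocabulary
NO_CONTEXT = make_assertion(None)

if __name__ == "__main__":
    for name, doc in [("FICAM LoA 3", FICAM_LOA3), ("password only", PASSWORD_ONLY),
                      ("vendor-minted '4'", VENDOR_MINTED), ("no context", NO_CONTEXT)]:
        print(f"{name:20s} required=3 -> {decide(doc, 3)}")
```

The vendor-minted value ending in "4" is rejected rather than read as LoA 4, which is the behaviour a relying party needs until the issuer and RP agree on a shared vocabulary.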
OK - that wasn't clear to me :)
Andrew Hughes, CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
On Wed, Apr 12, 2017 at 8:00 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
aaannd... what I sent makes no sense :-) Using the term "vocabulary" is not a good way to describe what goes into the specification of an assurance level. :)
Andrew Hughes, CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
On Wed, Apr 12, 2017 at 7:58 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Both of you are right - 800-63-3 does have a pretty good definition of terms.
However stating that a vocabulary for expressing Levels of Assurance doesn't really exist. But mostly because (I think) it's not a valid way to describe it.
LoAs are related to requirements and implemented controls - and as such what 'makes up' an LoA can be (and is) defined. But it's not a vocabulary of terms and definitions.
*Andrew Hughes *CISM CISSP Independent Consultant *In Turn Information Management Consulting*
o +1 650.209.7542 <(650)%20209-7542> m +1 250.888.9474 <(250)%20888-9474> 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ *Identity Management | IT Governance | Information Security *
On Wed, Apr 12, 2017 at 7:54 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi Sarah,
That is fantastic news... Did I properly characterize the current state? I welcome corrections if I was wrong.
John
John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 <(920)%20564-2067> JohnMoehrke@gmail.com https://www.linkedin.com/in/johnmoehrke https://healthcaresecprivacy.blogspot.com "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:53 AM, Sarah Squire <sarah@engageidentity.com> wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/
Sarah Squire Engage Identity http://engageidentity.com
On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi,
The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary, life would be nice if it did. As such everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.
The sticky part is that although NIST 800-63 defines categories; they recognize that there is still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.
Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.
John
John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 JohnMoehrke@gmail.com https://www.linkedin.com/in/johnmoehrke https://healthcaresecprivacy.blogspot.com "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com> wrote:
Interesting document. The healthcare space has two primary communities of actors: the healthcare provider and the patient.
Healthcare providers are physicians, therapists, nurses, etc. As such they are typically licensed to practice and they are employees or credentialed by a hospital or similar organization to provide their services at certain facilities. As such these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.
Patients on the other hand range in age from birth to >100 yrs. old, may or may not have an email address, and certainly aren't credentialed to be a patient, nor do they have a national ID number (at least not in the U.S.).
The Align Biopharma "standard" makes sense for providers working in life sciences since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.
Catherine Schulten Direct: 954-290-1991
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro
There is an IANA registry for it.
On Apr 13, 2017, 12:00 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
aaannd... what I sent makes no sense :-)
Using the term "vocabulary" is not a good way to describe what goes into the specification of an assurance level.
:)
Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ Identity Management | IT Governance | Information Security
On Wed, Apr 12, 2017 at 7:58 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Both of you are right - 800-63-3 does have a pretty good definition of terms.
However stating that a vocabulary for expressing Levels of Assurance doesn't really exist. But mostly because (I think) it's not a valid way to describe it.
LoAs are related to requirements and implemented controls - and as such what 'makes up' an LoA can be (and is) defined. But it's not a vocabulary of terms and definitions.
Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ Identity Management | IT Governance | Information Security
On Wed, Apr 12, 2017 at 7:54 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
It would probably be a good idea to look at ISO definitions such as the ones defined in ISO/IEC 24760-1 and ISO/IEC 29100. They are freely available from the ITTF site [1], unlike most ISO standards.
[1] Requirements for attribute-based unlinkable entity authentication
Please note that ISO terms and definitions are unlike most conventional "definitions". To start with, the terms are actually abbreviations for the "definition (text)", so that terms in the main text are to be replaced by the definition and remain readable after the replacement. The conventional sense of a definition is often actually done in the main text as a clause title and the paragraphs that follow.
Another important thing to note about ISO/IEC 24760-1 is that its terminology is a bit unconventional, as it is trying to break away from the baggage that common terms like "IdP" carry. So I can expect a very negative impression on a first-time reader. But if you actually examine it, it is quite a good read, though the models are a bit old. (What do you expect of ISO? Note: I am the head of delegation for the WG from the Japanese National Body, and because of this conventionalism and the oldness of the model, we voted negatively on the standard. We are one of only a handful of negative voters (besides the USA), but I am still saying this.)
When we talk about identity, we just cannot ignore the relationship to privacy. That is because "identity", when defined as "set of attributes related to an entity", is in fact personal data if the entity is a living natural person.
ISO/IEC 29100 Privacy framework is a standard that is endorsed by over 50 countries and liaison organizations such as the Article 29 Working Party (of the EU). This standard is much less controversial than 24760-1. In fact, it has almost universal support from those countries. It probably is a good idea to take it into account as well.
--- Nat Sakimura Research Fellow, Nomura Research Institute Chairman of the Board, OpenID Foundation
On 2017-04-12 23:53, Sarah Squire wrote:
I agree that there needs to be a common vocabulary and we should start with what is out there and either incorporate them into a new document or upgrade them.
Frankly, the NIST documents and the ISOs referenced, and there are a few RFCs with specific "Glossary" terms, such as https://tools.ietf.org/html/rfc4949.
-- -jim Jim Willeke
On Fri, May 5, 2017 at 4:27 AM, Nat Sakimura <nat@sakimura.org> wrote:
It would probably be a good idea to look at ISO definitions such as the ones defined in ISO/IEC 24760-1 and ISO/IEC 29100. They are freely available from ITTF site[1], unlike most ISO standards.
[1] Requirements for attribute-based unlinkable entity authentication
Please note that ISO terms and definitions are unlike most conventional "definitions".
To start with, the terms are actually the abbreviation for the "definition (text)" so that terms in the main text are to be replaced by the definition and readable after the replacement.
Conventional sense of definition often is actually done in the main text as "clauses title" and the paragraphs that follow.
Another important thing to note about ISO/IEC 24760-1 is that their term is a bit unconventional as it is trying to break away from the baggage that the common terms like "IdP" carry. So, I can expect a very negative impression on a first-time reader. But if you actually examine it, it is quite a good read though the models are a bit old. (What do you expect to ISO? Note - I am the head of the delegate for the WG from the Japanese National Body, and because of this conventionalism and oldness of the model, we have voted negatively to the standard. We are one of only a handful of negative voters (besides USA) but I am still saying this.)
When we talk about Identity, we just cannot ignore the relationship to privacy. That is because of "identity", when defined as "set of attributes related to an entity", is in fact personal data if the entity is a living natural person.
ISO/IEC 29100 Privacy framework is a standard that is endorsed by over 50 countries and such liaison organization like Article 29 Working Party (of EU). This standard is much less controversial than 24760-1. In fact, it has almost universal support from those countries. It probably is a good idea to take into account as well. --- Nat Sakimura Research Fellow, Nomura Research Institute Chairman of the Board, OpenID Foundation
On 2017-04-12 23:53, Sarah Squire wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/ [14]
Sarah Squire Engage Identity http://engageidentity.com [15]
On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com> wrote:
Hi,
The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary, life would be nice if it did. As such everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.
The sticky part is that although NIST 800-63 defines categories; they recognize that there is still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.
Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.
John
John Moehrke Principal Engineering Architect: Standards - Interoperability, Privacy, and Security CyberPrivacy – Enabling authorized communications while respecting Privacy M +1 920-564-2067 [11] JohnMoehrke@gmail.com https://www.linkedin.com/in/johnmoehrke [12] https://healthcaresecprivacy.blogspot.com [13] "Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com> wrote:
Interesting document. The healthcare space has two primary
communities of actors: the healthcare provider and the patient.
Healthcare providers are physicians, therapists, nurses, etc. As such they are typically licensed to practice and they are employees or credentialed by a hospital or similar organization to provide their services at certain facilities. As such these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.
Patients on the other hand range in age from birth to >100 yrs. old, may or may not have an email address and certainly aren’t credentialed to be a patient nor do they have a national ID number (at least not in the U.S.)
The align biopharma “standard” makes sense for providers working in life sciences since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.
Catherine Schulten Direct: 954-290-1991 [1]
FROM: Chris Phillips [mailto:Chris.Phillips@canarie.ca] SENT: Wednesday, April 12, 2017 10:19 AM TO: dg-idpro@kantarainitiative.org; Catherine Schulten <catherine.schulten@lifemedid.com> SUBJECT: Re: [DG-IDPro] the need to develop a common vocabulary
Speaking of a 'common lexicon' here's one in the biopharma space fresh off the press (I think):
http://pharmaleaders.com/align-biopharma-announces-new-ident
ity-management-standard-available-for-life-sciences-industry-input/
[2]
I haven't clicked through the non standard T&C's clickwrap around it however. Looks like they want to not be encumbered with restrictions on comments back?
Looks like the word 'standard' may be more opinion than fact. Hard to tell.
Catherine, inferring from the lifemedid.com [3] domain, this sounds like an area your organization may circulate in .
Thoughts on how it informs things in the idPro space and the approach to common vocabulary?
C
FROM: <dg-idpro-bounces@kantarainitiative.org> on behalf of Catherine Schulten <catherine.schulten@lifemedid.com> DATE: Wednesday, April 12, 2017 at 10:04 AM TO: "dg-idpro@kantarainitiative.org" <dg-idpro@kantarainitiative.org> SUBJECT: [DG-IDPro] the need to develop a common vocabulary
Found this relevant paragraph in some research I was doing. The following from a NIST workshop held in Jan 2016:
_DEVELOP A COMMON LEXICON.__ Many participants identified a lack of standardized terminology regarding identity proofing processes and functions. For example, some attendees used the term “verification” while others preferred “validation” for the same process. For the purposes of NIST’s work, attendees suggested a common vocabulary should be developed to help ensure consistency in the framework and across communities, and that the taxonomy be aligned to the best extent possible with existing schemes._
http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_ 8103_draft.pdf
[4]
Catherine Schulten VP of Product Management - OrangeHook, Inc. / LifeMed ID 3009 Douglas Blvd., STE 200, Roseville, CA 95661
Direct: 954-290-1991 [1]
Website [5]| LinkedIn [6]| Facebook [7]| Twitter [8]| YouTube [9]
IMPORTANT NOTICE: This e-mail communication may contain confidential or legally privileged information and is intended to be received only by persons entitled to receive the confidential information it may contain. Please do not read, copy, forward or store this message unless you are an intended recipient of it. Any review, use, dissemination, distribution or copying of this communication by other than the intended recipient or that person's agent is strictly prohibited pursuant to the Electronic Communication Privacy Act,18 USCA 2510. If you have received this message in error, please notify the sender by forwarding it by email to the sender and then delete it completely from your computer system. _______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro [10]
_______________________________________________ DG-IDPro mailing list DG-IDPro@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idpro [10]
Links:
[1] tel:(954)%20290-1991
[2] http://pharmaleaders.com/align-biopharma-announces-new-identity-management-standard-available-for-life-sciences-industry-input/
[3] http://lifemedid.com
[4] http://csrc.nist.gov/publications/drafts/nistir-8103/nistir_8103_draft.pdf
[5] http://www.orangehook.com/
[6] https://www.linkedin.com/company-beta/4794831/
[7] https://www.facebook.com/orangehook/?fref=ts
[8] https://twitter.com/OrangeHookInc?lang=en
[9] https://www.youtube.com/channel/UC1NXbg8WNI92qrCpmrea4CA
[10] http://kantarainitiative.org/mailman/listinfo/dg-idpro
[11] tel:(920)%20564-2067
[12] https://www.linkedin.com/in/johnmoehrke
[13] https://healthcaresecprivacy.blogspot.com
[14] https://pages.nist.gov/800-63-3/
[15] http://engageidentity.com/
Hi, I have already updated/reworked the Link Collection, which will serve as input for the next steps: https://kantarainitiative.org/confluence/x/kgEhBQ
Just check it out and add 'your' links and resources. Would be grateful if you can somehow stick with the format I have chosen.
And furthermore: here is once again the link to the BoK presentation subject to be held next week in Munich on the EIC: https://kantarainitiative.org/confluence/download/attachments/85492303/IDPro...
thx, Thorsten
On 05.05.2017 12:11, Jim Willeke wrote:
I agree that there needs to be a common vocabulary and we should start with what is out there and either incorporate them into a new document or upgrade them.
Frankly, the NIST documents and ISOs referenced, and there are a few RFCs with specific "Glossary" terms, such as https://tools.ietf.org/html/rfc4949.
-- -jim Jim Willeke
On Fri, May 5, 2017 at 4:27 AM, Nat Sakimura <nat@sakimura.org <mailto:nat@sakimura.org>> wrote:
It would probably be a good idea to look at ISO definitions such as the ones defined in ISO/IEC 24760-1 and ISO/IEC 29100. They are freely available from the ITTF site [1], unlike most ISO standards.
[1] Requirements for attribute-based unlinkable entity authentication
Please note that ISO terms and definitions are unlike most conventional "definitions".
To start with, the terms are actually the abbreviation for the "definition (text)" so that terms in the main text are to be replaced by the definition and readable after the replacement.
Conventional sense of definition often is actually done in the main text as "clauses title" and the paragraphs that follow.
Another important thing to note about ISO/IEC 24760-1 is that its terminology is a bit unconventional, as it is trying to break away from the baggage that common terms like "IdP" carry. So, I can expect a very negative impression on a first-time reader. But if you actually examine it, it is quite a good read, though the models are a bit old. (What do you expect of ISO? Note - I am the head of the delegation for the WG from the Japanese National Body, and because of this conventionalism and oldness of the model, we have voted negatively on the standard. We are one of only a handful of negative voters (besides the USA), but I am still saying this.)
When we talk about Identity, we just cannot ignore the relationship to privacy. That is because "identity", when defined as "set of attributes related to an entity", is in fact personal data if the entity is a living natural person.
ISO/IEC 29100 Privacy framework is a standard that is endorsed by over 50 countries and liaison organizations such as the Article 29 Working Party (of the EU). This standard is much less controversial than 24760-1. In fact, it has almost universal support from those countries. It probably is a good idea to take it into account as well.
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2017-04-12 23:53, Sarah Squire wrote:
I'm a co-author on the rewrite of NIST 800-63, and it does define a vocabulary. Parts A, B, and C each have a section titled "Definitions and Abbreviations". It's not official yet, as we're still sorting through feedback from the public comment period, but you can view the document as it stands currently here: https://pages.nist.gov/800-63-3/ [14]
Sarah Squire Engage Identity http://engageidentity.com [15]
On Wed, Apr 12, 2017 at 7:47 AM, John Moehrke <johnmoehrke@gmail.com <mailto:johnmoehrke@gmail.com>> wrote:
Hi,
The topic of a vocabulary for expressing LoA is very topical right now. Unfortunately NIST 800-63 doesn't define a vocabulary, life would be nice if it did. As such everyone is tempted to use the descriptions in NIST 800-63 and invent their own vocabulary values. This is not helpful to drive interoperability, but it is done out of desperation.
The sticky part is that although NIST 800-63 defines categories, they recognize that there are still operational facts that are necessary before one really understands what LoA "4" means. I think it is this that keeps NIST from declaring vocabulary. They recognize that their specification doesn't control enough space to assure that "4" means the same thing to everyone.
Thus organizations like SAFE-Biopharma (which covers a very specific part of healthcare not including actual treatment...). They have been doing identity proofing for a long time in their space. They are embracing being more open, and leveraging standards more.
John
John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy - Enabling authorized communications while respecting Privacy
M +1 920-564-2067 [11]
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke [12]
https://healthcaresecprivacy.blogspot.com [13]
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")
On Wed, Apr 12, 2017 at 9:35 AM, Catherine Schulten <catherine.schulten@lifemedid.com <mailto:catherine.schulten@lifemedid.com>> wrote:
Interesting document. The healthcare space has two primary communities of actors: the healthcare provider and the patient.
Healthcare providers are physicians, therapists, nurses, etc. As such they are typically licensed to practice and they are employees or credentialed by a hospital or similar organization to provide their services at certain facilities. As such these people have established attributes such as email addresses, license numbers and federal identifiers (National Provider ID, DEA#, etc.). They are also adults.
Patients, on the other hand, range in age from birth to >100 yrs. old, may or may not have an email address, and certainly aren't credentialed to be a patient, nor do they have a national ID number (at least not in the U.S.).
The Align Biopharma "standard" makes sense for providers working in life sciences, since that set of individuals all share those common attributes. Notice also that the stakeholders that developed this open standard are all pharma companies. Pardon the pun, but their standards are highly prescriptive to the set of individuals and the purpose that drives the need for identity/authentication.
Catherine Schulten Direct: 954-290-1991 <tel:954-290-1991> [1]
The UNCITRAL (United Nations Commission on International Trade Law) has posted a set of documents around "Legal issues related to identity management and trust services" from several member nations within Working Group IV - Electronic Commerce: http://www.uncitral.org/uncitral/en/commission/working_groups/4Electronic_Co...
On that site is the following document that I think we may want to include in our set of references for the BoK/Taxonomy: "Terms and concepts relevant to identity management and trust services", https://documents-dds-ny.un.org/doc/UNDOC/LTD/V17/008/31/PDF/V1700831.pdf?Op...
55th session, 24-28 April 2017, New York
- A/CN.9/WG.IV/WP.140 - Annotated provisional agenda <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.140&Lang=E>
- A/CN.9/WG.IV/WP.140/Add.1 - Annotated provisional agenda <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.140/Add.1&Lang=E>
- A/CN.9/WG.IV/WP.141 - Legal issues related to identity management and trust services - Proposal by the Russian Federation <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.141&Lang=E>
- A/CN.9/WG.IV/WP.142 - Contractual aspects of cloud computing <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.142&Lang=E>
- A/CN.9/WG.IV/WP.143 - Legal issues related to identity management and trust services - Terms and concepts relevant to identity management and trust services <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.143&Lang=E>
- A/CN.9/WG.IV/WP.144 - Legal issues related to identity management and trust services - Proposal by Austria, Belgium, France, Italy, the United Kingdom and the European Union <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.144&Lang=E>
- A/CN.9/WG.IV/WP.145 - Legal issues related to identity management and trust services - Proposal by the United States of America <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.145&Lang=E>
- A/CN.9/WG.IV/WP.146 - Legal issues related to identity management and trust services - Proposal by the United Kingdom of Great Britain and Northern Ireland <http://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/CN.9/WG.IV/WP.146&Lang=E>
Catherine Schulten
Direct: 954-290-1991
Hi Catherine, thanks, useful stuff! I have added it to the Link Collection.
BTW, I have an appointment tomorrow with 'ontotext' and their Knowledge Management Systems/Approaches.
cheers, Thorsten
PS: For all those who missed it: here is a pic from the real taxonomy cake
On 11.05.2017 20:32, Catherine Schulten wrote: