Here’s an attempt at a quick (?) rundown.

An identity federation trust framework is a set of federated identity “rules and tools” identified by a set of policymakers representing a community of interest, which may be vertical/sectoral or horizontal in nature. Here’s a white paper from 2010 that presents what is intended to be a model for open identity trust frameworks. The community could run/use cloud identity services, or just be a bunch of companies or organizations that want to be able to single sign-in to each other’s stuff, or whatever.

As noted below, Kantara does the care and feeding of a specific identity federation trust framework, including “assessing the assessors” for it. That trust framework has a FICAM heritage; FICAM is a US gov-specific trust framework. OIX is becoming capable of hosting listings of the members of multiple trust frameworks, and doesn’t itself offer one and is agnostic as to the types.

What OTA published is very cool; I don’t know if I’d call it a trust framework; more a set of best practices (ymmv).

The Federal Bridge is a PKI-based trust framework. PKI predates the cross-domain federated identity protocols such as SAML and OpenID Connect, and the Federal Bridge has been around a long time.

Connect.gov is a service that offers brokered federated identity services; parties involved in it have to be FICAM-accredited.

IDESG is the private-sector-led steering committee overseeing the US public-sector NSTIC initiative. I don’t think it has a specific focus on trust frameworks vs. other various elements that are thought to be valuable for making privacy-sensitive federated identity successful.

(This isn’t a complete list of federations, identity trust frameworks, or initiatives!)

My take on why this is all relevant to UMA is that, where identity federations deal with “rules and tools” for IdPs and relying parties and users, UMA is a different beast and needs “rules and tools” for its own involved parties: resource owners, requesting parties, resource servers, and the like. The name we’ve given to UMA deployment ecosystems with a formal organizational principle is “access federations”, and we believe they would benefit from trust frameworks too.

The main reason why we have the legal subgroup is to develop some starter (and/or meta?) “rules and tools” to encourage UMA deployment ecosystems to flourish, while staying true to UMA’s design principles.

(I welcome corrections…)

Eve

On 2 Sep 2015, at 7:47 PM, Paul Templeman <paul@templeman.co> wrote:

Thanks Adrian

Appreciate the list. The discussion was as a result of a newbie question asked by myself, whilst there were only a few people to annoy. :-)

Still on a learning curve ...

Regards
Paul...


Date: Wed, 2 Sep 2015 22:17:17 -0400
From: agropper@healthurl.com
To: eve@xmlgrrl.com
CC: wg-uma@kantarainitiative.org
Subject: Re: [WG-UMA] Notes from APAC-friendly UMA WG sync 2015-09-02

I can't tell them apart. Some of them depend on the others to some extent. How does any of this affect UMA?

Adrian

On Wed, Sep 2, 2015 at 7:57 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Paul, Allan

Agenda bashing:

- Looking at UMA in the context of sport (Australian Digital Transformation Office has an interest)

There are similarities to health, and there are customer relationships as well. An under-6 soccer game involves two teams, two clubs, a competition organizer, a venue manager, and a referees’ organization. There are different legal entities, and a lot of personal data flying between them. This is what makes it a little similar to health.

“Children checks” involves officials who are members of sport organizations that cross state-level jurisdictions. And a lot of people involved are volunteers. If a dad is a volunteer coach, he still has to go through the check. If one person is a coach for two different teams/kids/sports, the person may have to go through the check multiple times. Paper forms are often still involved in this world. There are also sport associations at local, state, national, and international levels, responsible for different parts of the process. The vision would be, e.g., that a volunteer coach could go through a single check and have it be valid for other activities as long as it’s fresh enough. Along with underage child regulations, there are also anti-doping regulations to think about.

There’s an interest in trust frameworks around this. What’s the relationship between UMA trust framework opportunities and the Kantara and OIX work on trust frameworks and the UMA legal subgroup work?

The Kantara trust framework came out of the US FICAM and NIST SP 800-63 material, but is not US-specific. Kantara has approved assessors that approve organizations under that trust framework. A key motivation for doing this is actual FICAM acceptance, which is valuable for (likely) being accepted sight unseen by the US General Services Administration. There’s work ongoing to map US and UK trust frameworks.

OIX runs a registry that can hold registrations, for communities of interest that have a trust framework, of members in good standing in that framework. Right now it only holds one set of entries, for a technical-level community run by OpenID Foundation recording self-certified conformance to the specs.

So Kantara sort of specializes in “config-time” and OIX sort of specializes in “run-time”.

Some other identity federations in higher education and research have their own trust frameworks.

What is the UMA legal subgroup doing? The mission of record is:

“Develop recommendations about resource owner-and-requesting party [Alice-and-Bob], resource server-and-authorization server [service-and-hub], and any other transactional relationships in the UMA environment, keeping in mind international jurisdictional friendliness; applicability to many different vertical and horizontal use cases, including health; and support of higher-level access federation trust frameworks and similar efforts.”

The parallels between health and sport are actually pretty strong, as long as we stay away from only government, only health, only US, etc. One difference is that the people and even some of the organizations involved are at a small, non- or under-funded scale. It’s mom-and-pop a lot of times, and volunteers can’t deploy IT infrastructure.

AI: Paul: Follow up on these notes with some specifics on “legal use cases” that arise out of the sport scenario. Who would be the Principal of interest in each? Etc.

- V1.0.1 status update?

We should close the specs for 45-day public review as of next Thursday or earlier. That would mean it’s effectively stable at that point, modulo public review period comments.


Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma



--

Adrian Gropper MD

