Re: [WG-UMA] Trust Framework non profits: Notes from APAC-friendly UMA WG sync 2015-09-02
Thanks Eve
Indeed, a great quick rundown.
But with a number of us on this list pretty deeply involved in IDESG, I guess we are honour-bound to slightly correct you there.. :)
<< IDESG is the private-sector-led steering committee overseeing the US public-sector NSTIC initiative. I don't think it has a specific focus on trust frameworks vs. other various elements that are thought to be valuable for making privacy-sensitive federated identity successful.>>
Actually it does have a very specific focus on a Trust Framework, the IDEF (IDentity Ecosystem Framework) based on the NSTIC Guiding Principles. The (soon to be announced) IDEF consists of a Functional Model from which Baseline Requirements and Supplemental Guidance are drawn, which has a major focus on Privacy along with UX, Interop, Security etc. A Self Attested Listing Service (SALS) will initially indicate relative compliance level of the applicable players, and in the fullness of time, a TrustMark or similar may emerge to 'brand' that compliance level.
Cheers
Colin
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Thursday, 3 September 2015 4:30 p.m.
To: Adrian Gropper; Paul Templeman
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Notes from APAC-friendly UMA WG sync 2015-09-02
Here's an attempt at a quick (?) rundown.
An identity federation trust framework is a set of federated identity "rules and tools" identified by a set of policymakers representing a community of interest, which may be vertical/sectoral or horizontal in nature. Here's a white paper <http://openidentityexchange.org/wp-content/uploads/the-open-identity-trust-framework-model-2010-03.pdf> from 2010 that presents what is intended to be a model for open identity trust frameworks. The community could run/use cloud identity services, or just be a bunch of companies or organizations that want to be able to single sign-in to each other's stuff, or whatever.
As noted below, Kantara does the care and feeding of a specific identity federation trust framework, including "assessing the assessors" for it. That trust framework has a FICAM heritage; FICAM is a US gov-specific trust framework. OIX is becoming capable of hosting listings of the members of multiple trust frameworks, and doesn't itself offer one and is agnostic as to the types.
What OTA published is very cool; I don't know if I'd call it a trust framework; more a set of best practices (ymmv).
The Federal Bridge is a PKI-based trust framework. PKI predates the cross-domain federated identity protocols such as SAML and OpenID connect, and the Federal Bridge has been around a long time.
Connect.gov <http://connect.gov/> is a service that offers brokered federated identity services; parties involved in it have to be FICAM-accredited.
IDESG is the private-sector-led steering committee overseeing the US public-sector NSTIC initiative. I don't think it has a specific focus on trust frameworks vs. other various elements that are thought to be valuable for making privacy-sensitive federated identity successful.
(This isn't a complete list of federations, identity trust frameworks, or initiatives!)
My take on why this is all relevant to UMA is that, where identity federations deal with "rules and tools" for IdPs and relying parties and users, UMA is a different beast and needs "rules and tools" for its own involved parties: resource owners, requesting parties, resource servers, and the like. The name we've given to UMA deployment ecosystems with a formal organizational principle is "access federations", and we believe they would benefit from trust frameworks too.
The main reason why we have the legal subgroup is to develop some starter (and/or meta?) "rules and tools" to encourage UMA deployment ecosystems to flourish, while staying true to UMA's design principles.
(I welcome corrections...)
Eve
On 2 Sep 2015, at 7:47 PM, Paul Templeman <paul@templeman.co> wrote:
Thanks Adrian
Appreciate the list. The discussion was as a result of a newby question asked by myself, whilst there were only a few people to annoy. :-)
Still on a learning curve ...
Regards
Paul...
Date: Wed, 2 Sep 2015 22:17:17 -0400
From: agropper@healthurl.com
To: eve@xmlgrrl.com
CC: wg-uma@kantarainitiative.org
Subject: Re: [WG-UMA] Notes from APAC-friendly UMA WG sync 2015-09-02
I have the following list of overlapping trust framework non-profits:
OTA - https://otalliance.org/iot-trust-framework-submission
Kantara - http://kantarainitiative.org/
FICAM - https://www.ise.gov/federal-identity-credential-and-access-management-ficam
Federal Bridge - http://www.idmanagement.gov/fbca-certificate-policy-page
Connect.gov - http://www.connect.gov/
OIX - http://openidentityexchange.org/
IDESG - https://www.idecosystem.org/
I can't tell them apart. Some of them depend on the others to some extent. How does any of this affect UMA?
Adrian
On Wed, Sep 2, 2015 at 7:57 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Paul, Allan
Agenda bashing:
- Looking at UMA in the context of sport (Australian Digital Transformation Office has an interest)
There are similarities to health, and there are customer relationships as well. An under-6 soccer game involves two teams, two clubs, a competition organizer, a venue manager, and a referees' organization. There are different legal entities, and a lot of personal data flying between them. This is what makes it a little similar to health.
"Children checks" involves officials who are members of sport organizations that cross state-level jurisdictions. And a lot of people involved are volunteers. If a dad is a volunteer coach, he still has to go through the check. If one person is a coach for two different teams/kids/sports, the person may have to go through the check multiple times. Paper forms are often still involved in this world. There are also sport associations at local, state, national, and international levels, responsible for different parts of the process. The vision would be, e.g., that a volunteer coach could go through a single check and have it be valid for other activities as long as it's fresh enough. Along with underage child regulations, there are also anti-doping regulations to think about.
There's an interest in trust frameworks around this. What's the relationship between UMA trust framework opportunities and the Kantara and OIX work on trust frameworks and the UMA legal subgroup work?
The Kantara trust framework came out of the US FICAM and NIST SP 800-63 material, but is not US-specific. Kantara has approved assessors that approve organizations under that trust framework. A key motivation for doing this is actual FICAM acceptance, which is valuable for (likely) being accepted sight unseen by the US General Services Administration. There's work ongoing to map US and UK trust frameworks.
OIX runs a registry that can hold registrations, for communities of interest that have a trust framework, of members in good standing in that framework. Right now it only holds one set of entries, for a technical-level community run by OpenID Foundation recording self-certified conformance to the specs.
So Kantara sort of specializes in "config-time" and OIX sort of specializes in "run-time".
Some other identity federations in higher education and research have their own trust frameworks.
What is the UMA legal subgroup doing? The mission of record is:
"Develop recommendations about resource owner-and-requesting party [Alice-and-Bob], resource server-and-authorization server [service-and-hub], and any other transactional relationships in the UMA environment, keeping in mind international jurisdictional friendliness; applicability to many different vertical and horizontal use cases, including health; and support of higher-level access federation trust frameworks and similar efforts."
The parallels between health and sport are actually pretty strong, as long as we stay away from only government, only health, only US, etc. One difference is that the people and even some of the organizations involved are at a small, non- or under-funded scale. It's mom-and-pop a lot of times, and volunteers can't deploy IT infrastructure.
AI: Paul: Follow up on these notes with some specifics on "legal use cases" that arise out of the sport scenario. Who would be the Principal of interest in each? Etc.
- V1.0.1 status update?
We should close the specs for 45-day public review as of next Thursday or earlier. That would mean it's effectively stable at that point, modulo public review period comments.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Thank you for the correction! (I knew there would be *something*.)
Hi Colin -
Whilst we're making clarifications :-). I understand NSTIC to be a very private sector focused effort where IDESG is the consortia champion of the NSTIC principles. To my knowledge NSTIC is not focused on public-sector in scope - although one can easily see where there is, could, should be, an overlap in the venn of scope between public and private sector.
Best, - Joni
Best Regards,
Joni Brennan
Kantara Initiative | Executive Director
email: joni @ kantarainitiative.org
Connecting Identity for a more trustworthy Internet - Overview <http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351>
On Thu, Sep 3, 2015 at 10:46 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Thank you for the correction! (I knew there would be *something*.)
NSTIC is the overall program, run from Department of Commerce / NIST, which includes Federal Government initiatives and also private-sector related initiatives. IDESG is the industry consortium that is working on NSTIC's private sector trusted ecosystem concept and related constructs.
andrew (IDESG Plenary Vice-Chair)
Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
On Mon, Sep 21, 2015 at 9:34 AM, Joni Brennan <joni@kantarainitiative.org> wrote:
Hi Colin -
Whilst we're making clarifications :-). I understand NSTIC to be a very private sector focused effort where IDESG is the consortia champion of the NSTIC principles. To my knowledge NSTIC is not focused on public-sector in scope - although one can easily see where there is, could, should be, an overlap in the venn of scope between public and private sector.
Best, - Joni
Best Regards,
Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org
Connecting Identity for a more trustworthy Internet - Overview <http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351>
On Thu, Sep 3, 2015 at 10:46 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Thank you for the correction! (I knew there would be *something*.)
On 3 Sep 2015, at 9:47 PM, Colin Wallis <Colin.Wallis@dia.govt.nz> wrote:
Thanks Eve
Indeed, a great quick rundown.
But with a number of us on this list pretty deeply involved in IDESG, I guess we are honour-bound to slightly correct you there.. J
<< IDESG is the private-sector-led steering committee overseeing the US public-sector NSTIC initiative. I don’t think it has a specific focus on trust frameworks vs. other various elements that are thought to be valuable for making privacy-sensitive federated identity successful.>>
Actually it does have a very specific focus on a Trust Framework, the IDEF (IDentity Ecosystem Framework) based on the NSTIC Guiding Principles. The (soon to be announced) IDEF consists of a Functional Model from which Baseline Requirements and Supplemental Guidance are drawn, which has a major focus on Privacy along with UX, Interop, Security etc. A Self Attested Listing Service (SALS) will initially indicate relative compliance level of the applicable players, and in the fullness of time, a TrustMark or similar may emerge to ‘brand’ that compliance level.
Cheers
Colin
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Thursday, 3 September 2015 4:30 p.m.
To: Adrian Gropper; Paul Templeman
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Notes from APAC-friendly UMA WG sync 2015-09-02
Here’s an attempt at a quick (?) rundown.
An identity federation trust framework is a set of federated identity “rules and tools” identified by a set of policymakers representing a community of interest, which may be vertical/sectoral or horizontal in nature. Here’s a white paper <http://openidentityexchange.org/wp-content/uploads/the-open-identity-trust-framework-model-2010-03.pdf> from 2010 that presents what is intended to be a model for open identity trust frameworks. The community could run/use cloud identity services, or just be a bunch of companies or organizations that want to be able to single sign-in to each other’s stuff, or whatever.
As noted below, Kantara does the care and feeding of a specific identity federation trust framework, including “assessing the assessors” for it. That trust framework has a FICAM heritage; FICAM is a US gov-specific trust framework. OIX is becoming capable of hosting listings of the members of multiple trust frameworks, and doesn’t itself offer one and is agnostic as to the types.
What OTA published is very cool; I don’t know if I’d call it a trust framework; more a set of best practices (ymmv).
The Federal Bridge is a PKI-based trust framework. PKI predates the cross-domain federated identity protocols such as SAML and OpenID Connect, and the Federal Bridge has been around a long time.
Connect.gov <http://connect.gov/> is a service that offers brokered federated identity services; parties involved in it have to be FICAM-accredited.
IDESG is the private-sector-led steering committee overseeing the US public-sector NSTIC initiative. I don’t think it has a specific focus on trust frameworks vs. other various elements that are thought to be valuable for making privacy-sensitive federated identity successful.
(This isn’t a complete list of federations, identity trust frameworks, or initiatives!)
My take on why this is all relevant to UMA is that, where identity federations deal with “rules and tools” for IdPs and relying parties and users, UMA is a different beast and needs “rules and tools” for its own involved parties: resource owners, requesting parties, resource servers, and the like. The name we’ve given to UMA deployment ecosystems with a formal organizational principle is “access federations”, and we believe they would benefit from trust frameworks too.
The main reason why we have the legal subgroup is to develop some starter (and/or meta?) “rules and tools” to encourage UMA deployment ecosystems to flourish, while staying true to UMA’s design principles.
(I welcome corrections…)
Eve
On 2 Sep 2015, at 7:47 PM, Paul Templeman <paul@templeman.co> wrote:
Thanks Adrian
Appreciate the list. The discussion was as a result of a newby question asked by myself, whilst there were only a few people to annoy. :-)
Still on a learning curve ...
Regards
Paul...
------------------------------
Date: Wed, 2 Sep 2015 22:17:17 -0400
From: agropper@healthurl.com
To: eve@xmlgrrl.com
CC: wg-uma@kantarainitiative.org
Subject: Re: [WG-UMA] Notes from APAC-friendly UMA WG sync 2015-09-02
I have the following list of overlapping trust framework non-profits:
OTA - https://otalliance.org/iot-trust-framework-submission
Kantara - http://kantarainitiative.org/
FICAM - https://www.ise.gov/federal-identity-credential-and-access-management-ficam
Federal Bridge - http://www.idmanagement.gov/fbca-certificate-policy-page
Connect.gov - http://www.connect.gov/
OIX - http://openidentityexchange.org/
IDESG - https://www.idecosystem.org/
I can't tell them apart. Some of them depend on the others to some extent. How does any of this affect UMA?
Adrian
On Wed, Sep 2, 2015 at 7:57 PM, Eve Maler <eve@xmlgrrl.com> wrote:
Attending: Eve, Paul, Allan
Agenda bashing:
- Looking at UMA in the context of sport (Australian Digital Transformation Office has an interest)
There are similarities to health, and there are customer relationships as well. An under-6 soccer game involves two teams, two clubs, a competition organizer, a venue manager, and a referees’ organization. There are different legal entities, and a lot of personal data flying between them. This is what makes it a little similar to health.
“Children checks” involves officials who are members of sport organizations that cross state-level jurisdictions. And a lot of people involved are volunteers. If a dad is a volunteer coach, he still has to go through the check. If one person is a coach for two different teams/kids/sports, the person may have to go through the check multiple times. Paper forms are often still involved in this world. There are also sport associations at local, state, national, and international levels, responsible for different parts of the process. The vision would be, e.g., that a volunteer coach could go through a single check and have it be valid for other activities as long as it’s fresh enough. Along with underage child regulations, there are also anti-doping regulations to think about.
There’s an interest in trust frameworks around this. What’s the relationship between UMA trust framework opportunities and the Kantara and OIX work on trust frameworks and the UMA legal subgroup work?
The Kantara trust framework came out of the US FICAM and NIST SP 800-63 material, but is not US-specific. Kantara has approved assessors that approve organizations under that trust framework. A key motivation for doing this is actual FICAM acceptance, which is valuable for (likely) being accepted sight unseen by the US General Services Administration. There’s work ongoing to map US and UK trust frameworks.
OIX runs a registry that can hold registrations, for communities of interest that have a trust framework, of members in good standing in that framework. Right now it only holds one set of entries, for a technical-level community run by OpenID Foundation recording self-certified conformance to the specs.
So Kantara sort of specializes in “config-time” and OIX sort of specializes in “run-time”.
Some other identity federations in higher education and research have their own trust frameworks.
What is the UMA legal subgroup doing? The mission of record is:
“Develop recommendations about resource owner-and-requesting party [Alice-and-Bob], resource server-and-authorization server [service-and-hub], and any other transactional relationships in the UMA environment, keeping in mind international jurisdictional friendliness; applicability to many different vertical and horizontal use cases, including health; and support of higher-level access federation trust frameworks and similar efforts.”
The parallels between health and sport are actually pretty strong, as long as we stay away from only government, only health, only US, etc. One difference is that the people and even some of the organizations involved are at a small, non- or under-funded scale. It’s mom-and-pop a lot of times, and volunteers can’t deploy IT infrastructure.
AI: Paul: Follow up on these notes with some specifics on “legal use cases” that arise out of the sport scenario. Who would be the Principal of interest in each? Etc.
- V1.0.1 status update?
We should close the specs for 45-day public review as of next Thursday or earlier. That would mean it’s effectively stable at that point, modulo public review period comments.
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/