The proposal to supply a Trust Registry API for the HHS ONC is awaiting action. It provides a trust registry similar to that used in the NIST SP 800-63-3 Trust Registry with two new features:
- Kantara FIRE will complete a specification (the MAAS) for the acceptability of smartphone applications to protect patient health data, which is protected by HIPPA in covered entities. This specification will then be converted to software assessment criteria in the same way that the NIST specs were used to create an SAC for Credential Service Providers. The MAAS specification is now posted as an implementer’s report.
- The Trust Registry can be queried by a json API which will allows certified apps to be immediately acceptable to download patient data which has a strict time limit in the final rule for the 21st Century Cures Act. There is no place where a trust logo can be displayed in a fully automated system.
The proposal is for ONC to fund the development of both features and start to onboard a few initial test sites over the first year of operation. It is expected that the continuing support for the program will come from fees on the application developers and the relying parties.
The team’s mobile driver’s license criteria have been contributed to the Kantara effort to respond to the DHS Request for Comment on ISO 18013-5 which is also the subject of the PImDL report that is expected from that discussion group very soon.
The WG is supporting https://trustregistry.org with additional details about the goals and work behind the proposal.
Further info on the WG is found on both our Kantara wiki
The Draft MAAS can be found here:
and the legacy IDESG wiki which the work group has continued to leverage, for example this page on mobile drivers’ licenses
- Changes to SAC concerning subject-focused, component service consumer criteria.
- Provide input to the Kantara response to the Homeland Security RFI concerning mDL
- Provide comments concerning the UK DCMS May Update - Certification Questions and assessment of RPs.
- Provide response to the NIST open discussion of issues related to SP800-63 Rev 4
The PImDL Group Approved Draft has been forwarded to the Leadership Council for a vote. Depending on the Leadership Council, the report will be published (and the DG will be shut down) or the draft will come back for review and update.
- The group approved an updated Charter for 2021
- The group approved new leadership for 2021. Alec Laws and Steve Venema have been elected as Chair and Vice-chair, respectively
- The group would like to thank Eve Maler for her unwavering support of the group and role as Chair over these many years!
- The group has looked at an updated Relationship Manager draft that incorporates concepts of resource owner held keys & credentials
- Please check out our most recent notes for more details on the above
Our work continues on several tracks:
To build out the Consent Receipt Framework 1.2, along the lines of OAuth where version 2 was a framework and not a specification. The consent receipt does not stand alone and we are working to provide a notice and consent framework consistent with privacy by design (ISO 27550 Privacy engineering for system life cycle processes) and the ISO 29100 Privacy Framework.
- Define the fields for the "anchor" receipt which is the notice receipt at the start of the (consent) flow.
- Work to incorporate this effort into ISO 27650 through Kantara liaison and individual member participation in the standard WG.
- Continued collaboration with W3C, Trust over IP, other participants in the NGI Trust who can leverage the work of the consent receipt in their individual projects and elsewhere.
- Outreach to browser providers to incorporate the consent receipt and "two factor consent" that is meaningul notice and then meaningful consent.
- We have ongoing workshops and presentation to support and promote the work, most recently an Identiverse presentation as part of Kantara's presentation, and "Role of Identity, Identification, and Receipts for Consent" at the Open Identity Summit 2021 on 2 June.