This is the home for the Kantara-convened community discussion on NISTIR 8112 Attribute Metadata public draft.
Public Draft Open for Comments: https://pages.nist.gov/NISTIR-8112/
HTML rendering of current document version: https://pages.nist.gov/NISTIR-8112/NISTIR-8112.html
GitHub repo: https://github.com/usnistgov/NISTIR-8112
Questions posed by NIST:
Some specific questions we are interested in answering both in the short and long term include:
- Does this bring value to federated scenarios and identity solutions?
- Would your community or organization profile this schema to support a specific solution or sector?
- Is the body of attribute and attribute value metadata complete? What is missing? What should be removed?
- Is the categorization adequate and complete? Did we miss anything that is critical to improve trust and confidence in decision making based on federated attributes?
- Is trust-time vs. run-time sufficiently considered? Should the defined attribute metadata be shifted among these two lifecycle phases?
- Is the delineation between attribute and attribute value metadata clear and are both required in this schema?
- Is the level of effort required to integrate and leverage the schema commensurate with the value of the schema?
- Does the addition of the metadata negatively impact performance of systems?
| Agenda item | Expected outcome |
|---|---|
| Overview of NISTIR 8112 review DG | Context |
| Overview of NIST 'github' comment process | Context |
| Discussion of DG schedule and plan | Consensus on approach and plan |
| High level review of NISTIR 8112 document (time permitting) | |
- Andrew gave an overview of the process and its expected outcomes
- Note that the document is a NIST IR, not a Special Publication
- Note that the attribute values for classifications are specific to the US Government, but there should also be flexible value sets for commercial purposes
- The community encourages NIST to focus on the metadata of broadest applicability before metadata that is very specific to particular use cases
- For example: metadata for a Trust Mark or metadata for LOA would be most useful to industry at first
- Note that the NISTIR's "Verification Method" values do not precisely match the processes outlined in SP 800-63-3
- Note that the NISTIR deals with attributes for Authorization and Access Control rather than authentication
- Must check if the NISTIR deals with the full range of Attributes about individuals - the "Verification Method" values appear to deal with documented attributes only, not with observed attributes
- Must discuss the range of metadata elements in the list - is it complete? or too much? There are some elements that appear to be implementation specific
- Must examine the concept of "trust time" vs. "transaction time"
- Is the concept described in the NISTIR the same as, or different from, the "Federation / Assertion" concept described in 800-63-3C?