This is the home for the Kantara-convened community discussion on the NISTIR 8112 Attribute Metadata public draft.
Our participants discuss the document and post Issues and comments to the NIST GitHub repo. Note that each person or organization is responsible for posting their own feedback to NIST, as Kantara will not be assembling a centralized list.
Public Draft Open for Comments: https://pages.nist.gov/NISTIR-8112/
HTML rendering of current document version: https://pages.nist.gov/NISTIR-8112/NISTIR-8112.html
GitHub repo: https://github.com/usnistgov/NISTIR-8112
Questions posed by NIST:
Some specific questions we are interested in answering both in the short and long term include:
- Does this bring value to federated scenarios and identity solutions?
- Would your community or organization profile this schema to support a specific solution or sector?
- Is the body of attribute and attribute value metadata complete? What is missing? What should be removed?
- Is the categorization adequate and complete? Did we miss anything that is critical to improve trust and confidence in decision making based on federated attributes?
- Is trust-time vs. run-time sufficiently considered? Should the defined attribute metadata be shifted among these two lifecycle phases?
- Is the delineation between attribute and attribute value metadata clear and are both required in this schema?
- Is the level of effort required to integrate and leverage the schema commensurate with the value of the schema?
- Does the addition of the metadata negatively impact performance of systems?
Discussion Call Schedule
Join our open meetings:
DATES: Thursdays September 8, September 15, September 29 2017
TIME: 12:00 Pacific Time | 15:00 Eastern Time
- Dial-in Details
- Skype: +99051000000481
- US Dial-In: +1-805-309-2350
- Conference ID: 613-2898
|Discuss scope section|
Begin discussion on
- Does this document address current technologies and architectures? For example, mobile devices may affect attribute metadata
- The overall scenario of the use cases and the NISTIR itself appear to be well suited to law enforcement and national intelligence purposes rather than commercial or general public uses. Is this intentional?
- The metadata described in section 3 would have to be expanded to cover more typical uses for general public uses.
|Overview of NISTIR 8112 review DG||Context|
|Overview of NIST 'github' comment process||Context|
|Discussion of DG schedule and plan||Consensus on approach and plan|
|High level review of NISTIR 8112 document (time permitting)|
- Andrew gave an overview of the process and expected outcomes of this process
- Note that the document is a NIST IR, not a Special Publication
- Note that the attribute values for classifications are specific to the US Government, but there should also be flexible value sets for commercial purposes
- The community encourages NIST to focus on the metadata of broadest applicability before metadata that is very specific to particular use cases
- For example: metadata for a Trust Mark or metadata for LOA would be most useful to industry at first
- Note that the NISTIR's "Verification Method" values do not precisely match the processes outlined in SP 800-63-3
- Note that the NISTIR deals with attributes for Authorization and Access Control rather than authentication
- Must check if the NISTIR deals with the full range of Attributes about individuals - the "Verification Method" values appear to deal with documented attributes only, not with observed attributes
- Must discuss the range of metadata elements in the list - is it complete? or too much? There are some elements that appear to be implementation specific
- Must examine the concept of "trust time" vs. "transaction time"
- Is the concept described in the NISTIR the same as or different from the "Federation / Assertion" concept described in 800-63-3C?
Reminder: everyone should create a GitHub account and "Watch" the repo to get notifications.
Next meeting: September 15 2017 15:00 Eastern Daylight Time.