IAWG is currently working on the following items:
- Developing NIST 800-63-3 implementation guidance with other members of the TFS Coordination Group;
- Preparing comments on the recently released OMB Policy Draft; and
- Reviewing, with the objective of updating, the Identity Assurance Framework: Overview (IAF1000) and the Identity Assurance Framework: Overview (IAF1100).
- The Work Group has consolidated its two meeting series (Legal subgroup and main Work Group).
- It is working in earnest on its formal "business model", which is designed to enable:
- The auditing of technical artifacts (such as tokens) in a privacy-sensitive way during a run of the protocol to be able to prove the claimed consent/permission/delegation/licensing happened
- How the artifacts can link out to the relevant legal devices (contracts and licenses)
- Determining patterns of which artifacts need to be dissolved (e.g., tokens to revoke) and then remade (issued) to serve various complex business use cases
- It is also considering potential protocol extensions.
- The draft formal model was presented at IIW 26, which evinced some interest.
- The SAC developed to meet the requirements expressed in NIST SP800-63 rev 3 are currently undergoing an all member vote which closes March 19, 2018. We are on schedule to meet the NIST deadline of March 21st.
- IAWG has approved a repackaged KIAF 1400 (current SAC) that enable parts of it to be used with the SAC it has developed for 800-63 Rev3 to enable a CSP to be granted either an 800-83 Rev 3.0 Approval or a NIST 800-63 Rev 3 Technical Approval. As the effort focused on ensuring that the changes were “immaterial changes” they do not require a public review or all member ballot.
- IAWG is reviewing and responding to the comments received from the Public and IPR review of the SAC developed to meet the requirements expressed in NIST SP800-63 rev 3. The comments are, for the most part, aimed at the requirements expressed in NIST document. The Disposition Log and Documents are being revised so they can be submitted for LC’s approval for a two-week all-member ballot. We are on schedule to meet the NIST deadline of March 21st.
- IAWG is also repackaging KIAF 1400 (current SAC) to enable parts of it to be used with the SAC it has developed for 800-63 Rev3 to approve CSPs. The effort is focused on ensuring that the changes are viewed as “immaterial changes” so that they do not require a public review or all member ballot.
The Consent and Information Sharing WG is currently processing comments received during the Public Review of the Consent Receipt v1.1 specification. We expect to have this finished by the end of February, then on to all-member ballot in March 2018.
The Consent Management Solutions WG will have its first WG call Wednesday February 21 2018 at 15:00 GMT / 10:00 Eastern / 7:00 Pacific. Chair Corné and Vice-Chair Julian will present the overall plan, initial work packages list and schedule. Please join us!
- Now that Kantara has published the UMA2 Recommendations (for which a formal press release and a blog post are under way), the Work Group has (finally) begun discussing refreshing its charter to reflect the next phase of its work. This is likely to include the ongoing legal/business/trust efforts, potential work items around extensions, and promoting adoption and interoperability.
- The Legal subgroup (which may take on a revised name) has voted to approve its first Draft Report and submit it to the Leadership Council for certification for publishing. This report describes "how the UMA protocol enables a license-based model for controlling access rights to personal digital assets".
The formal launch of the Consent Management Solutions WG happened at the November Consumer Identity World event in Paris.
iWelcome and digi.me are leading the charge & the WG roster is starting to get bigger. We anticipate the first WG call to happen mid-January 2018.
The Consent Receipt v1.1 is in Public Review until January 20, 2018. This is a major milestone for the WG and prepares the foundation to allow 'overlays' and profiles to be created to suit the specific needs of localized regulations. We've received some comments already and will be working on resolution early in the new year.
Members of the Kantara Initiative Consent & Information Sharing WG have recently approved the Consent Receipt Specification v1.1.0 draft 7 2017-11-20. The document described below now enters a 45-day public comment and IPR review period in preparation for a member ballot to consider its approval as a Kantara Initiative Recommendation.
Document: Consent Receipt Specification
Version: v1.1.0 draft 7
Document Date: 2017-11-20
Document URL: Download the document
Overview of Document: A Consent Receipt is a record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal’s PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.
This is an open invitation to comment. Kantara Initiative solicits feedback from potential users, developers and, other interested parties, whether Kantara Initiative members or not, for the sake of improving the interoperability and quality of its technical work.
Public Review and IPR Review Period Opens: 2017-12-07, 20:00 UTC
Public Review and IPR Review Period Closes: 2018-1-20, 19:59 UTC
To Comment on the Specification: To comment please use the form located at: https://kantarainitiative.org/comment/or email your comments to firstname.lastname@example.org with the subject "CISWG COMMENT SUBMISSION".
Note that any submissions are deemed to be contributed under the IPR Option of the WG: Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non-discriminatory (RAND)
- In 2017, the WG completed its V2.0 specification edits, undertook two public comment and IPR review periods and disposed of comments arising from these periods, and remanded the specifications to the LC for certification towards an All-Member Ballot. The WG is currently considering a late-breaking comment related to security arising out of the (successful) All-Member Ballot prior to publication of the Recommendations. In 2018, post-publication, the WG will work on a fresh Roadmap, considering joint consent receipt work, working on issues with the "extension" label, and whatever else rises to the top of its list.
- In 2017, the Legal subgroup worked with legal expert Tim Reiniger to produce three contracted deliverables, and then put together major elements of a new UMA legal framework, in the form of a document and a series of diagrams. The framework is approaching full draft completion and readiness for practical review. In 2018, the subgroup will review its Mission, considering completing the framework document as soon as possible, working with one or more UMA deployers interested to contribute case studies, and developing the first sets of template contract and license text.
- Service Assessment Criteria for NIST 800-63 Rev 3 Parts A and B have been developed. IAWG has approved them and they are now out for Public and IPR review with a closing date of 2018-1-29.
- Comments prepared for on the drafts of GSA TFS Certification Process and Concepts of Operations for approval by the Board of Directors.
- The WG has approved its UMA 2.0 Draft Recommendations (revs 09) for certification by the LC to go to All-Member Ballot. If all goes well with both the remaining steps, we anticipate reaching Recommendation stage by mid-December.
- The Legal subgroup is working on a draft legal framework document.
- The WG is looking at some new candidate logos for UMA.
- Efforts underway to revitalize the Kantara IAF to accommodate release 3 of NIST SP800-63
- Still working with IDESG on operationalizing the use of Kantara approval of a CSP for the CSP to self assert to the IDESG
Slow summer, we had very few meetings. Currently working on the JSON-LD vocabulary for SAML.
In the past we had looked at blockchain technologies as a solution for publishing federation data, but we got bogged down on the logistical details-- for example, which blockchain, what is the business model, how would we publish claims. Sovrin maybe provides some of the answers to this question. More information about Sovrin can be found at http://sovrin.org. The design of OTTO aligns nicely with Sovrin. We are using JSON-LD as the data format, and the API's defined in OTTO could be used as Sovrin data endpoints.
The DHS ERASMUS pilot, which has been a driver for OTTO, is currently in limbo. The ERASMUS team will be presenting the work to the DHS first responder S&T group for December 7th. That is seen as a necessary gate for Phase II of the project.
Mike will be presenting OTTO at an Internet2 conference right before IIW.