- Updates to the SAC to accommodate challenges that have been encountered during assessments using NIST 800-63 Rev3 have been approved by an All-Member Ballot (October 27, 2018). These changes will be used by Assessors going forward.
- Revisions to the IAF Overview (IAF1000) continue. A draft has been sent to current Kantara Approved CSPs for their input. The IAF Glossary (IAF1100) will be the next document to be revised.
- The Group Charter has been endorsed by the Group and the current leadership team has been affirmed for another year.
Prepared with information provided by Jim Pasquelle (WGChair)
- The Group is well on the way to reframing Consent in general.
- The hard work and persistent effort of several team members resulted in a demo around sharing consent receipt information. Many people have experienced the demo at several conferences. Andrew Hughes and others have excited people, many of whom have begun participating in and contributing to the WG. Work continues to make improvements to the demo.
- Work on the demo has led to a series of high-level discussions around consent in general and how the WG would proceed with a feature set for a specification for the next release. These discussions have improved participants’ understanding and grasp of the language used around Consent Receipt, which will undoubtedly result in improving the next version of the Consent Receipt Specification.
From Keith Uber:
Yesterday as part of the Kantara session at Consumer Identity World Europe in Amsterdam, I presented the work of the WG and the interop demo, largely based on Andrew's prior presentations. The audience was maybe 30 or 40.
The presentation was well received. I got one question about what happens when consent is revoked - is there a receipt for that action.
Nixu approached me at the event and told me that they have implemented the CR spec for a customer prestudy. I have asked them to submit some mention of this work to the "known implementations" page of the wiki.
VP Customer Success, Ubisecure Inc
- Updates to the SAC to accommodate challenges that have been encountered during assessments using NIST 800-63 Rev3 have been developed and endorsed by IAWG. LC has, by a super majority vote, endorsed a zero day IPR review period. The changes are currently undergoing an All-Member Ballot expected to close Oct 27, 2018.
- Revisions to the IAF Overview (IAF1000) continue. The IAF Glossary (IAF1100) will be the next document to be revised.
The current chair, due to circumstances beyond his control, is resigning. One participant of the group (Scott Shorter) has proposed redirecting the DG to Smart Cities. He will assume the role of Chair if there is support for this direction. Failing support, the DG will be dissolved.
- The Work Group has learned that some implementers have begun doing interoperability testing among themselves, and so is beginning to coordinate more formal "matrix testing" (a scheme for which can be seen here, from the UMA1 era). We will also be seeing a demo of WSO2's new UMA2 implementation at our Oct 18 meeting.
- The WG is undertaking an analysis of resource owner and requesting party notification requirements coming from a variety of sources, partly related to Open Banking's "decoupled" needs.
- Some offline progress is being made on finding opportunities to test the UMA business model, associated with the Vermont PIPC law.
- Updates to the SAC to accommodate challenges that have been encountered during assessments using NIST 800-63 Rev3 are being developed. IAWG has endorsed the proposed changes and recommended that they be adopted as “minor” updates. As such, the updates will not have to undergo a public review.
- The IAF Overview (IAF1000) is being revised to make it more current (currently dated 2009). The IAF Glossary (IAF1100) will be the next document to be revised.
- The Work Group welcomed the news of the RedHat Keycloak UMA2 implementation coming out of beta, and discussed some of its extensions as potential fodder for standardization. Another UMA2 implementation announcement is expected in October.
- The Work Group is continuing its business model effort, and is now working to set up a meeting with a representative of an insurance company interested in the outlines of the new Vermont Personal Information Protection law and how UMA might be of assistance to the captive insurance market related to this law. We anticipate the major portion of our work in the fall will be dedicated to this and other concrete examples of the business model.
Presented the demo of interoperable consent receipts from the Kantara Initiative Information and Sharing workgroup at the MyData Global Network Conference in Helsinki. Five Kantara member companies got together and in under 7 weeks coded exchangeable consent receipts - potentially for management of data subject rights from a 'privacy dashboard'. Very strong positive response & many interested in getting involved.
eGov hosted a webinar on August 16, 2018: The Australian DTA has been working on their new Trusted Digital Identity Framework (TDIF). It is a comprehensive set of documents for digital identity in Australia. It covers a range of topics from IDM, Authentication, security, privacy, fraud control, etc. DTA are presenting the trust framework aspects on Thursday, August 16 at 14:00 UTC. Webinar recording will be available after the event.
Progress has been slow on the primary deliverables of this WG. The overall plan is to develop a document outline to capture Consent Management common practices, develop an interview protocol and survey, then gather data from as many organizations as possible. Then, the results will be analysed for common practices and areas where standardization could help. We have renewed commitments of participant time starting in September, so hope to increase the rate of progress at that time.
The WG will be presenting a demo at MyData in Helsinki on August 29, 2018.
Over the last couple of months, digi.me, OpenConsent, Consentua, Ubisecure and Trunomi have been designing and building functions into their systems to create or consume Kantara Consent Receipts. The demo concept is to show off interoperable Consent Receipts. In this first round, we show that an individual can ask for a receipt as part of a service interaction; the receipt is given to that person and then viewed in a viewer of the person's choosing. The accompanying presentation and discussion will cover how the receipt fits into exercising individual data rights as set out in GDPR and other privacy regulations. This is a great opportunity to showcase Kantara members at an international conference.
- The Work Group is on a "summer time" schedule, meeting every two weeks or even less often until September.
- We held leadership team elections; Eve and Maciej have been re-elected in the chair and vice-chair roles respectively.
- We discussed novel solutions to the "multiple portals problem" (so-called in healthcare but applicable to other sectors), and novel ways UMA or UMA++ may be used to tackle the challenge.
IAWG is currently working on the following items:
- Developing NIST 800-63-3 implementation guidance with other members of the TFS Coordination Group; and
- Reviewing, with the objective of updating, the Identity Assurance Framework: Overview (IAF1000) and the Identity Assurance Framework: Glossary (IAF1100).
- The business model design is now fairly solid. Chair Eve Maler presented it at the EIC conference, along with a set of "cradle-to-grave" business scenarios. Jim Hazard is proposing a specific use case to which to apply our POC efforts.
- The group has been analyzing the Open Banking use case called "decoupled" and what it might look like if UMA were applied to it. (The MODRNA extension spec called CIBA was specially designed to solve it.) Both CIBA and UMA may potentially solve different aspects; Mike Schwartz is planning to put together a proposal that combines them.