The ISI WG information Sharing interoperability comprises several ongoing projects with its main objective to create a personal data use record framework or PDURF.
A personal data use record framework is a concept whereby the framework accommodates a receipt. Since receipts themselves are not one-size-fits-all, the notion of the framework is to allow profiles to be developed, submitted, approved to the framework, and put in use by anyone.
Currently, two profiles are being developed and worked on; one around healthcare, the other around consent receipt for browsers.
The ISI workgroup is split into project groups; they work separately and then bring together their best solutions under the framework.
After being on several months of hiatus, the workgroup will begin to meet regularly starting in December 2021.
The group presented at Kantara's session at the European Identity Conference
The group continued to define test cases for a future UMA interoperability test suite
- The group discussed OAuth vs UMA differences and how we can better educate people
An UMA 101 session was presented at IIW 33. There were around 25 participants. There was discussion of recent WG topics such as "UMA + data schema standards" and "UMA + SSI identity credentials".
The group reviewed a recent FHIR API vulnerability findings and is preparing a short report to show how to remediate using UMA
The group is reviewing delegation uses cases raised by other groups, and how to accomplish them with UMA
- The group has been looking at some challenges and out of scope items of UMA 2. Working through user-stories and ways to address those challenges
- Have been talking about discovery mechanisms, how they can improve user experience and support wide ecosystems
- Looking into requirements for a minimal viable interoperability profile for Authorization Server implementations
- Review and comments underway for contribution to Kantara ISO Liaison expert comments on ISO 27560 WD3
- Incorporation of Privacy as Expeected (PaE) into Notice and Consent Receipt Record Framewok
- Joint investigation w/ UMA WG in use of PaE flow for Alice's discovery of Bob's service
- Continued development of specification for Anchor Notice Record and Receipt 1.2.1
- Investigation of funding through NGI Atlantic 4th call, to leverage consent receipt work into a globally interoperable human centric privacy control set and conformance program.
The proposal to supply a Trust Registry API for the HHS ONC is awaiting action. It provides a trust registry similar to that used in the NIST SP 800-63-3 Trust Registry with two new features:
- Kantara FIRE will complete a specification (the MAAS) for the acceptability of smartphone applications to protect patient health data, which is protected by HIPPA in covered entities. This specification will then be converted to software assessment criteria in the same way that the NIST specs were used to create an SAC for Credential Service Providers. The MAAS specification is now posted as an implementer’s report.
- The Trust Registry can be queried by a json API which will allows certified apps to be immediately acceptable to download patient data which has a strict time limit in the final rule for the 21st Century Cures Act. There is no place where a trust logo can be displayed in a fully automated system.
The proposal is for ONC to fund the development of both features and start to onboard a few initial test sites over the first year of operation. It is expected that the continuing support for the program will come from fees on the application developers and the relying parties.
The team’s mobile driver’s license criteria have been contributed to the Kantara effort to respond to the DHS Request for Comment on ISO 18013-5 which is also the subject of the PImDL report that is expected from that discussion group very soon.
The WG is supporting https://trustregistry.org with additional details about the goals and work behind the proposal.
Further info on the WG is found on both our Kantara wiki
The Draft MAAS can be found here:
and the legacy IDESG wiki which the work group has continued to leverage, for example this page on mobile drivers’ licenses
- Changes to SAC concerning subject-focused, component service consumer criteria.
- Provide input to the Kantara response to the Homeland Security RFI concerning mDL
- Provide comments concerning the UK DCMS May Update - Certification Questions and assessment of RPs.
- Provide response to the NIST open discussion of issues related to SP800-63 Rev 4
The PImDL Group Approved Draft has been forwarded to the Leadership Council for a vote. Depending on the Leadership Council, the report will be published (and the DG will be shut down) or the draft will come back for review and update.
- The group approved an updated Charter for 2021
- The group approved new leadership for 2021. Alec Laws and Steve Venema have been elected as Chair and Vice-chair, respectively
- The group would like to thank Eve Maler for her unwavering support of the group and role as Chair over these many years!
- The group has looked at an updated Relationship Manager draft that incorporates concepts of resource owner held keys & credentials
- Please check out our most recent notes for more details on the above
Our work continues on several tracks:
To build out the Consent Receipt Framework 1.2, along the lines of OAuth where version 2 was a framework and not a specification. The consent receipt does not stand alone and we are working to provide a notice and consent framework consistent with privacy by design (ISO 27550 Privacy engineering for system life cycle processes) and the ISO 29100 Privacy Framework.
- Define the fields for the "anchor" receipt which is the notice receipt at the start of the (consent) flow.
- Work to incorporate this effort into ISO 27650 through Kantara liaison and individual member participation in the standard WG.
- Continued collaboration with W3C, Trust over IP, other participants in the NGI Trust who can leverage the work of the consent receipt in their individual projects and elsewhere.
- Outreach to browser providers to incorporate the consent receipt and "two factor consent" that is meaningul notice and then meaningful consent.
- We have ongoing workshops and presentation to support and promote the work, most recently an Identiverse presentation as part of Kantara's presentation, and "Role of Identity, Identification, and Receipts for Consent" at the Open Identity Summit 2021 on 2 June.
We now have 3 members of the ANCR WG working in ISO on 27560
Jan Lundquist, Editor
- Several WG members staffed a Virtual Booth at the ONC Annual General Meeting
- Eve and George presented a UMA 101 session (pdf slides) at the latest Internet Identity Workshop.
- Checkout a new UMA profile!!
- The WG continues to discuss how UMA intersects, works with, and supports other standards
- The WG continues to iterate on the Relationship Manager profile. Recent draft text
- The work group has been reviewing the UK Pensions Dashboard profile contribution, both the contents and IPR concerns
- The work group has been discussing the FAPI project: If we can/should recommend the same security profile to implementors, and if we should contribute a UMA profile for consideration by FAPI
- The work group presented to all members during the monthly Leadership Council call. Highlighted two upcoming deployments (UK Pensions Dsahboard and an Ontario trusted account for health) and how those deployments are bringing profiles and work back to the group
- BIT Report now available and published as a KI report here: https://kantarainitiative.org/download/blinding-identity-taxonomy-pdf/
- PDUR (Personal Data Use Receipt) in the draft mode, to be contributed to the WG by AH & JA early July timeframe. The entire ISI workgroup will then begin to make comments on PDUR project calls
- IntentCasting Project is writing a primer document around IC
- Notice and Consent is on a summer projects work schedule working on several aspects of AdvCIS,
- SAC for FAL3 under Public and IPR review
- working on SAC for IAL3, AAL3, and FAL3
- comments being developed for DIACC PCTF Attributes and Relationships component
- getting started on suggestions to NIST for rev4
A few months ago the FIRE WG representative to the Kantara Initiative Education Foundation shared that the FIRE WG would seek funding to support the pursuit of a grant to:
- Establish an assurance program for high assurance tokens and applications and to that end has fine-tuned the scoop to Public Health Centers - Vulnerable Populations, an activity that would build out the proposed sandbox :
- In addition to the above, also being considered is the build out the IDEF Registry from a partially designed and functional self-attested registry (NIST funded) to a Federated IDEF-Registry on a functional trust platform with a Trust Registry that would involve three Kantara WG’s: HIAWG, IAWG and FIRE. The application would be a Kantara assets which all the WG’s could contribute too and benefit from.
- ONC and CMS has funding and a need in light of COVID -19. This was briefly discussed at the HIAWG meeting last week with Dr. Tom, Colin and me online; we agreed to have a follow up call.