Last week's blog post by Dr. Peter Alterman on "Why LOA for Attributes Don’t Really Exist" has generated a good bit of conversation on this topic within FICAM working groups, in the Twitter-verse (@Steve_Lockstep, @independentid, @TimW2JIG, @dak3...) and in many other places. I also wanted to call out the recent release of the Kantara Initiative's "Attribute Management Discussion Group - Final Report and Recommendations" (via @IDMachines) as being relevant to this conversation as well.
One challenge with this type of discussion is to make sure that at a specific point in the conversation, we are all discussing the same topic from the same perspective. So before attempting to go further, I wanted to put together a simple framework, and hopefully a common frame of reference, to hang this discussion on:
Framework (table headings only): "What" | "When" (to trust/rely-upon/use) | "Where" | "Who"
Given the above, some common themes and points that surfaced across these conversations are:
- Don't blur the conversations on governance/policy with those on score/criteria, i.e. the conversation around "this is how you will do this within a community of interest" is distinct and separate from "the criteria for evaluating an Attribute/AP is x, y and z"
- Decisions/Choices regarding Attributes and Attribute Providers, while related, need to be addressed separately ["What"]
- Decision to trust/rely-upon/use is always local ["Where"], whether it is for attributes or attribute providers
- The decision to trust/rely-upon/use an Attribute Provider is typically a design time decision ["When"]
- The criteria that feed this decision (i.e. the inputs to a confidence-in-AP calculation) are typically more business/process centric, e.g. security practices, data quality practices, auditing etc.
- There is value in standardizing the above, but it is unknown at present if this standardization can extend beyond a community of interest
- Given that the decision to trust/rely-upon/use an Attribute Provider is typically made out-of-band and at design-time, it is hard to envision a use case for a run-time evaluation based on a confidence score for making a judgement for doing business with an Attribute Provider ["When"]
- The decision to trust/rely-upon/use an Attribute is typically a local decision at the Relying Party ["Where"]
- The decision to trust/rely-upon/use an Attribute is typically a run-time decision ["When"], given that some of the potential properties associated with an attribute (e.g. unique, authoritative or self-reported, time since last verified, last time changed, last time accessed, last time consented or others) may change in real time
- There is value in standardizing these 'attributes of an attribute'
- It is currently unknown if these 'attributes of an attribute' can scale beyond a specific community of interest
- A Relying Party may choose to directly make the calculation about an Attribute (i.e. a local confidence calculation using the 'attributes of an attribute' as input) or depend on an externally provided confidence "score" ["What"]
- The "score" calculation may be outsourced to an external service/capability ["Where"]
- This choice of doing it yourself or outsourcing should be left up to the discretion of the RP based on their capabilities and risk profile ["Who"]
- Attribute Provider Practice Statement (APPS) for Attribute Providers, Aggregators, Re-Sellers
- Level of Confidence Criteria (LOCC) for Attributes
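To make the run-time attribute decision concrete, here is an added example (my own illustration, not code from the post or from any FICAM/Kantara deliverable) of a Relying Party that carries the 'attributes of an attribute' listed above as metadata, enforces its design-time list of trusted Attribute Providers first, and then either computes a local confidence score or plugs in an externally provided one. The data classes, field types, weights, thresholds, provider names and the external score table are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Metadata carried alongside an attribute value: the "attributes of an attribute"
# named in the post. Field names follow that list; types and structure are
# assumptions made for this example.
@dataclass
class AttributeAssertion:
    name: str
    value: str
    provider: str                      # which Attribute Provider asserted it
    authoritative: bool                # True: AP is source of record; False: self-reported
    unique: bool                       # value uniquely identifies the subject
    last_verified: Optional[datetime]
    last_changed: Optional[datetime]
    last_consented: Optional[datetime]

# Relying-party-local policy. trusted_providers is the design-time, out-of-band
# decision about APs; the remaining fields drive the run-time attribute decision.
@dataclass
class RPPolicy:
    trusted_providers: frozenset
    max_verification_age: timedelta
    require_consent: bool
    min_confidence: float

@dataclass
class Decision:
    accepted: bool
    confidence: float
    reason: str

Scorer = Callable[[AttributeAssertion, datetime, RPPolicy], float]

def local_confidence(a: AttributeAssertion, now: datetime, policy: RPPolicy) -> float:
    """RP-local confidence in one attribute, derived from its metadata.
    The weights are illustrative; each RP would choose its own."""
    score = 0.5 if a.authoritative else 0.2      # self-reported data starts lower
    if a.last_verified is not None:
        age = now - a.last_verified
        if age <= policy.max_verification_age:
            score += 0.3                          # recently verified
        elif age <= 2 * policy.max_verification_age:
            score += 0.15                         # getting stale, partial credit
    if a.unique:
        score += 0.1
    if a.last_consented is not None:
        score += 0.1
    return round(min(score, 1.0), 3)

def decide(a: AttributeAssertion, now: datetime, policy: RPPolicy,
           scorer: Optional[Scorer] = None) -> Decision:
    """Run-time decision on whether this RP relies on the attribute.
    scorer=None uses the local calculation; an RP may instead pass a function
    that returns an externally provided score for the same attribute."""
    # The AP decision was made at design time; enforce it before anything else.
    if a.provider not in policy.trusted_providers:
        return Decision(False, 0.0, f"provider {a.provider} not in trusted set")
    if policy.require_consent and a.last_consented is None:
        return Decision(False, 0.0, "no consent recorded for attribute")
    confidence = (scorer or local_confidence)(a, now, policy)
    if confidence < policy.min_confidence:
        return Decision(False, confidence,
                        f"confidence {confidence} below {policy.min_confidence}")
    return Decision(True, confidence, "accepted")

# Constructed sample data (not real providers or subjects).
NOW = datetime(2013, 1, 15, tzinfo=timezone.utc)
POLICY = RPPolicy(trusted_providers=frozenset({"ap.example"}),
                  max_verification_age=timedelta(days=30),
                  require_consent=True, min_confidence=0.75)

def _assertion(**overrides) -> AttributeAssertion:
    base = dict(name="email", value="alice@example.com", provider="ap.example",
                authoritative=True, unique=True,
                last_verified=NOW - timedelta(days=5),
                last_changed=NOW - timedelta(days=100),
                last_consented=NOW - timedelta(days=1))
    base.update(overrides)
    return AttributeAssertion(**base)

FRESH = _assertion()
STALE = _assertion(last_verified=NOW - timedelta(days=90))   # same value, older verification
SELF_REPORTED = _assertion(authoritative=False)
UNTRUSTED = _assertion(provider="unknown.example")

# Hypothetical externally provided scores, keyed by (provider, attribute name).
EXTERNAL_SCORES = {("ap.example", "email"): 0.9}

def external_score(a: AttributeAssertion, now: datetime, policy: RPPolicy) -> float:
    return EXTERNAL_SCORES.get((a.provider, a.name), 0.0)

if __name__ == "__main__":
    for label, a in [("fresh", FRESH), ("stale", STALE),
                     ("self-reported", SELF_REPORTED), ("untrusted AP", UNTRUSTED)]:
        print(label, decide(a, NOW, POLICY))
    print("external score", decide(FRESH, NOW, POLICY, scorer=external_score))
```

The same attribute value is accepted when freshly verified and rejected once its verification is stale, which is why the attribute decision is a run-time one, while the provider check is a static lookup against a list fixed at design time. Swapping `scorer` shows the "do it yourself or outsource" choice staying with the RP: the external score feeds the same local threshold rather than replacing the RP's decision.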
As always, this conversation is just starting...
:- by Anil John