Claims Agent Charter

2012-04-11T08:14:23Z

WikiSysop: Undo revision 6482 by Cherriropq (talk)

'''Version 1.7'''
=== Status ===
* 02-Feb-2011: v1.7: craigwi: clarified situation involving non-RANDZ commercial software
* 16-Jan-2011: v1.6: ptrevithick: added a link to the new claims-agent mailing list
* 13-Jan-2011: v1.5: ptrevithick: added a mention that anyone can login with any OpenID and add their names to the participants list
* 10-Jan-2011: v1.4: craigwi: incorporated feedback from conference call
* 09-Jan-2011: v1.3: craigwi: incorporate feedback from early reviewers
* 07-Jan-2011: v1.2: craigwi: added initial scenarios; reworked language around components .vs. active client; other clarifications.
* 04-Jan-2011: v1.1: ptrevithick: renamed from Claims Broker to Claims Agent
* 30-Dec-2010: v1.0: ptrevithick: charter circulated for discussion period within Stewards Council

=== Name ===

Claims Agent Working Group

=== Purpose ===

The purpose of this working group is to (i) create a forum for the development of standards-based, interoperable, verified claims agent implementations (which would include both open source and commercial components), to (ii) initially focus on specific scenarios that the community and customers work together to implement and deploy end-to-end and (iii) provide funding and other incentives for the development of open source components.
A verified claims agent is a set of software components that allows the user to utilize claim-sets from different sources at relying parties (RPs) of their choosing, under their control, using technology that helps to protect their privacy and helps to ensure the security of the system end to end. Verified claims come from sources that do the verification and digitally sign the claims-sets; the agent itself does not do the verification and does not re-sign the claims or sets. The agent has the following characteristics:
* MUST be able to be used with an unmodified browser (includes all types of desktop and mobile devices; support for specific platforms and browsers TBD); this capability would be supported by a “cloud hosted” agent and would support many, but not all of the possible privacy and security features.
* MUST be possible to configure the system to prevent claims providers from being able to trivially track the use of a claims-set. MUST also be possible to configure the system to prevent trivial correlation of claims-sets delivered to different recipients. Both of these capabilities can be achieved by so-called minimal disclosure technologies based on zero knowledge cryptographic techniques or equivalent techniques.
* MUST provide mechanisms to mitigate the theft or lending of claims sets; e.g., claims sets could be cryptographically bound to a device such as a TPM chip, smart card, or phone.
* MAY include components downloaded to the user’s desktop or mobile device (e.g., a browser extension) to provide additional privacy and security features; e.g., used to invoke the agent service while reducing the phishing attack surface; store information local to the device; prevent the agent service from observing the flow of claims from provider to RP.
* Components downloaded to the user’s desktop or mobile device MAY also enhance the user experience, but MUST remain aligned and conceptually compatible with the user experience provided by the agent service.
* Architecture MUST support applications on a desktop or mobile device other than a browser; initial development efforts MAY not.
* MAY support existing specifications and protocols such as WS-Federation, OpenID, SAML and IMI
* MAY be used to provide claims used for authentication
* MAY include the ability to provide current or past claims (and convey which is which)
* MUST enable the exchange of variable claims which means that in some scenarios the process of retrieving claims-sets includes additional parameters that indicate something about the context of the request

=== Overall Scope ===

* To create a verified claims agent development community that includes open source, research and commercial efforts.
* To build liason relationships with related efforts at OpenID Artifact Binding WG, IETF (e.g., OAuth), Kantara (e.g. ULX and CI), Mozilla (e.g. Account Manager) and W3C (new initiatives being considered). Where possible to work with these organizations on their respective specs, rather than creating new specs.
* To build and test together at least one complete implementation of all claims agent components, including multiple cloud hosted agents and components for a wide range of desktop and mobile devices (specific systems and versions support TBD). May be a mix of open source and commercial components. The binaries of the commercially developed components that are part of this distinguished set of components must be available under RANDZ terms. All desktop and mobile device components must be compatible with all of the cloud agent instances.
* To fund one complete, open source claims agent implementation including a cloud agent (e.g., in Java, or .NET, or other suitable language) and components for desktop and mobile devices. All open source code will be licensed under TBD license (most likely Apache 2.0) and resulting components must be interoperable with any commercially developed components.
* To support and fund interoperability testing of claims agent components developed by members of the working group, including commercially developed components deemed compatible with the specifications and protocols used by this working group, but not available under RANDZ terms.
* To participate in discussions on: Trust frameworks that support the verified claims agent; relevant changes in laws and regulations; feedback from members of the privacy community.
* Ensure that the architecture and all components developed enable expansion of the initial target scenarios to include commercial sources of claims, claims orchestration and aggregation, and claims marketplaces (where there may be transaction costs per claims exchange).
* Consider how the architecture and components developed can enable value added services on both the cloud agent and the desktop and mobile devices.

=== Initial Target Scenario Characteristics ===

* Claims come from government, health and education sources and are verified by some source-dependent means.
* The expectation is that there is no cost to the citizen to use the claims and very limited cost, if any, to the organizations who consume them.
* Supported RPs include those at the same institutions that provided the claims, different agencies at different levels of governments and across national borders, as well as commercial organizations.
* Claims are exchanged in a way that helps protect the privacy of the citizen and security requirements of the claims provider (specific mechanisms employed depend on the scenario).
* Support for authentication would be limited to pre-allocated identifiers such as email (i.e., not dynamically allocated pseudonyms)

=== Principles ===

See Identity Commons [[Purpose And Principles]]

=== Practices ===

* We plan to collaborate using an Identity Commons-hosted mailing list
* We plan to contribute source code to a common repository. This repository will likely be a new repository in a larger effort such as [http://www.outercurve.org/ Outercurve Foundation] or [http://www.eclipse.org Eclipse].
* We plan to collaborate with the Identity Commons OSIS WG for interoperability testing.
* Specifications to be standardized would be submitted to standards groups such as OASIS, W3C, IETF and OpenID.
* We plan to seek corporate funding for the open source code and interoperability phases of this work. As Identity Commons evolves to support directed funding, this funding will eventually be to Identity Commons and, after an overhead fee is extracted, the balance pass to this working group.

=== Requirements of Participation and How to Join ===

To show interest in joining after this WG is approved by the Identity Commons Stewards Council, just add your name to the list below. This WG will be open to all.

=== Licenses and/or Restrictions on Usage of Work Product ===
* Open Web Foundation for specs
* TBD: likely Apache 2.0 for code

=== Current Deliverables and Milestones ===

To be determined.

=== Current Meeting Schedule ===

To be determined.

=== Current Membership ===
This group has been proposed by Paul Trevithick. The following people have indicated interest in participating.

* Mikaël Ates
* Henrik Biering (Peercraft)
* John Bradley
* Ariel Gordon (Microsoft)
* Iain Henderson (Mydex)
* Rainer Hörbe
* Tom Jones (JWSecure)
* Mike McIntosh (Azigo)
* Susan Morrow (Avoco)
* Andrew Nash
* Axel Nennker
* Søren Peter Nielsen (DK Govt)
* Dale Olds (Novell)
* Sandy Porter (Avoco)
* Drummond Reed (Data Portability, OASIS XDI TC)
* Domenico Rotondi (TXT e-solutions SpA)
* Mary Ruddy (Meristic)
* RJ Schlecht (Booz Allen Hamilton)
* Don Thibeau (OIDF, OIX)
* Owen Thomas (Clique Space(TM))
* Paul Trevithick (Azigo)
* Michael Versace
* Colin Wallis (NZ Govt)
* David Wasley (InCommon)
* Peter Watkins (Province of British Columbia)
* Craig Wittenberg (Microsoft)

====To join====
# Add your name above (alphabetic by last name) if you'd like to participate. You can log in with any OpenID to this wiki.
# Join the [http://lists.idcommons.net/lists/info/claims-agent claims-agent list]

=== Current Stewards Council Representative and Alternate ===

The stewards council representative will be selected by the members of the working group.

=== Current Links ===

None at present.

=== Related Groups ===

* OpenID Artifact Binding Working Group
* [http://kantarainitiative.org/confluence/display/ulx/Home Kantara ULX WG] and [http://kantarainitiative.org/confluence/display/wgci Consumer Identity WG]
* [https://mozillalabs.com/blog/2010/03/account-manager/ Mozilla Account Manager]
* [http://code.google.com/p/openinfocard/ OpenInfoCard]
* [http://www.fc2-consortium.org/ FC2]
* [http://wiki.eclipse.org/Cloud_Selector_1.1 Higgins Cloud Selector]
* [http://wiki.eclipse.org/Active_Client_Overview Higgins Active Client]

=== History ===

This is where the group can share about how/why the group was founded and where will be where quarterly reports will be linked to.

Identity Landscape

2012-04-11T08:13:40Z

WikiSysop: Undo revision 6481 by Apollosan (talk)

{| align="right"
| __TOC__
|}
= Introduction =

The Identity Landscape is a community project to create a shared living "map" of the Internet identity space -- the projects, technologies, and standards that are coming together to create an interoperable identity layer for the Internet.

Note: this page is currently a placeholder for the outcome of presentations and discussions at the Internet Identity Workshop to be held in Mountain View December 4-6. In the meantime, feel free to add any content you feel would be appropriate to building an identity landscape.

A lot of the material in the next three sections was taken, with permission, from the blog article of Johannes Ernst at http://netmesh.info/jernst/Digital_Identity/who-is-what-in-identity.html.

Ryan Janssen joined Newbies for Newbies and has contributed significant updates.
[http://www.dissertationmojo.co.uk Dissertation Help]
[http://www.dissertationmojo.co.uk/masters-dissertation/ masters dissertation]
[http://www.dissertationmojo.co.uk/dissertation-writers/ dissertation writers]
[http://www.dissertationmojo.co.uk/dissertation-proposal/ Dissertation proposal]
[http://www.dissertationmojo.co.uk/pricing/ buy-Dissertation]
[http://www.mightydesigners.com logo design competition]
[http://www.dissertationmojo.co.uk/dissertation-topics/ dissertation topics]
[http://www.dissertationmojo.co.uk/mba-dissertation/ mba dissertation]
[http://www.dissertationmojo.co.uk/dissertation-writing-services/ Dissertation writing Services]

= Groups, Communities, Projects =

=== Bandit ===

Open-source project that builds a set of loosely-coupled components for Authentication, Authorization, and Auditing. Initiated by Novell. http://www.bandit-project.org.

=== Concordia ===

Recently initiated in the context of the Liberty Alliance (see below), Concordia will initially focus on use cases for multi-protocol interoperability. Concordia is now a [http://kantarainitiative.org/confluence/display/concordia/Home discussion group] at the Kantara Initiative. The former URL http://projectconcordia.org in not operational any more.

=== DataPortability.org ===

The purpose of this project is to put existing technologies, techniques, policies and initiatives in context in order to facilitate translation, education, advocacy and ultimately implementation of data portability. http://dataportability.org/

=== FOAF+SSL ===

This project uses the SSL stack available in all current browsers to create a global single identity using the X509v3 Subject Alternative Name extension.
With this it is possible to create a global identity, one click sign on, access control for the Social Web. Reference to this work can be found on the wiki
http://esw.w3.org/topic/foaf+ssl
[http://www.dissertationinn.co.uk/ dissertation help] , [http://www.dissertationinn.co.uk/dissertation-proposal/ dissertation proposal] , [http://www.dissertationinn.co.uk/write-my-dissertation/ write my dissertation] , [http://www.dissertationinn.co.uk/dissertation-service/ dissertation service].

=== Higgins ===

An open-source project currently part of the Eclipse Foundation that develops multi-protocol software components. For example, the Higgins project is developing open-source information card selectors similar to Microsoft CardSpace for other platforms. http://www.eclipse.org/higgins.

=== Identity Commons ===
[http://www.dissertationinn.co.uk/undergraduate-dissertation/ undergraduate dissertation] , [http://www.dissertationinn.co.uk/dissertation-advice/ dissertation advice] , [http://www.dissertationinn.co.uk/law-dissertation/ law dissertation] , [http://www.dissertationinn.co.uk/nursing-dissertation/ nursing dissertation]

The Identity Commons is an industry association for the collaborative development of the technical, social and legal aspects of a user-centric identity layer on the internet. Many of the other initiatives listed here are chartered as working groups in the Identity Commons. Some of them are formed to accomplish a specific objective and disband shortly thereafter. Others are expected to keep going for a long time. You're already here.

=== Identity Gang ===

The Identity Gang is an invitation-based mailing list and public wiki bringing together most of the movers and shakers around identity. Operating as Working Group of the Identity Commons. http://identitygang.org.

=== IETF ===

A technical standards body for internet protocol standards. No identity-related work is currently performed there, but there are several related activities. http://www.ietf.org.

=== ITU-T Focus Group on Identity Management ===

The ITU is a technical standards body for telecommunications-related protocol standards following international standardization processes. The objective of the Focus Group is to facilitate the development of a generic Identity Management framework, by fostering participation of all telecommunications and ICT experts on Identity Management. http://www.itu.int/ITU-T/studygroups/com17/fgidm.

=== Kantara Initiative ===

Kantara Initiative is a robust and well-funded focal point for collaboration to address the issues shared across the identity community: Interoperability and Compliance Testing; Identity Assurance; Policy and Legal Issues; Privacy; Ownership and Liability; UX and Usability; Cross-Community Coordination and Collaboration; Education and Outreach; Market Research; Use Cases and Requirements; Harmonization; and Tool Development.

=== Kerberos Consortium ===

Just recently created, the MIT Kerberos Consortium intends "to establish Kerberos as the universal authentication platform for the world's computer networks.". http://www.kerberos.org.

=== Liberty Alliance ===

An industry association for the development and promotion of federated identity standards. Established in 2001, it has focused mostly on intra and inter-enterprise scenarios. http://projectliberty.org. UPDATE - As of June 2009, the work of the Liberty Alliance is transitioning to the Kantara Initiative.

=== Oath ===

Organization and technology standards to define open authentication protocols. for universal strong authentication on many kinds of devices and networks. http://www.openauthentication.org.

=== OASIS ===

A technical standards body for structured information standards. The development of XRI, XDI and SAML identity protocols resides here. http://www.oasis-open.org.

=== OpenID ===

OpenID is a community and a set of user-centric identity protocols, facilitated by the OpenID Foundation. OpenID is also chartered as a working group in the Identity Commons. http://openid.net.
*[http://www.headlicetreatmentworld.com head lice treatment]

=== OSIS ===

Organizes and harmonizes the development of software components for the internet-scale identity system by focusing on specific interoperability use cases, and demonstrating these multi-vendor scenarios at public events. Organized as a working group of the Identity Commons. http://osis.netmesh.org.

=== PRIME ===

European research project to develop a working prototype of a privacy-enhancing identity management system. https://www.prime-project.eu.

=== Shibboleth ===

Part of the Internet 2 project, Shibboleth is an open-source project that provides Web-based Single-Sign-On. http://shibboleth.internet2.edu.

=== VRM ===

Initiated by Doc Searls at the Berkman Center at the Harvard Law School, the Vendor Relationship Management project is a community-driven effort to support the creation and building of VRM tools. The VRM project is expected to be chartered under the Identity Commons. http://cyber.law.harvard.edu/projectvrm/Main_Page.
*[http://www.headlicetreatmentworld.com head lice treatment]

=== W3C ===

A technical standards body for web standards. No identity-related work is currently performed there, but there are several related activities. http://www.w3.org.

=== XDI.org ===

A non-profit governing the XDI and XRI infrastructure. It also holds the XRI and XDI intellectual property. http://www.xdi.org.

= Conferences=

=== Digital Identity World ===

The main identity trade show and conference in the United States.

=== Identity Open Space ===

A series of "unconference"-style events produced by Kaliya Hamlin, Doc Searls and Phil Windley, in association with other events such as Digital Identity World. See also Internet Identity Workshop.

=== Internet Identity Workshop ===

A series of "unconference"-style workshops produced twice a year by Kaliya Hamlin, Doc Searls and Phil Windley. It is the primary face-to-face gathering of the various individuals and groups working on user-centric identity. It operates as Working Group of the Identity Commons.

=== IDtrust at NIST ===

Annual conference at NIST in Gaithersburg, MD (D.C. area). Originally a PKI academic workshop, it has morphed into a more general identity symposium. Attendees consist largely of representatives from higher education and government (both domestic and foreign). http://middleware.internet2.edu/idtrust.

= Protocols, Technology, Projects =

=== Kerberos ===

Network authentication protocol developed at MIT and the basis for both Windows and Mac authentication. http://web.mit.edu/Kerberos/

=== I-Cards ===

=== LID ===

LID uses URLs as identifiers, is fully decentralized and supports multiple underlying protocols such as OpenID, Yadis and PGP/GPG. It was the first URL-based identity technology. http://lid.netmesh.org/

=== OpenID ===

OpenID is an open, decentralized, free framework for user-centric digital identity that takes advantage of of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman). http://openid.net/

=== OAuth ===

OAuth allows the user to grant access to their private resources on one site (the Service Provider), to another site (called Consumer). OAuth is about giving access to your information without sharing all of your identity. http://oauth.net

=== SAML ===

Security Assertion Markup Language (SAML) is an XML security standard It's token based architecture serves as an important component in Liberty, Higgins, Cardspace, and Shibboleth. http://www.oasis-open.org/committees/security/

=== Shibboleth ===

Shibboleth is an open source middleware which uses SAML to provides web single sign-on across or within organizational boundaries. http://shibboleth.internet2.edu/

=== Sxip ===

=== WS-*, WS-Trust ===

=== X.509 ===

Cryptography standard that defines most elements of the internet's current PKI components (public key certificates, certificate revocation lists, and attribute certificates) http://www.itu.int/rec/T-REC-X.509/en

=== XDI ===

=== XRI ===

=== Yadis ===

Meta-data discovery framework for identity services. Now required for OpenID implementations, but useful for many other applications as well that need to discovery services from URLs or other identifiers. http://yadis.org.

=== VRM ===
VRM, or Vendor Relationship Management, is the reciprocal of CRM or Customer Relationship Management. It provides customers with tools for engaging with vendors in ways that work for both parties. http://www.projectvrm.org

= Items to Place =

This is simply a starting list of items in alphabetical order to place on the map (taken from a thread on the Identity Gang mailing list).

It's now what's left after the above.

* i-names and i-numbers
* OpenPGP
* Tor

See also

* http://openliberty.org/wiki/index.php/RelatedProjects

= Other Maps/Lists =

On the Identity Gang list, Ashraf Motiwala recommended the following:

* http://docs.safehaus.org/display/HAUS/Id+OSS+Map is a map of identity Open Source projects.
* http://identityaccessmanagement.blogspot.com/2005/05/vendor-list.html is a list of vendors in the identity space.

More maps

* http://www.xmlgrrl.com/blog/archives/2007/03/28/the-venn-of-identity/ is by Eve Maler and the Liberty Alliance
* http://identity4all.blogspot.com/2005/11/topology-of-identity-standards.html is a draft of standards and their inter-relations