Introductions & Agenda Review
After a round of introductions, the agenda
was reviewed and a new item added: Digital Identity and Privacy.
Key Objectives for the Identity Management Forum through 2007
The IdM Forum emerged from the Directory Interoperability Forum
(DIF), which completed its work on LDAP and saw spin-off opportunities
for identity management work. It therefore formalized this move by
renaming itself the Identity Management Forum. We now find that the
spin-off work is nearing conclusion as far as the original DIF
participants are concerned, although Identity Management remains a topic
which continues to attract significant interest. The overlap with the
Security Forum has been near 100% since the start of the IdM Forum -
from the Security Forum members' viewpoint, identity and identity
management are all about authentication of digital identities, which are
key parts of information security, though the provisioning aspects of
Identity Management are additional (we have done no work on the
non-security aspects of IdM, such as provisioning, customizing, RFID).
After further discussion, members concluded we should continue
unchanged.
Standard for Framework for IdM Architectures
This joint project with ISO/IEC JTC1 SC27 WG5 is continuing at the
relatively slow pace set by SC27 WG5. We will update the IdM
Forum web page (www.opengroup.org/projects/idm)
to refresh the current review draft and add The Open Group review
comments submitted to date. We have further comments to submit, for
review undertaken during 2006, and we should call for members to
contribute further comments in time for the next deadline:
Action: All to review the latest SC27 WG5 draft N5517 (available
from the IdM Forum web site) and return comments.
Action: Ian to collate existing and new feedback on SC27 WG5 draft N5517
and submit it before the SC27 WG5 deadline.
Note that SC27 WG5 have subsumed this draft document in a new 3-part
project which includes Biometrics and Privacy - see below - and issued a
new liaison request inviting our participation in this wider objective.
Digital Identity project part-funded through EC FP7
The European Commission is continuing to part-fund IT research aimed
at promoting the development of an IT-based economy within its member states
and extending globally. In January 2007 it formally issued its Framework
Program 7 (FP7), and Objective 3.1.1.3 (see FP7.txt) addresses Digital Identity. The
Jericho Forum is interested in participating with other partners in
bidding for approval of an EC part-funded project under FP7 Objective
3.1.1.3, and the Identity Management Forum members may be similarly
interested.
Action: Members will review the European Commission's FP7 Objective
3.1.1.3 with a view to indicating interest or otherwise in partnering in
a bid coordinated by The Open Group.
Digital Identity and Privacy
A member described a project in the Dutch Ministry of Justice, whose
objective is to assign digital identities to its employees, suppliers,
and external contractors on the one hand, and on the other to those
persons who are to some degree its clients (prisoners, those on
probation, the accused, etc.). These digital identities will be shared with
cooperating services across the value chain of the Justice Department,
which includes the police and other relevant local and national government
agencies/service providers. The solution must of course not conflict
with European and Dutch privacy legislation. To comply with privacy
legislation, we must accept that a person's identity is the property of
that person, so it should be secret and owned by that person. A solution
is to use a derived identity that is cryptographically derived from the
person's real identity, so that the real identity is not exposed to anyone
who does not have the crypto-key; it is the person who owns that
identity who holds this crypto-key, and therefore only that person can
expose their real identity. By creating domains of identities - one for
the employee/supplier/contractor group and the other for the client
group - identities within a domain can be accessed only by others in
that same domain, so complete isolation of identity information between
domains is achieved. Taking this model further, a citizen's digital identity
information can be shared in a number of separate domains - education,
medical, employee, customer, etc. So far, eight independent domains have
been proposed which by their nature should be separate. Of course, domain
owners are needed.
In discussion, it was noted that for citizens the natural owner is
the national government; for medical the owner must be the medical
physician; etc. Also the notion and implications of a root identity, and
federation of identities (perhaps between domains), needs to be
considered. Some implementation of this approach exists in the Austrian
ID Card, which uses three domains - further information on this
implementation is available at www.buergerkarte.at.
Considering this further, each corporation doing business online
could have its own domains; e.g., customers, suppliers, employers. Also,
a policy framework could define policy domains and policy boundaries,
plus possible overlaps and relationships between domains which are
only allowed when explicitly authorized ... by whom? - necessarily by a
sovereign authority, issued only under legal order. Then there is always
the need to guard against unauthorized access to information by system
administration personnel.
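The derived-identity model described above, as an added example in Python that is not code from the Ministry of Justice project, the Austrian card or the original minutes. It assumes HMAC-SHA256 keyed with a 32-byte secret held only by the person as the derivation (the page does not say which construction the project uses), and the domain labels in DOMAINS and the sample identity are made up for the example. Each domain stores only its own derived value, so a join across domains on stored values finds nothing in common, and only the holder, by releasing key and real identity, can expose the link.

```python
import hashlib
import hmac
import secrets

# Domain labels are an assumption made for this example; the page names
# domains such as education, medical, employee and customer but fixes no labels.
DOMAINS = ("justice.staff", "justice.client", "education", "medical")


def new_holder_key() -> bytes:
    """The crypto-key described above: generated for, and kept only by, the person."""
    return secrets.token_bytes(32)


def derive_domain_identity(holder_key: bytes, domain: str, real_identity: str) -> str:
    """Derive the identity a person uses inside one domain.

    HMAC-SHA256 keyed with the holder's secret, over the domain label and the
    real identity.  A domain party stores only the derived value: without the
    holder's key it can neither recover the real identity nor recompute what
    the same person is called in another domain, which gives the isolation
    between domains the text describes.  (HMAC is this example's choice; the
    page does not say which construction the project uses.)
    """
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain: {domain!r}")
    # Length-prefix the domain label so no two (domain, identity) pairs share
    # the same HMAC input.
    label = domain.encode("utf-8")
    message = len(label).to_bytes(2, "big") + label + real_identity.encode("utf-8")
    return hmac.new(holder_key, message, hashlib.sha256).hexdigest()


def verify_disclosure(holder_key: bytes, domain: str, real_identity: str, derived: str) -> bool:
    """Check a disclosure the person has chosen to make (or been ordered to make).

    The verifier receives the real identity and the key from the holder and
    confirms they reproduce the derived identity on record.  Only the holder
    can supply these, so only the holder can expose the link.
    """
    expected = derive_domain_identity(holder_key, domain, real_identity)
    return hmac.compare_digest(expected, derived)


def enrol(holder_key: bytes, real_identity: str) -> dict:
    """What each domain ends up storing for one person: its own derived value only."""
    return {d: derive_domain_identity(holder_key, d, real_identity) for d in DOMAINS}


if __name__ == "__main__":
    key = new_holder_key()
    records = enrol(key, "NL-000000001")  # constructed sample identity
    for domain, derived in records.items():
        print(f"{domain:15} {derived}")
    # A cross-domain join on the stored values finds nothing in common.
    print("distinct values:", len(set(records.values())) == len(records))
    # The holder discloses to the medical domain; the verifier recomputes.
    print("disclosure ok:", verify_disclosure(key, "medical", "NL-000000001", records["medical"]))
```

An explicitly authorized overlap between two domains, of the kind the policy framework above would permit only under legal order, is then just the holder performing verify_disclosure for both domains to the authorized party; a system administrator with read access to one domain's records holds neither the key nor the real identity and cannot do the same.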
Discussion concluded this is an interesting approach to managing
privacy and digital identities. Those interested have been offered
insights and reference sources to investigate further.
Liaison Statement N5513 from SC27 WG5
ISO/IEC JTC1 SC27 WG5 passed Resolution 15 (contained in SC 27 N5513)
at its meeting held in South Africa during November 2006, inviting The
Open Group to participate in the development of a set of documents
covering Biometrics, Identity Management, and Privacy, under its Category C Liaison agreement with SC27 WG5.
The documents are:
- N5515 - Authentication Context for Biometrics
- N5517 - A Framework for Identity Management
- N5519 - A Privacy Framework
Document N5517 is the same one we are currently
collaborating on (see Standard for Framework for IdM
Architectures
above). Liaison Statement N5513 requests our confirmation that The Open Group will participate in the development of this
wider-coverage set of documents. To commit to doing so will involve investing
time and energy in serious review of successive drafts. A member noted
that one of the problems that SC 27 WG5 has is lack of breadth of the
constituency of reviewers, so from this point of view volunteering to
extend our existing commitment (on review of the Identity Management
Framework document) would be a good thing. Added to this it was noted
that none of these documents are of great length (at present at least)
so reviewing them will not require a lot of time. Three members
expressed firm interest in committing to this review/comment work, and
no-one expressed opposition to doing so.
Action: Ian will accept the ISO/IEC JTC1 SC27 WG5 N5513 Liaison
Statement on behalf of the Identity Management Forum, under The Open
Group's Category C liaison agreement.
Collaboration with ITU-T SG17
We have received a report (slide set ITU_T-cs1070029) from INCITS CS1
on a meeting of the ITU-T which has decided to set up an SG17 to
work on Digital Identity, focusing on interoperability/interworking, common data models, discovery, privacy, and governance.
We have also received expressions of interest from Nortel (who provide
the chair of ITU-T SG16) in collaborating with our Identity Management
Forum. The terms for engaging with SG17 are special in that they do not
involve fees. The slide set explains the plans and timelines for
achieving their goal - effectively four week-long meetings through 2007.
Arising from discussion, no-one volunteered during this meeting to
represent either the IdM Forum or their own company in the ITU-T SG17
work, though this remains an open invitation and individual members may
yet volunteer, either as an IdM Forum representative or representing
their own company, or even individually.