API

From MgmtWiki
Revision as of 14:20, 10 July 2018 by Tom (talk | contribs) (Information Sharing)

Jump to: navigation, search

Full Title or Meme

An Application Program Interface API in the area of Identity and Information Sharing.

Context

Within the context of establishing and maintaining a Trusted Identity in Cyberspace different digital entities will need to exchange information in a machine readable format. These exchanges can be represented as a Network Protocol on the way that the data flows among the various entities, or as an Application Program Interface for how one entity exposes the protocol to the network. This page is about the later.

There are three broad areas of sharing that occur in the maintenance of an Identity Ecosystem: credentials, grants and Information Sharing. In the case of credentialing, there is a huge asymmetry between the manner in which a web provider is expected to share credential versus an individual Subject, that teaches us to separate the types of API into these four categories:

  1. Federation or credential sharing and verification among web providers,
  2. Authentication or credential sharing and Assurance from an individual.
  3. Granting of consent by a Subject to a web site to act in its behalf, or as a fiduciary of the subject's property.
  4. Information Sharing including the reporting of information held by a web site on behalf of a Subject.

Problems

How can a Subject trust a web site with only that part of its personal information as is required to acquire access to the resources of the web site.

Solutions

Federation

  1. Kantara Federation Interoperability Work Group has published a SAML version of metadata exchange.
  2. OAuth 2.0 Authorization Server Metadata is now RFC 8414 (2018-06-26) [1]

Authentication

  1. SAML
  2. OpenID Connect
  3. NIST 800-63-3

Granting Consent

This effort requires a taxonomy of types of information to be shared, which is now available from several sources.

  1. No work is currently underway in granting consent beyond that buried in the Open ID Connect specification.
  2. Kantara Consent Receipt is now available in an implementer's draft.

Information Sharing

Information Sharing includes the broad list of all sort of information about a Subject that is collected by a web site. Not just Personal Information that is securely shared with user consent, but also the user behaviors like web site visits, searches and purchases as well.

This area would require a taxonomy of data types to be shared; for example the diagnostic codes used in health care.

References

  1. Mike Jones http://self-issued.info/?p=1883