Difference between revisions of "Federation Trust Registry"
(→Context) |
(→External Sources) |
||
| (27 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
When a US federal federal agency's mission requires that it disseminate controlled unclassified information (CUI) to non-executive branch entities, but prohibits it from entering into a contractual arrangement, the agency is nevertheless directed to seek the entity's protection of CUI in accordance with [https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information Executive Order 13556], Controlled Unclassified Information, or any successor order, and the CUI Program regulations, which include requirements to comply with [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/archive/2016-12-20 NIST SP 800-171]. | When a US federal federal agency's mission requires that it disseminate controlled unclassified information (CUI) to non-executive branch entities, but prohibits it from entering into a contractual arrangement, the agency is nevertheless directed to seek the entity's protection of CUI in accordance with [https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information Executive Order 13556], Controlled Unclassified Information, or any successor order, and the CUI Program regulations, which include requirements to comply with [https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/archive/2016-12-20 NIST SP 800-171]. | ||
| + | |||
| + | Standards must be implemented, potentially with a profile, to ensure that the result is "as consistently as possible, follows implementation guides and authoritative best practices published by the applicable standards development organization (SDO). Minimizing variation in how standards are implemented will make it easier for others to connect to Electronic Health Information. Further, to the extent possible, Electronic Health Information stored in health IT products should be structured and coded using standardized vocabularies."<ref name='tefca'></ref> | ||
==Problem== | ==Problem== | ||
| − | So far every solution has been one-off and not applicable to the next federation with the same general problem. | + | *Users and participants in an [[Identity]] Federation need to understand in real-time whether any particular web site is comformant with federation rules. Or, in other words, the user must be aware of the rules that apply to their current activity. |
| + | *So far every solution has been one-off and not applicable to the next federation with the same general problem. | ||
==Solution== | ==Solution== | ||
| + | There will be a Nationwide, or Global, registry of all compliant federations. That is able to answer queries about whether any [[Web Site]] is currently compliant. Queries can have specific site [[Identifier]]s or any character sting that will return a list of participants that meet the query. This services is specifically designed to be user friendly. | ||
| + | |||
In order that a [[Federation]] can be expose both is principles and its membership to the public some data server needs to provide information about the existing membership and their status. There are two ways to do this: | In order that a [[Federation]] can be expose both is principles and its membership to the public some data server needs to provide information about the existing membership and their status. There are two ways to do this: | ||
#A list of the members and their status that can be viewed in a browser. | #A list of the members and their status that can be viewed in a browser. | ||
| Line 21: | Line 26: | ||
Of primary importance for a [[Federation]] that wants to allow user's to trust the members, is some easily accessible data service on a site that meets the following criteria<ref>Michael J. Carey +2, ''Data Services'' (2012-06) '''CACM 55''' No 6 Pp. 86-97</ref> | Of primary importance for a [[Federation]] that wants to allow user's to trust the members, is some easily accessible data service on a site that meets the following criteria<ref>Michael J. Carey +2, ''Data Services'' (2012-06) '''CACM 55''' No 6 Pp. 86-97</ref> | ||
# Reliable, always-on accessibility. | # Reliable, always-on accessibility. | ||
| − | # Meta-data descriptions of the contents of | + | # Meta-data descriptions of the contents of any federated [[Web Site]]. |
# Machine readable data as well as meta-data (called Service-Enabled Data Store). | # Machine readable data as well as meta-data (called Service-Enabled Data Store). | ||
# Data Security | # Data Security | ||
| + | # Contains no [[User Information]] and does not track the user, but is expected to respond [[Anonymous]]ly to [[User]] queries. | ||
| + | |||
| + | ===Federation Profile=== | ||
| + | Each federation will need to create their own set of specifications for determining those [[Web Site]]s and [[Subject]]s that may be registered. While that could be an independent effort, this page address those federations that define a [https://wiki.idesg.org/wiki/index.php/Framework_Profiles Framework Profile] of the IDEF registry. Only with a single rooted tree of registries can the user be sure of the source of trust. It is possible for the federation to break the [[Framework Profile]] into separate documents for security, privacy and interoperability as UK Open Banking did.<ref>''UK Open Banking OIDC Security Profile.'' https://bitbucket.org/openid/obuk/src/4630771db004da59992fb201641f5c4ff2c881f1/uk-openbanking-security-profile.md?at=master&fileviewer=file-view-default</ref> | ||
| + | |||
| + | Each federation will support one or more [[Federation API]]s that will enable any communicating [[Entity|Entities]] on the web to query the current status of each member. The [[Federation API]] page describes different sets of goals that depend on the purposes of the api, either technical or experiential. | ||
| − | + | ===Use Cases=== | |
| + | *[https://wiki.idesg.org/wiki/index.php/Federated_Strong_Employee_ID Federated Strong Employee ID] | ||
| + | ===Working Sample Site=== | ||
| + | The work product can be viewed at [http://trustregistry.us-east-2.elasticbeanstalk.com/ this site]. | ||
==References== | ==References== | ||
| Line 31: | Line 45: | ||
===External Sources=== | ===External Sources=== | ||
| + | *[https://kantarainitiative.org/confluence/display/LC/Federation+Operator+Guidelines+%28FOG%29+v1.0 Kantara Initiative Federation Operators Guidelines] | ||
*OAuth 2.0 Dynamic Client Registration Protocol RFC 7591 | *OAuth 2.0 Dynamic Client Registration Protocol RFC 7591 | ||
*[https://www.ietf.org/mail-archive/web/oauth/current/msg18101.html Email thread that suggests use of software statements to provide federation]. | *[https://www.ietf.org/mail-archive/web/oauth/current/msg18101.html Email thread that suggests use of software statements to provide federation]. | ||
*Application Bridging for Federated Access Beyond Web (ABFAB) '''Use Cases''' RFC 7832. | *Application Bridging for Federated Access Beyond Web (ABFAB) '''Use Cases''' RFC 7832. | ||
| + | *[https://wiki.shibboleth.net/confluence/display/CONCEPT/Metadata Shibboleth Metadata] refers to configuration data used to provision an SP or IdP to communicate with each other. Typically it exists in XML form, at least for publishing and interchange. | ||
| + | |||
| + | |||
| + | [[Category:Glossary]] | ||
| + | [[Category:Profile]] | ||
Revision as of 17:02, 8 April 2019
Contents
Full Title or Meme
Wherever a Web Sites wishes to take advantage of the benefits of belonging to a Federation it needs to be exposed in a Data Service that allows any user to ensure that the Web Site has been Validated by the Federation.
Context
Several variations on the theme of a Federation Trust Registry exist already.
- Trust Services of TSCP the Transglobal Secure Collaboration Program (mostly focused on NATO A&D industry).
- UK Open Banking (focused on UK banks and payment processors)
- Recognized Coordinating Entity (RCE) (focused on the US Health Care community.)[1] See the page on TEFCA.
When a US federal federal agency's mission requires that it disseminate controlled unclassified information (CUI) to non-executive branch entities, but prohibits it from entering into a contractual arrangement, the agency is nevertheless directed to seek the entity's protection of CUI in accordance with Executive Order 13556, Controlled Unclassified Information, or any successor order, and the CUI Program regulations, which include requirements to comply with NIST SP 800-171.
Standards must be implemented, potentially with a profile, to ensure that the result is "as consistently as possible, follows implementation guides and authoritative best practices published by the applicable standards development organization (SDO). Minimizing variation in how standards are implemented will make it easier for others to connect to Electronic Health Information. Further, to the extent possible, Electronic Health Information stored in health IT products should be structured and coded using standardized vocabularies."[1]
Problem
- Users and participants in an Identity Federation need to understand in real-time whether any particular web site is comformant with federation rules. Or, in other words, the user must be aware of the rules that apply to their current activity.
- So far every solution has been one-off and not applicable to the next federation with the same general problem.
Solution
There will be a Nationwide, or Global, registry of all compliant federations. That is able to answer queries about whether any Web Site is currently compliant. Queries can have specific site Identifiers or any character sting that will return a list of participants that meet the query. This services is specifically designed to be user friendly.
In order that a Federation can be expose both is principles and its membership to the public some data server needs to provide information about the existing membership and their status. There are two ways to do this:
- A list of the members and their status that can be viewed in a browser.
- A data service that exposes the contents of the site in machine readable format.
This page is about the later case.
Of primary importance for a Federation that wants to allow user's to trust the members, is some easily accessible data service on a site that meets the following criteria[2]
- Reliable, always-on accessibility.
- Meta-data descriptions of the contents of any federated Web Site.
- Machine readable data as well as meta-data (called Service-Enabled Data Store).
- Data Security
- Contains no User Information and does not track the user, but is expected to respond Anonymously to User queries.
Federation Profile
Each federation will need to create their own set of specifications for determining those Web Sites and Subjects that may be registered. While that could be an independent effort, this page address those federations that define a Framework Profile of the IDEF registry. Only with a single rooted tree of registries can the user be sure of the source of trust. It is possible for the federation to break the Framework Profile into separate documents for security, privacy and interoperability as UK Open Banking did.[3]
Each federation will support one or more Federation APIs that will enable any communicating Entities on the web to query the current status of each member. The Federation API page describes different sets of goals that depend on the purposes of the api, either technical or experiential.
Use Cases
Working Sample Site
The work product can be viewed at this site.
References
- ↑ 1.0 1.1 The Office of the National Coordinator (ONC) for Health Information Technology, DRAFT TRUSTED EXCHANGE FRAMEWORK. (2018) Section 2 - How Will it Work p. 9ff https://www.healthit.gov/sites/default/files/draft-trusted-exchange-framework.pdf
- ↑ Michael J. Carey +2, Data Services (2012-06) CACM 55 No 6 Pp. 86-97
- ↑ UK Open Banking OIDC Security Profile. https://bitbucket.org/openid/obuk/src/4630771db004da59992fb201641f5c4ff2c881f1/uk-openbanking-security-profile.md?at=master&fileviewer=file-view-default
External Sources
- Kantara Initiative Federation Operators Guidelines
- OAuth 2.0 Dynamic Client Registration Protocol RFC 7591
- Email thread that suggests use of software statements to provide federation.
- Application Bridging for Federated Access Beyond Web (ABFAB) Use Cases RFC 7832.
- Shibboleth Metadata refers to configuration data used to provision an SP or IdP to communicate with each other. Typically it exists in XML form, at least for publishing and interchange.
