Friday, May 09, 2008

Identity Rights Agreements

by another name.

Liberty Alliance TEG yesterday voted out for public review a 'Privacy Constraints' specification.

From the introduction

Privacy constraints describe fundamental constraints on the propagation, usage, retention, storage and display of
identity data. Increasingly, there is concern regarding appropriate use of identity data and Privacy constraints allow the expressions of constraints over the processing of such data.

This document describes a small set of atomic privacy constraints. They are not meant to be exhaustive and we fully expect that communities will define additional assertions based on geography, industry and law.

Using policy frameworks such as WS-Policy, authorities (custodians of identity data, end-users) and consumers (applications, enterprises) can use Privacy constraints to describe composite constraints on identity data. For authorities, this takes the form of indicating the conditions under which data is being released; for consumers this takes the form of indicating the conditions that will govern their use of data.

Privacy constraints describe conditions under which identity data is sought or released. Exactly how Privacy constraints would be used in practice is outside the scope of this work. Depending in business context, they may be added to message flows in protocols or viewed as meta-data associated with identity data.

Generally, when a privacy constraint is bound to a request for some attribute, it is interpreted as a ’commitment’ the requestor is making with respect to its actions should it receive the attribute, when bound to a response carrying an attribute, a constraint is interpreted as an ’obligation’ attendant upon the recipient.

While Liberty kicked this off, my personal view is that subsequent work needs to happen in the wider community - wherever the right place for that may be.


rmarkwhite said...

I am interested in what you are discussing is this anything close to what you want?

Paul Madsen said...

hi rmarkwhite, yes indeed, that paper describes what we want. What it describes as restrictions on usage, republication etc, we call constraints.

To date, we've been more focussed on scenarios where a single user is involved, rather than social cases.

We had a session on the topic at IIW and discovered some other work in the space at Univ of Washington