Announcements |   placeholder

25 - Consent-Informed Attribute Release (CARMA)

Ken Klingenstein

Abstract In the past year, consent for the release of attributes, and more generally for personal information items, has become a highly active area of Internet identity. Drivers are numerous, including GDPR, the new draft of NIST 800-63-3, and the challenges R&E federations are facing in attribute release. While policy regulations such as GDPR typically are protocol neutral, the technical approaches to date have been protocol specific. While the requirements are universal, the implementations tend to weld in local considerations and have scale issues. This talk will demonstrate the CAR – Consent-informed Attribute Release – system, a multi-protocol (SAML, OIDC, OAuth, UMA) attribute release engine that integrates organizational and individual preferences for attribute release. It also has a well-engineered and adaptive UI, a variety of user controlled consent suppression and revocation mechanisms, and a notification/audit service. CAR can be integrated into the Shib v3 IdP and other SAML IdP’s, and can be used for OIDC and OAuth consent and release needs. CAR is a product of the Internet2 Trust and Identity initiative in TIER software development and catalyzed by a NIST grant. CAR is being put into production at scale this summer. Early user testing has indicated their understanding and interest in consent. The talk will also mention the areas that still need work, most notably the development of “informed content”. These are the materials - IdP and RP logos, display names for attributes and their values, etc – and the shared practices – determining required vs optional attributes, privacy policies and intents to use, etc. – that allows users to make effective decisions on attributes. Some of this information can be harvested from federation metadata or metadata statements associated with OIDC apps, but there are major gaps in both standards and actual deployments.

Download file