Phase III IDEF Registry

Project details for Phase III are to be tracked here.

Phase II IDEF Registry is where the prior phase was tracked.

Requirements for Phase III

1. Trusted Identities in Cyberspace will continue as the primary goal.
2. Users can know that their personal information is:
   1. Acquired and used only on their consent and for the purposes agreed in advance.
   2. Only going to sites that have proven their identity and intent to the user.
   3. Will be securely protected wherever it is stored.
3. Users can easily learn about the ratings on registered web sites
4. Each Web site will present cryptographic proof of their identities, ratings and intentions about user information.

Requirements Documents

• Framework Profile
• Health Care Profile
• Financial Profile
• Consumer Ratings System

Use Cases

• Emergency Contact Information Use Case
• Patient with Lab and Referral Use Case
• Over 21 claim

Archive of Files

• Trusted Resolver
• Wiki page Privacy Profile is in development

Minutes of meetings

• Collected mins starting on 2018-01-08

Updates completed in Phase II

• Interop File:Interop Requirements Update.docx
• Privacy File:Privacy Requirements Update.docx
• Security File:Secure Requirements Update.docx
• Usable File:Usable Requirments Update.docx

Technology Short Comings

There are at least two identity challenges that need to be resolved before secure communications can be undertaken with web sites that have important personal information like health or financial information:

1. The identity of the web site itself is seldom clear. Some sites have urls that are easy to recognize, but many do not and even those that do are subject to spoofing by sites that deliberately try to confuse the user, often with alphabets that are very close to the Latin one we are familiar with. What the user needs is clear indication of who is responsible for the web site in a way that is easy for them to understand.
2. Documents that are delivered from health and financial sites very often is delivered by some site other that the one that created the information as is responsible for it. So it is important to package the information and display the owner of the information in a way that is easy for the user to understand. For example; in health care a variety of health care providers (primary care physician, lab) and data controllers (Epic, Cerner, AllScripts, etc.) are involved in provisioning patient information. When data is displayed to the user, it is seldom clear where the data originated and who controls access to the data. These need to be clear if the patient is a exercise their right to ultimate control of the information.

Both of these issues are known and solutions are being explored. These use case are built with the understanding that these problems will be fixed in the near term.

Work Product

1. Build example use case and sandbox for emergency contact information
2. Obtain funding to move forward with Web Site ratings
3. Obtain funding to build out a sandbox for the Trust Registry
4. Continue alignment with NIST specifications on Risk and Privacy.

Open Issues

Carry over from the Phase II team:

1. There will be multiple identifier frameworks (aka methods or profiles) which have their own set of identity requirements.
2. Our focus will be on the frameworks will be IDEF compliant.
3. All IDEF compliant frameworks will provide a machine-readable method to determine if a web site is a member of the framework
4. Especially at the start, most frameworks will not be IDEF compliant.
5. How should an IDEF compliant entity deal with identifiers that are:
   1. from within their own framework, ie within Healthcare or within the education internet 2 framework,
   2. from an external framework that is still IDEF compliant, ie a student being transfered from a school client to the healthcare hospital or from a VA hospital with a PIV card to a public hospital that cannot read it
   3. from an external framework it is not IDEF compliant, ie from a social network site like Google, FB, Microsoft, etc.
6. There is no advice available for entities that do not normally interact with the user on recovery and redress
7. No standard has been found that helps to describe how a site with no user connectivity can meet any privacy or security guideline.
8. While there is a federation metadata draft standard from OpenID, it is oriented to enterprise environments where there is already a relationship with the users, there is no similar metadata standard for open environments.

References