Past and Future Collaborative Expedition Workshops (3W77)
Collaborative Expedition Workshop #72, April 30, 2008, at NIST, Gaithersburg, MD in conjunction with Interoperability Week at NIST (3W78)
Title: Exploring Identity Management: Global Landscape and Implications for Stakeholder Engagement Around the National Response Framework (3WAC)
On-site registration for this workshop has closed; you must be pre-registered to attend. We have reached room capacity. You may still register to participate remotely. Contact Susan.Turnbull@gsa.gov (3WNG)
Attention on-site attendees: please set aside half-an-hour for getting past the gate, badging and getting to the building. Therefore, please be at the gate by about 8:00am. US citizens will be required to provide some form of photo identification, non-US citizens will need their passport. (3WND)
Workshop Location: NIST (100 Bureau Drive, Gaithersburg, Maryland, 20899) - Building 101 (Administration Building) - Employee Lounge. Ref.: driving map, directions & NIST campus map. (Note: the "Visitor Center" is where everyone needs to go first to get his/her badge. If you are driving, after you get your badge you may drive into the campus and park in the parking lot near Building 101.) (3WNE)
- A. Draft Workshop Purpose (3W7A)
- B. Draft Workshop Questions (3W7B)
- C. Expected Participants (3W7C)
- D. Draft Agenda (3W7D)
- E. Draft Resources (3W7E)
- F. Workshop Series Background (3W7F)
A. Workshop Purpose (3W7G)
This workshop will build on the implications of Preparedness as a dimension of the National Response Framework, for Identity Management (persons and objects) within a global context, and facilitate engagement by multiple communities advancing emergent national readiness including: identity management, enterprise architecture, disaster preparedness and response, cyber-security, ontology, modeling & simulation, and international digital standards. (3WD9)
The workshop is responsive to expressed interest from Federal representatives to better appreciate identity management potentials and realities in light of ongoing research, standards development, and on-going national and global implementation strategies. This includes national and international groups working to develop standards across domains, such as Shibboleth, Security Assertion Markup Language (SAML 2.0), OpenID, Privacy, and authorization management. This broad and comprehensive context for shared understanding is of keen interest to the Coordinating Groups of the Subcommittee on Networking and Information Technology Research and Development (NITRD) including: Large Scale Networking, High Confidence Software and Systems, Human-Computer Interaction and Information Management, FASTER, Cyber-Security Information Assurance, and Social-Economic and Workforce Implications of IT. (3WAE)
The workshop will build on the National Preparedness scenario introduced at the Feb. 19, 2008 Collaborative Expedition workshop to facilitate shared understanding among multiple communities overcoming "domain" insularity to advance broad public service goals associated with national preparedness and innovation. (3WDD)
The workshop will highlight emerging organizing principles that include: (3WD3)
- 1. Externalize the technology and internalize the risk assessment (3WD4)
- 2. Determine appropriate level of "strength" for the setting. A range of "strengths" is needed on a continuum that includes lighter-weight for blogosphere and robust for Federal labs. (3WD5)
- 3. Explicit mechanisms for credible commitments and risk mitigation associated with boundary conditions. (3W7I)
In addition, the workshop will highlight priority areas for broad-based returns such as definition of US person with appropriate attributes as object classes (i.e. citizenship, customization from W3C Web Accessibility Initiative) and an assessment of readiness related equipment and appropriate attributes. (3WDC)
This workshop will build on the Collaborative Expedition workshop on Identity Management held on February 27, 2007, which included presentations on SAML, XACML, XRI, XDI, I-Name and OpenID. (3W7K)
In addition, the workshop will build on the March 4-6, 2008, Seventh Symposium on Identity and Trust on the Internet (IDTRust 2008) held at NIST. (3W7L)
It is probably true quite generally that in the history of human thinking the most fruitful developments frequently take place at those points where two different lines of thought meet. These lines may have their roots in quite different parts of human culture, in different times or different cultural environments or different religious traditions: hence if they actually meet, that is, if they are at least so much related to each other that a real interaction can take place, then one may hope that new and interesting developments may follow. Werner Heisenberg (3WNR)
Creativity is a process that can be observed only at the intersection where individuals, domains, and fields intersect. Csikszentmihalyi (3WNS)
B. Workshop Questions (3W7N)
- 1. As "build to share" cyberinfrastructures (i.e. collaboration workspaces) are advanced to address international and national challenges, what identity management issues (i.e. trust, privacy, accountability, attributes, etc.) must be addressed? (3W7O)
- 2. What are the Identity Management challenges that need to be addressed to incorporate attributes that contribute to "Preparedness metrics" in the National Response Framework? (3WA2)
- 3. Draft scenario for this workshop: regional, multi-state disaster management actions are being invoked and relevant parties, not all of whom are familiar with one another, need to be able to participate appropriately in "virtual, shared communication and collaboration space(s)" to advance two-way communications, situational awareness, documentation, and decision-support? Are we ready? (3WA3)
- Builds on need for greater transparency through a “capabilities-based” approach to preparedness that includes determining requirements for responding to all-hazards emergencies in the medical and public health sector. (3WPK)
- Supports deconstruction into standardized components and subcomponents (similar to fields) that will also "identify" items (equipment, etc.) with attributes, properties, and performance characteristics for an ontology that rolls up to the composite picture needed. (3WPL)
- Builds capability beyond the development of electronic health records and sharing of patient data, that would support the ability to fuse widely disparate information and assessment systems across Federal and state government settings, that in turn can be accessed by operational centers, program managers, and response personnel. (3WPM)
- Advances a robust, yet agile services-oriented architecture with the capacity to generate resource requirements during preparedness and response phases, match requirements to resources in conjunction with risk management principles, and capture best practices for iterative improvement. (3WPN)
C. Expected Participants (3W7V)
D. Agenda (3W7W)
8:30am - NIST Welcome to Interoperability Week - Green Auditorium (opposite the Employee's Lounge) (3WPR)
8:40am - Interoperability Week Keynote: Challenges and Opportunities for Global Standards - Dr. Robert Sutor, VP, IBM Corp. - Green Auditorium (3WPS)
9:15 - Welcome and Overview (3W7Y)
SusanTurnbull, GSA, Co-chair, Emerging Technology Subcommittee, and Co-chair, Social, Economic and Workforce Implications of IT and IT Workforce Development Working Group, Subcommittee on Networking and Information Technology Research and Development (3W7Z)
RichardSpivack, NIST, Co-chair, Emerging Technology Subcommittee (3W80)
Duane Caneva, MD, Director, Medical Preparedness, White House Homeland Security Council (3W81)
KenKlingenstein, Internet2 (3W83)
9:30am - Identity Management in a National Preparedness Framework: Validation and Beyond. How can we advance multi-sector capacity-building and collaboration for emergent readiness? (3W85)
Dr. Duane Caneva, Director, Medical Preparedness, White House Homeland Security Council, (3W86)
10:30am - BREAK (3W87)
10:45 - Multi-stakeholder Panel: What is the continuum of capabilities needed from multiple communities? What are the characteristics relevant to a global humanitarian challenge and the National Preparedness/ Response scenario that all stakeholders, regardless of specialty, need to understand? SusanTurnbull, moderator (3W88)
- Contribution of Identity Management - KenKlingenstein, Internet2 (3W8A)
- Contribution of Open Archival Information System (OAIS) Reference Model, JoshLubbell, NIST - information packaging metadata for repositories to know what you have and can share (3W8B)
- Contribution of Enterprise Architecture, GeorgeThomas, GSA - including role of Model-Driven Acquisition (3W8C)
- Contribution of Modeling and Simulation, Chuck McLean, NIST (3W8D)
- Contribution of Ontology Development, LeoObrst, MITRE (3W96)
12:00pm – Lunch (3W8G)
1:00pm - Federated Identity in the Global Landscape, KenKlingenstein, Internet2 (3W8H)
1:30pm - Federated Identity Continuum: Global-National-Local: Multi-Purposes, Multiple Strengths, KenKlingenstein, Internet2, moderator (3WAG)
- Federal Emergency Management Agency and the 9/11 Commission Act of 2007 (H.R.1) for Federal Preparedness, Chris Geldart, Director, FEMA National Capital Region Coordination (NCRC) and Craig A. Wilson, H.R. 1 Coordinator, National Preparedness Directorate, NCRC, FEMA (3WE0)
- This will include the standard for definition of a Federal Emergency Response Official (FERO) and how FEMA is leveraging HSPD-12 credentials to electronically type and validate FEROs. (3WE1)
- InCommon and E-authentication pilot, Peter Alterman, National Institutes of Health and Federal PKI Authority slides (3W8P)
- Highlights and Implications of the Department of Homeland Security Identity Management Interoperability Testbed (3WE4)
- Anil John, Enterprise Architect, Technical Lead for the DHS Science & Technology Directorate's Identity Management Testbed, Johns Hopkins University - APL (3WE5)
- Dr. John Hoyt, Research Director - Knowledge Management/ Threat Assessment, Command Control and Interoperability Division, DHS Science and Technology Directorate (3WE6)
- Herbert Engle, Program Manager, Test & Evaluation Programs, Command Control and Interoperability Division, DHS Science and Technology Directorate (3WE7)
- Karyn Higa, Engineer/PM, Command Control and Interoperability Division, DHS Science and Technology Directorate (3WE8)
- Emergence of Global Open Standards: Oasis XACML and SAML (3WF8)
- Anil Saldhana, Leader, JBoss Security and Identity Management, Red Hat Inc and Secretary, Oasis SAML Technical Committee and member, Oasis XACML Technical Committee. (3WF9)
2:45 pm - Multi-community Panel: In light of on-going Federated Identity Initiatives, the National Response Framework, and the roles and responsibilities of your communities - What will work as we organize for integration, what is missing and what needs to be created or known? - RichardSpivack, moderator (3W8Q)
- Digital Preservation perspective, JoshLubbell, NIST - information packaging metadata for repositories to know what you have and can share (3W8R)
- Enterprise Architecture perspective, George Thomas, GSA - including role of Model-Driven Acquisition (3W8S)
- Modeling and Simulation perspective, Chuck McLean, NIST (3W8T)
- Ontology Development perspective, Leo Obrst, MITRE (3W8U)
- E-Authentication Program, Myisha Frazier-McElveen, GSA, (invited) (3WD8)
3:30 pm - Open Discussion (3W8W)
4:15pm – Wrap-Up and Adjourn (3W8Z)
E. DRAFT Resources (3W90)
- Health-Grid: Grid Technologies for Biomedicine, US Army Research and Material Command, Telemedicine & Advanced Technology Research Center (TATRC), November, 2007 (3WDV)
- National Preparedness Guidelines, Department of Homeland Security, Sept. 2007 (3WEB)
- Identity Commons Wiki (3WHV)
- April 7-11, 2008 User-centric Identity Technology Interoperability Demonstration at RSA 2008 - 33 member organizations and 24 projects of OSIS will showcase network interoperability between identity providers, card selectors, browsers and Web sites, demonstrating practical uses for user-centric identity technology, including how users can "click-in" to Web sites via self-issued and managed Information Cards and OpenIDs. (3WHW)
- W3C Emergency Information Interoperability Framework Incubator Group (3WPZ)
- Voluntary Universal Healthcare Identifier (3WDX)
- ANSI-HSSP Workshop on Credentialing/ Access Control for Managing Disasters, Oct. 2007 (3WEC)
- OECD Workshop on Digital Identity Management, Trondheim, Norway, 8-9 May, 2007 (3WDY)
- In the UK, JISC has pioneered a number of studies on the prospects of interfederation. They have approached it from a legal perspective (JISC Legal) rather than a technical one, with compelling results. (3WD6)
- See http://www.jisclegal.ac.uk/access/index.html (looks broadly at differences and similarities, in the policy space, among international federations). (3WD7)
- See also http://www.jisclegal.ac.uk/dataprotection/dataprotection.htm for a good basis for discussion. (3WAJ)
- At the EU level, the EC IDABC eID Interoperability for PEGS project aims mostly at cross-national authentication of citizens (for instance, students enrolling in foreign universities). (3WAK)
- The project has published a couple of documents for pan-European authentication and authorisation of citizens: (3WAL)
- The Final Report on "Interoperable eIDM technical solutions" presents 9 technologies, including SAML2, Liberty, Shibboleth and WS-Fed (3WAM)
- The Final Report on "Comparison and assessment of eID management solutions interoperability" compares them (3WAN)
- The Final Report on "Proposal for a multi-level authentication mechanism and a mapping of existing authentication mechanisms" proposes 4 assurance levels for authentication in Europe. The document is influenced by NIST 800-63. This paper could be reused for LoA in higher education, too. (3WAO)
- The document "Draft Common Specifications for interoperable eID solutions" is not completed; Europeans expect it will propose a SAML2-based pan-European confederation architecture. (3WAP)
- Transportation Worker Identification Credential (3WAQ)
- JoshLubell - issues around the packaging of information in an archival system - specifically the metadata delimiting and identifying an information object's content and preservation-related information. The connection to identity management is that being able to identify what is in your repository is essential in order to manage what you've got, or for exchanging objects between repositories (or between repositories and their users). The Library of Congress maintains the Metadata Encoding and Transmission Standard (METS) which is widely used by digital libraries but (its developers claim) is also applicable to archives and records management. As the HealthGrid paper mentions, information packaging is part of the grid infrastructure needed to unify data sources across institutional boundaries. (3WAR)
- UNDP report on the Tsunami of 2004 - Communicating Disasters: An Asia-Pacific Resource Book (3VDK)
- Lubell, Mani, Subrahmanian, Rachuri, "Long Term Sustainment Workshop Report", National Institute of Standards and Technology, NISTIR 7496, March 2008 (3WDK)
- Secure E-Government Portals, eGovernment and the Web Workshop, W3C, Washington DC, June 2007 (3WPT)
- The workshop position paper by Anil Saldhana discusses the need to create secure e-government portals that provide sufficient trust context for citizens, including unification of eGovernment websites using identity management: http://www.w3.org/2007/06/eGov-dc/presentations/SecureEGovernmentPortals_AnilSaldhana (slides) (3WPU)
1. The Identity Management Landscape (3WAS)
- 1.1 XACML - Access Control Markup Language (3WAT)
- a) Intro: "Identity" alone is not enough to provide security or privacy for computer applications; there is also a need to know what that identity is allowed to do. The ITU-T and OASIS Standard eXtensible Access Control Markup Language (XACML) is a standard way to write and evaluate policies that describe "who is allowed to do what under which conditions". Among its features are support for distributed policy management, fine-grained access control for XML documents, role-based access control, privacy policies, and integration with the ITU-T and OASIS Standard Security Assertion Markup Language (SAML). By using a standard language for such policies, multiple applications can share policies and policy management tools. (3WAU)
- b) OASIS XACML Technical Committee Home Page: contains links to all the XACML specifications, as well as links to work in progress: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (3WAV)
- c) List of references to papers, articles, presentations, known adoptions, and products using XACML: http://docs.oasis-open.org/xacml/xacmlRefs.html (3WAW)
- d) Unencumbered open source Java implementation of XACML: http://sunxacml.sourceforge.net (3WAX)
- e) OASIS XACML Interoperability Event at the RSA Conference 2008. This interoperability event dealt with patient privacy directives and HL7 confidentiality codes, including emergency override cases whereby physicians can get access to patient records in emergencies. This may be relevant to the National Response Framework. Relevant links: (3WPV)
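The policy language described in a) and the emergency-override case mentioned in e), as an added example that is not part of this page nor any OASIS deliverable: a small Python evaluator for a subset of XACML 2.0, run over a constructed patient-record policy. The element names, function ids and the role, resource-id and action-id attribute ids are the standard XACML 2.0 ones; the emergency-flag attribute id `urn:example:environment:emergency`, the policy and the requests are constructed for this illustration, and the evaluator is a teaching subset (string-equal target matching, one Condition shape, first-applicable rule combining), not a conformant Policy Decision Point.

```python
import xml.etree.ElementTree as ET

# Toy evaluator for a small subset of XACML 2.0 (added example, not OASIS code):
# string-equal target matches, a Condition of string-equal/string-one-and-only,
# and first-applicable combining. Missing attributes count as "no match" here;
# a conformant PDP would return Indeterminate instead.
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
STR = "http://www.w3.org/2001/XMLSchema#string"
F_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
F_ONE = "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"            # XACML RBAC profile
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
EMERGENCY = "urn:example:environment:emergency"                # hypothetical attribute id

# Constructed policy: physicians may read patient records; during a declared
# emergency any subject may read them (break-glass); everything else is denied.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="toy-ehr"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="physician-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{F_EQ}"><AttributeValue DataType="{STR}">physician</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STR}"/></SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{F_EQ}"><AttributeValue DataType="{STR}">patient-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{STR}"/></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{F_EQ}"><AttributeValue DataType="{STR}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="emergency-override" Effect="Permit">
    <Target>
      <Resources><Resource><ResourceMatch MatchId="{F_EQ}"><AttributeValue DataType="{STR}">patient-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{STR}"/></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{F_EQ}"><AttributeValue DataType="{STR}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions>
    </Target>
    <Condition>
      <Apply FunctionId="{F_EQ}">
        <Apply FunctionId="{F_ONE}"><EnvironmentAttributeDesignator AttributeId="{EMERGENCY}" DataType="{STR}"/></Apply>
        <AttributeValue DataType="{STR}">true</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""


def _lookup(request, designator):
    """Value of a *AttributeDesignator in the request context, or None if absent."""
    category = designator.tag.split("}")[1].replace("AttributeDesignator", "").lower()
    return request.get(category, {}).get(designator.get("AttributeId"))


def _eval(expr, request):
    """Evaluate a Condition expression tree (Apply / AttributeValue / designator)."""
    kind = expr.tag.split("}")[1]
    if kind == "AttributeValue":
        return expr.text
    if kind.endswith("AttributeDesignator"):
        return _lookup(request, expr)
    fn, args = expr.get("FunctionId"), [_eval(c, request) for c in expr]
    if fn == F_ONE:
        return args[0]                    # bags are modelled as single values here
    if fn == F_EQ:
        return args[0] == args[1]
    raise NotImplementedError(fn)


def _match(m, request):
    """One SubjectMatch/ResourceMatch/ActionMatch: AttributeValue then designator."""
    if m.get("MatchId") != F_EQ:
        raise NotImplementedError(m.get("MatchId"))
    value, designator = list(m)
    return _lookup(request, designator) == value.text


def _target_matches(target, request):
    """Absent or empty Target matches everything; sections are ANDed, the
    alternatives inside a section ORed, and the matches inside one alternative ANDed."""
    if target is None:
        return True
    return all(any(all(_match(m, request) for m in alt) for alt in section) for section in target)


def make_request(role, resource, action, emergency="false"):
    """Build a request context keyed by XACML attribute category (constructed shape)."""
    return {"subject": {ROLE: role}, "resource": {RES_ID: resource},
            "action": {ACT_ID: action}, "environment": {EMERGENCY: emergency}}


def evaluate(policy_xml, request):
    """Return "Permit", "Deny" or "NotApplicable" using first-applicable combining."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        cond = rule.find("x:Condition", NS)
        if _target_matches(rule.find("x:Target", NS), request) and (cond is None or _eval(cond[0], request) is True):
            return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    for role, res, act, emg in [("physician", "patient-record", "read", "false"),
                                ("clerk", "patient-record", "read", "false"),
                                ("clerk", "patient-record", "read", "true")]:
        print(role, res, act, "emergency=" + emg, "->", evaluate(POLICY_XML, make_request(role, res, act, emg)))
```

The ordering of the rules is the security-relevant part: with first-applicable combining, the default-deny rule must come last, and the break-glass rule is scoped to a specific resource and action and gated on an environment attribute the policy enforcement point must populate from a trusted source, since a caller who could set that flag would bypass the role check entirely.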
- 1.2 XRI, XDI, I-Names & OpenID (3WAY)
- I-Names - http://en.wikipedia.org/wiki/I-name & http://inames.net (3WAZ)
- eXtensible Resource Identifier (XRI) - http://en.wikipedia.org/wiki/XRI (3WB0)
- XRI Data Interchange (XDI) - http://xdi.org (3WB1)
- OpenID - http://en.wikipedia.org/wiki/OpenID (3WB2)
- Identity Commons - http://wiki.idcommons.net/moin.cgi/FrontPage (3WB3)
- Whitepaper - The Social Web: Creating An Open Social Network with XDI (3WB4)
- 1.5 Federal e-authentication (3WBH)
- 1.6 Homeland Security Privacy Directive-12 (3WBI)
- GSA Federal Identity Credentialing Committee (FICC) http://www.cio.gov/ficc/ (3WBK)
- GSA Federal Smart Card Project Managers Group (FSCPM) http://www.smart.gov/ (3WBL)
- GSA Center for Smart Card Solutions/GSA Smart Card Contract http://www.gsa.gov/smartcard/ (3WBM)
- NIST Personnel Identity Verification (PIV) Project http://csrc.nist.gov/piv-program/ (3WBN)
- NIST Summary of Basic Documents - http://piv.nist.gov/ (3WBO)
- NIST Personal Identity Verification Program - http://csrc.nist.gov/npivp/ (3WBP)
- Smart Card Alliance (SCA) - http://www.smartcardalliance.org/ (3WBQ)
- List of All Presidential Directives - http://www.fas.org/irp/offdocs/nspd/index.html (3WBR)
- 1.7 FEAPMO Security and Privacy Profile Version 2.0 (3WBS)
- 1.8 Initiative for Open Authentication (or OATH) - http://www.openauthentication.org/. OATH is an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication. (3WBT)
- 1.9 Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (3WBU)
- 2.0 http://giglite.org, See TAB (Trusted Authentication Broker) and TAPE (Trusted Authentication Policy Engine). (3WBV)
- 2.1 Identity in Digital Government, Research Report of the Digital Government Civic Scenario Workshop, 2003, Sponsored by NSF and Kennedy School of Government (3WBW)
- 2.2 UNESCO Report on the ethical implications of identity management, web services, grids, semantic web, RFID and other emerging IT technologies. (3WBX)
F. Workshop Series Background (3W91)
Purpose and Audience: GSA's USA Services/ Intergovernmental leads monthly Collaborative Expedition workshops to advance the quality of citizen-government dialogue and collaborations at the crossroads of intergovernmental initiatives, Communities of Practice, Federal IT research and IT user agencies. The workshops seek to advance collaborative innovations in government and community services such as emergency preparedness, environmental monitoring, healthcare and law enforcement. (3W92)
The workshops serve individuals from government, business, and non-government organizations to practice an emerging societal form, Intergovernmental Communities of Practice (CoPs), in light of the Citizen-Centric Government goal of the President’s Management Agenda and the Public Information Access provisions of the E-government Act of 2002. (3W93)
Each workshop organizes participation around a common purpose, larger than any institution, including government. By learning how to appreciate multiple perspectives around potentials and realities of this larger “purpose”, subsequent actions by individuals representing many forms of expertise, can be better expressed in their home and collaborative settings. By centering around people and the "whole system" challenges they organize around, IT design and development processes can mature with less risk and greater national yield of breakthrough performance. (3W94)
Joint workshop sponsors in addition to GSA, include the Emerging Technology Subcommittee of the Architecture and Infrastructure Committee and Coordinating Groups of the Subcommittee on Networking and Information Technology Research and Development, including, Social, Economic and Workforce Implications of IT and IT Workforce Development CG, High End Computing CG, High Confidence Software and Systems CG, Software Design and Productivity CG, and Human-Computer Interaction and Information Management CG. These organizations value this “frontier outpost” to open up quality conversations, augmented by information technology, to leverage the collaborative capacity of united, but diverse sectors of society, seeking to discover, frame, and act on national potentials. (3W95)