By Ken Klingenstein, Identity Evangelist
The Original Vision of federated identity anticipated a thriving ecosystem where attributes, more than identities, were carefully exchanged between holders of those attributes and relying parties to provide appropriate services. Privacy would be preserved; scalable access control would be enabled; users would be empowered.
What has emerged, however, is much less fluid. Concerned organizations have restricted the flow of attributes. Internationally, legislation has fractured a consistent global approach and within the US, state-based laws that try to fill a federal vacuum results in even more complexity. And user control is often completely left out.
Several mechanisms have been created to try and remedy the situation. The Research and Scholarship end-entity category (aka R&S) is supposed to encourage release by assuring identity providers that relying parties are only asking for necessary information and would be prudent in their use of what they received. However, adoption of R&S has been limited, due to privacy concerns and the lack of user control. Moreover, additional categories will be needed for other situations and the international process for creating such categories is slow. Some early consent mechanisms have been built, but they lack important features, such as a rich set of “informed content” that would allow users to make educated choices. And the idea of a single tool that could work across protocols has not emerged.
A set of videos that show CAR in action are available on YouTube: an introduction and one that provides a view into the management tools that users and institutions have that allow consent and notification to scale to a large number of sites.
Until now. CAR (Consent-informed Attribute Release) has been developed by Duke University, leveraging a “Scalable Privacy” grant that Internet2 received from NIST several years ago.
A set of videos that show CAR in action are available on Youtube. The first one is an introduction, including the basics of the consent screen, storing and revoking consent, and having different institutional release policies applying to faculty and students. The second provides a view into the management tools that users and institutions have that allow consent and notification to scale to a large number of sites. Additional videos will be added to show other advanced features, such as selective release and delegated institutional policy setting. A number of universities are “kicking the wheels” on CAR and sessions are planned for TechEx.
In the long arc of federated identity development, consent was always envisioned as the capstone of the infrastructure. It provides privacy and user control. After many years, the capstone may be ready to be placed.