Interoperable Consent Management

From IIW

Session Topic: Interoperable Consent Management

Tuesday 1C

Convener: Steve Greenberg

Notes-taker: Eve Maler

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Interesting efforts going on:


Authentication and Authorization in Constrained

Environments (ACE): IETF working group

XDI Link Constraints: OASIS technical committee

User-Managed Access (UMA): Kantara work group

KRL: technology platform from Phil Windley

OAuth: IETF standard/working group

Open Mustard Seed: effort

ID Data Web: company

Where Are You From (WAYF): federation

Consent Receipt: draft spec from Kantara Consent and

Information Sharing work group

Identity Broker: product from UnboundID

Open Digital Rights Language (ODRL): W3C standard

Health Level 7 (HL7): health standard

SBVL: standard business (something) language?

Extensible Access Control Markup Language (XACML): OASIS standard/technical committee

Platform for Privacy Preferences (P3P): (failed) W3C standard

Capabilities: security concept that is an alternative to access control


What's needed: common semantics and useful translations around: 1) identity, 2) data, 3) permissions, and 4) transactions.


Some themes to consider:


Consent versioning

Alice-to-Alice (app-to-app) vs. Alice-to-other-party

Synchronous (during access attempt) vs. asynchronous (before access attempt and after access attempt)