ATIS-0200008 ATIS Standard on - TRUSTED INFORMATION EXCHANGE (TIE)

As a leading technology and solutions development organization, ATIS brings together the top global ICT companies to advance the industry's most-pressing business priorities. Through ATIS committees and forums, nearly 200 companies address cloud services, device solutions, M2M communications, cyber security, ehealth, network evolution, quality of service, billing support, operations, and more. These priorities follow a fast-track development lifecycle from design and innovation through solutions that include standards, specifications, requirements, business use cases, software toolkits, and interoperability testing. ATIS is accredited by the American National Standards Institute (ANSI). ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a founding Partner of oneM2M, a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications sectors, and a member of the Inter-American Telecommunication Commission (CITEL). For more information, visit .

Notice of Disclaimer

2. Describes service enablers required for implementation;
3. Highlights the source of the rules to be included; and
4. Identifies gaps that must be closed for implementation.

Much existing work has already been completed on this topic. These components will be identified and included as appropriate. Specific examples and references are included in the Informative and Normative References.

1.3 Application

The solution will utilize a goal-oriented approach in managing the information lifecycle between the ecosystem of cloud service providers, end users, and other members of the services supply chain. The solution will include a formalized methodology that precisely discovers risk areas and proposes subsequent mitigations. Enforcement will utilize a uniform, reusable means of encoding and automation across the industry to accelerate the delivery of privacy protection. The solution will also consider existing industry standardization work, service provider implementation plans, and existing tangential requirements from adjacent industries (e.g., finance, health care, and communications CPNI).

2 Normative References

The following standards contain provisions which, through reference in this text, constitute provisions of this ATIS Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this ATIS Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.

1 An Open Market Solution for Online Identity Assurance, March 2010, OIX Corporation.
2 Personal Levels of Assurance (PLOA) White Paper v1.01.
3 Preliminary FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change (December 2010).
4 FTC Report: Protecting Consumer Privacy in an Era of Rapid Change (March 2012).

3 Informative References

The following standards or organizations are provided for informative purposes. They address related or similar areas to the ATIS Trusted Information Exchange. At the time of publication, the editions indicated were valid. All standards are subject to revision.

1 W3C Do Not Track
2 IETF OAUTH
3 IETF Repute
4 Kantara (European)
5 OASIS Open Reputation Management Systems (ORMS) TC
6 OpenID
7 OIX

4 Definitions, Acronyms, and

(2) support for tiered exchange of information based on level of trust.

9 High Level Architecture

The following high level architecture is a combination of enablers from the desired cloud service, OIX Trust Framework, IMS Subscriber Data Management, and DNS/ENUM address translation. The end user intends to initiate a cloud service such as telepresence with another party, but there are several layers of interaction required for the service to be delivered:

1. Initial resolution of the desired terminating user's service provider. Completing this resolution does not ensure that service delivery can occur.
2. Delivery of a service request to the terminating user's service provider.
3. Establishment of trust between the originating and terminating service providers, defined by the OIX trust framework and implemented through a service federation, brokerage, or similar function.
4. Delivery or denial of the requested service based on the framework rules. This includes appropriate information handling through the relationship lifecycle.

Each service provider plays multiple roles in this attribute exchange. It performs the identity service provider role for its own subscribers while participating as the relying party for receiving information about the other users in the service.

Figure 9: Trusted Information Exchange Architecture

10 Written Policy

The TIE framework supports user-understandable transactions within an agreed-to framework. The written specification defining the trust framework is a multi-faceted document that requires securing sensitive attributes as well as correlations. Some examples of sensitive information are listed below:

1. Attribute is sensitive (e.g., subscription and billing information).
2. Correlation is sensitive (e.g., person and IP address are public, but the correlation of an IP address to a specific person is sensitive).
3. Attribute and correlation are both sensitive (e.g., sensitive user preferences and a sensitive subscription are correlated using a sensitive correlation).

The written specification shall include acceptable terms and conditions for handling this information both within and between cloud services providers. The written specification shall contain levels of granularity that provide flexibility to the service provider but are simple enough to be understandable to the user. The written specification's rules shall be transparent to all participants of the trust framework. The written specification shall provide balanced respect for the needs of the originator and terminator of a transaction or session.

10.1 Sources

Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism, while reducing the burden on businesses of providing unnecessary choices; and

Greater Transparency: Make information collection and use practices transparent.

Active areas of FTC work in 2012-2013 (pp v-vi):

Do Not Track: International standard for Do Not Track being worked by W3C for browser-based implementations.
Mobile: The focus is on making disclosures on mobile devices more meaningful considering the small screen.
Data Brokers: The report calls for increased transparency and access to the information being held by these brokers. The report further recommends exploring a centralized website for consumer interaction with these brokers.
Large Platform Providers: Large platforms such as ISPs and social media that intend to comprehensively track consumer behavior will be investigated in more detail. A public workshop will be conducted in the second half of 2012 to discuss this issue.
Promoting Enforceable Self-Regulatory Codes: The Department of Commerce will work with key industry stakeholders to develop sector-specific codes of conduct. Adherence to strong, industry-specific privacy codes will be viewed favorably in future FTC legal action.

The following Privacy Requirements are identified by the final report. These requirements are listed in pp vii-viii of the report. More detailed information and examples are contained within the document. These are categorized per the structure outlined in the framework.

1. Privacy by Design: Baseline Principle: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
  a. The Substantive Principles: Final Principle: Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
  b. Procedural Protections to Implement the Substantive Principles: Final Principle: Companies should maintain comprehensive data management procedures throughout the lifecycle of their products and services.
2. Simplified Consumer Choice: Baseline Principle: Companies should simplify consumer choice.
  a. Practices That Do Not Require Choice: Final Principle: Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or are required or specifically authorized by law. To balance the desire for flexibility with the need to limit the types of practices for which choice is not required, the Commission has refined the final framework so that companies engaged in practices consistent with the context of their interaction with consumers need not provide choices for those practices.
  b. Companies Should Provide Consumer Choice for Other Practices: Final Principle: For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before: (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes. The Commission commends industry's efforts to improve consumer control over online behavioral tracking by developing a Do Not Track mechanism, and encourages continued improvements and full implementation of those mechanisms.
3. Transparency: Baseline Principle: Companies should increase the transparency of their data practices.
  a. Privacy notices: Final Principle:
Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
  b. Access: Final Principle: Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use. The Commission has amplified its support for this principle by including specific recommendations governing the practices of information brokers.
  c. Consumer Education: Final Principle: All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

11 Enforcement Mechanisms

The trusted information exchange works by compartmentalizing information and sharing that information proportionally to the reputation of the requestor. The compartmentalization and reputation requirements are established by the trust framework. The initial address resolution and service request are completed using public information. These steps do not exchange sensitive information, and access to public DNS would be difficult to control. The identity management system, in conjunction with the trust framework, is responsible for establishing trust. This system identifies the level of reputation of the relying party and ensures information is exchanged in accordance with the trust framework. Further auditing of this function is accomplished by the assessors, who verify that all participants to the trust agreement are upholding their obligations.

Figure 10: Reputation-based Response

The above graphic illustrates the use of reputation as a mechanism for gating how and what information is shared. Service and user information is not stored as a blob, but rather is compartmentalized and shared based on known operator reputation, user reputation, and preferences. The reputation and preference requirements are established in the trust agreement so that all parties understand the rules, and so that the implementation of those rules is transparent. The components in this illustration are an example and would be superseded by the terms of the inter-operator trust agreement. The trust agreement must also include a feedback mechanism that refines the terms of the agreement over time. This prevents abuse of the reputation system and improves the effectiveness of the solution over time.

The high-level goals of the enforcement mechanisms are clear, but there is significant work needed to turn these goals into an automated system. Multiple identity management solutions exist in the marketplace. Proprietary mechanisms exist for measuring reputation, but they are not coupled with standards-based identity management. The Trust Framework is defined in general, but it has yet to be implemented in systems architecture. The architecture and design for the enforcement mechanisms will be defined in a future document.

12 Industry Activity & Gap Analysis

The basic service enablers required for TIE are defined, but the specifics of their interaction and architecture require additional work. There are two major gaps that need to be closed in the implementation of TIE. The first is implementation of system architecture for the trust framework. The second is modification to subscriber data management systems to support compartmentalized access to standards-based service schemas.

12.1 Trust Framework

The OIX framework defines a construct for establishing trust relationships, but it does not include a run time environment (RTE). An RTE is required for the exchange of trusted, session-specific information associated with service delivery. This RTE can be implemented either as a service federation or a broker. In the case of a federation, each service provider is responsible for implementing the contractual obligations of the trust framework. With a service broker, a third party will proxy the messages between service providers to ensure that the rules are met. A federated relationship is more efficient with a small number of participating service providers, and a service broker provides a single point of interconnect when the number of participating service providers is larger.

There are multiple aspects of the run time environment that must be defined. Clause 10, Written Policy, defines an initial set of recommendations that must be followed in the exchange of trusted information, but it does not define the mechanism or format for doing this. Architecture and design work needs to be completed to specify how and where the information will be stored. For example, the FTC privacy-by-design principle recommends that “Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.” Each of the high level requirements below must be distilled into implementable technical requirements that can be designed into the system.

Data security
Reasonable collection limits
Sound retention
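As an added illustration (not part of this ATIS document or of any OIX implementation) of the Clause 11 mechanism of compartmentalizing attributes and releasing them in proportion to the requestor's reputation, and of the three Clause 10 sensitivity cases, the following Python sketch shows one way a run time environment could apply such rules. It assumes an integer 0-3 reputation scale, per-attribute and per-correlation thresholds, and a user-preference deny list; all attribute names, thresholds, and sample values are constructed.

```python
"""Reputation-gated, compartmentalized attribute release in the style of Clause 11.
Added illustration, not ATIS or OIX code. Assumed model: reputation is an integer 0-3
assigned by the trust framework; each attribute has a minimum requestor reputation; a
sensitive correlation is a set of attributes releasable individually but not together
below the correlation's own threshold; user preferences can only withhold, never widen."""
from dataclasses import dataclass, field

@dataclass
class TrustFrameworkPolicy:
    attribute_min_rep: dict                                  # attribute -> minimum reputation
    correlation_min_rep: dict = field(default_factory=dict)  # frozenset -> minimum reputation

@dataclass
class ReleaseDecision:
    released: dict                                           # attribute -> value
    withheld: dict                                           # attribute -> reason

def release(record, policy, requestor_rep, user_denied=frozenset()):
    released, withheld = {}, {}
    for name, value in record.items():
        if name in user_denied:
            withheld[name] = "user preference"
        elif name not in policy.attribute_min_rep:
            withheld[name] = "not in framework schema"       # default deny for unknown attributes
        elif requestor_rep < policy.attribute_min_rep[name]:
            withheld[name] = f"needs reputation {policy.attribute_min_rep[name]}"
        else:
            released[name] = value
    # Correlation gate: individually public attributes can still form a sensitive pair; below
    # its threshold drop the member with the highest attribute threshold (ties broken by name).
    for combo, min_rep in policy.correlation_min_rep.items():
        if requestor_rep < min_rep and combo.issubset(released):
            drop = max(combo, key=lambda a: (policy.attribute_min_rep[a], a))
            withheld[drop] = f"correlation {sorted(combo)} needs reputation {min_rep}"
            del released[drop]
    return ReleaseDecision(released, withheld)

# Constructed sample data mirroring the three Clause 10 sensitivity cases.
POLICY = TrustFrameworkPolicy(
    attribute_min_rep={"person": 0, "ip_address": 0, "subscription": 2,
                       "billing_account": 3, "video_preference": 1},
    correlation_min_rep={frozenset({"person", "ip_address"}): 2,
                         frozenset({"subscription", "video_preference"}): 3})
RECORD = {"person": "user-a", "ip_address": "192.0.2.10", "subscription": "premium",
          "billing_account": "acct-0001", "video_preference": "hd", "device_id": "dev-7"}

if __name__ == "__main__":
    for rep in range(4):                                     # what each reputation tier receives
        print(rep, sorted(release(RECORD, POLICY, rep).released))
```

A requestor below the person/IP correlation threshold receives either attribute but never both, which is the gating that Figure 10 describes; an attribute absent from the framework schema is withheld regardless of reputation.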