Liberty Specifications: Privacy Constraints and CARML Profile
Liberty Alliance Announces First Release of Identity Governance Framework Components
Consortium Releases CARML (Client Attribute Requirements Markup Language) and Privacy Constraints Draft Specifications to Protect Personally Identifiable Information Across Applications and Networks
Monday, June 23, 2008.
Liberty Alliance, the global identity community working to build a more trust-worthy internet for consumers, governments and businesses worldwide, today announced the first public release of components of the Liberty Identity Governance Framework. Developed with wide cross-industry support, the Liberty Identity Governance Framework (IGF) is the industry's first programmatic and auditable open standards-based initiative designed to help organizations better govern and protect identity-related employee, customer and partner information as it flows across heterogeneous applications and networks.
The IGF helps organizations meet regulatory requirements such as the European Data Protection Initiative, Gramm-Leach-Bliley Act, PCI Security Standard, and Sarbanes-Oxley by allowing enterprises to more easily determine and control how identity information, including personally identifiable information (PII), is used, stored and propagated across diverse systems, helping to ensure the information is easily auditable and not abused, compromised or misplaced. For example, with the IGF, an enterprise that may require customers to submit a social security number as part of account registration, could easily monitor which applications need to have access to social security numbers to ensure that only authorized credit verification services have direct access to this information.
Two draft specifications are included in today's release:
The CARML specification is a policy format that applications, devices, and services can use to characterize required identity data, coupled with privacy constraints governing use. It allows auditors and deployers to understand what identity information an application requires so that services can be deployed flexibly over enterprise identity architectures based on LDAP, Liberty SAML 2.0 Federation, WS-Trust, and Liberty Web Services (ID-WSF).
Privacy Constraints Specification
The Privacy Constraints specification provides a means of expressing commitments and obligations about identity data. It defines a small set of privacy terms, concerned with purpose, propagation, storage and display of identity data, which can be further profiled for use by industry verticals and national jurisdictions.
"The speed at which work continues on the Liberty Identity Governance Framework reflects the wide-scale demand for identity-enabled applications that are secure and protect the privacy of individuals," said Prateek Mishra, chair of the Liberty Alliance Technology Expert Group and director, Identity Management Standards, Oracle. "Developers, organizations and system integrators can now begin leveraging IGF to better manage and protect identity information across user-driven applications and the extended enterprise."
The development of the Liberty Identity Governance Framework within Liberty Alliance has been based on the Liberty model of creating open and secure identity standards and business and policy frameworks in a collaborative environment where all members are invited to participate. This approach, where standards are developed only after well-defined market requirements are in place, helps to ensure the output of Liberty Alliance meets business and user requirements for interoperable, secure and privacy-respecting digital identity management solutions. Liberty Alliance released IGF market requirements in 2Q 2007. The draft specifications released today are available online.
Ongoing IGF standards development is taking place within the Liberty Alliance Technology Expert Group and OpenLiberty.org, a community driven open source project formed to facilitate the development of interoperable, secure and privacy-respecting identity-enabled applications based on Liberty Alliance specifications. This dual approach to standards development helps to ensure the widest possible collaboration in the development of IGF by providing opportunities for all developers and members of the global open source community to participate in the process. Open source developers interested in furthering the development of IGF are encouraged to join the OpenLiberty.org community where formal membership within Liberty Alliance is not required.
"The first release of the Liberty Identity Governance Framework is a significant proof point in demonstrating how Liberty Alliance is committed to delivering the policy-based systems organizations need to build and deploy more successful enterprise and Web 2.0 applications," said Brett McDowell executive director, Liberty Alliance. "Liberty Alliance and OpenLiberty.org welcome participation from the identity community to help collaboratively drive the next version of IGF."
About Liberty Alliance
Liberty Alliance is the only global identity community with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trust-worthy internet by addressing the technology, policy and privacy aspects of digital identity management. Liberty Alliance is also the only identity organization with a history of testing vendor products for true interoperability of identity specifications. Nearly 80 products and identity solutions from vendors around the world have now passed Liberty Interoperable testing. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty SAML 2.0 Federation, Liberty Web Services, OpenID, and WS-* specifications. More information about Liberty Alliance as well as information about how to join many of its public groups and mail lists is available at www.projectliberty.org.
Liberty IGF Privacy Constraints Specification. With schema file. Privacy constraints are atomic constraints on the use, display, retention, storage and propagation of identity data. When combined with policy frameworks such WS-Policy, such assertions can be used to describe composite constraints on identity data.
CARML Profile of the Liberty IGF Privacy Constraints Specification. With schema file. "This profile profiles the use of privacy constraints within CARML. It defines roles and URIs used when privacy constraints are used to constrain CARML interactions, roles, predicates or attributes.
Privacy constraints are utilized in CARML documents, describing constraints on the use of identity data by services or applications. These constraints may be contributed by:
- developers — reflecting decisions and implementation choices made during design and implementation. For example, whether identity data is persisted and, if so, whether it is encrypted.
- deployers — reflecting practice and choices made during service deployment. For example, the purpose for which identity is being sought or whether identity data would be propagated further to certain endpoints. This document builds on the Liberty Privacy Constraints specification by defining additional URIs needed to specify constraints for CARML elements. Developers and deployers would use WS-Policy constructs to create composite constraints based on the unitary privacy constraints
Liberty IGF Client Attribute Requirements Markup Language (CARML) Specification. With schema file. "Client Attribute Requirements Markup ('CARML') is a declarative format for expressing the requirements for identity-related data of a service, application, device, web site, corporation or other entities. Requirements for identity attributes, predicates, roles and search filters can be expressed using CARML. CARML also supports privacy policies that prescribe constraints on the use of identity data."
Prepared by Robin Cover for The XML Cover Pages archive. See: "Liberty Alliance Specifications for Federated Network Identification and Authorization."