Scalable Consent is an initiative to develop a framework, and working code, in support of effective and informed end-user consent at Internet scale. The intent is to support fine-grained, revocable, informed, and well managed consent services that will allow both user and organization to control the release of their attributes to relying parties throughout an identity ecosystem. The work was catalyzed by an NSTIC grant from NIST, and is being enhanced and maintained by the TIER activity within Internet2.
The deliverables include:
an architectural model and APIs associated with each flow and component within the model
working code, both as a standalone service and embedded within a Shibboleth IdP, that implements scalable consent across a variety of protocols, including SAML,OIDC, OAuth, etc.
a next-gen UI that allows the user to manage their attribute release in an informed and effective manner
API's and sample connectors that deliver the information for informed consent - services such as service identification, minimal and optional attributes, information dialogues, histories of prior and siimilar releases, etc.
enterprise management services to help an organization deploy and management attribute release that integrates both end-user and institutional policies.
planning documents, discussion materials, and inter-institutional communications to facilitate deployments
The work is intended to help foster an open and interopable identity ecosystem. Goals include identity portability, improved support for accessibility, and consent that is usable and privacy preserving. All the specifications and code will be open-source.
Scalable Consent Requirements Scalable Consent Requirements.pdf
Areas of Work Going Forward
- API's and Development of Code
- Finalize components, flows and API's
- Develop working code
- stand-alone consent as a service
- embedded in a Shib IdP
- controlling an integrated set of token issuing protocols
- Establishing a draft attribute release preference record
- Liaison with other protocols and flows that need consent; circulate architecture and protocols
- Current technical drafts and documents Current technical drafts and documents
- Informed Consent Support
- Identify the major information needs for the UI, including graphics, information dialogues, histories, minimal and required attributes, etc
- Identify sources for information feeds, including metadata, well-known URI and software statements,
- Deciding content/complexity relative to Refeds discussions, etc.
- fields, graphics
- Friendly name/value translation
- Adapting PrivacyLens to the new internals
- Replumbing PrivacyLens to the new internals
- Adding UI components to reflect new internal capabilities, such as off-line consent, limited delegation,
- Refining UI in response to feedback and new research
- Enterprise Management Services
- Configuration Support
- Measurement
- Security
- Audit Log Management
- Local application metadata integration
- Others
- Deployment Discussions
- Relating to IdP v3 consent
- Relating to GDPR and the proper/improper use of consent - GDPR and Consent
- Planning documents and discussion groups
- Help desk issues
- Facilitating inter-institutional discussions on deployments
- Internal I2 resources
- Communications
- Represent to external constituencies
Putting the pieces together
- https://work.iamtestbed.internet2.edu/drupal/
Scalable Consent Development Plan Scalable Consent Development Plan.pdf
Scalable Consent Communication/Activity Plan Scalable Consent Communications Plan.pdf