"towards human usable transparency and control as a public utility" 

Summary 

  • SSI - Controller Credential for Know Your Business (KYB) interactions and governance control flows.
    • The specification addresses inherent risks due to a vulnerability with technical identifier-based systems.
      • the more powerful the technology, the higher the sensitivity, the
    • this risk is mitigated with a controller credential for proof of transparency and by the performance of data control. 
    • Announcement June 9: This work group calls for interest in the ToIP community to support the development and extension of decentralized data governance for decentralized digital identity management.
    • This specification specifies how to generate a controller credential by creating an ANCR eNotice Record, and then using this record to generate an electronic eConsent Receipt.
    • This document aims to bridge ISO/IEC 29100 (a formalized international security and privacy framework standard that is free) with ISO/IEC 27002 (formalized information security controls) to the Trust over IP governance framework.
    • The method is
      • to specify the extension of notice records and consent receipts into micro-credentials with DIDs, to generate electronic eNotice and eConsent receipts that can utilize the ToIP Governance Framework ecosystem.
    • The controller credential is an extension of the Kantara Initiative ANCR Notice Record specification, and a part of the eNotice record and eConsent receipt information structure used for the 0PN-AuthC Protocol.
  • To get access to the current draft, please join a work group call and request it.


Implementing true SSI with electronic notice and consent - using international governance frameworks for hyperlocal transparency and data control

...

  • the default presented to the controller - using the controller credential 
  • a notice request is then provided (aka a request to track) to update the understanding

Scenario of Use 

  • In SSI the individual can create their own relationship record, proof of notice, and rights request receipt to demonstrate evidence of consent  


References

  • ISO/IEC 29100
  • CoE 108+
  • W3C Data Privacy Vocabulary 
  • Kantara ANCR


Terms & Definitions

  • specific to this spec, in the annex - mapping semantics between frameworks ..

Security, Transparency & Governance Gap

...

Transparency Governance Framework - For Transparency Trust 


0PN - 3 Vectors of Governance 

  1. Personal Data Control (Gov) - (lower risk) uses micro-credentials 
    1. the individual controls the source of data and verification 
    2. attribute by attribute control 
    3. Logging the access to the attribute for processing 
  2. Co-Regulation: multi-party governed
    1. Data trusts, where the individual + regulator and service co-regulate
    2. Logging the access to the processing 
  3. Data Protection: Self-Regulated
    1. the service provider regulates the processing of personal data
    2. Signed, verified and open code, with shared logging

...

The ANCR Record provides Consent Types to anchor the trust record and an individual's understanding of the relationship. Specifically, it is a root-of-trust record for the individual, which the individual owns and controls in a personal data store and profile.

Two types of Trust: OECD ref

Type 1: The individual trusting the system.

Type 2: The individual proving who they are, so the system can trust them, e.g. with a zero-knowledge proof.

The Record and Receipt specification uses the terms and definitions of ISO/IEC 29100 Security and Privacy techniques ref (free ISO specification) to identify the legal stakeholders (ref) and their roles in the processing and control of personal information, using international standards for the creation of records and receipts publicly.

...

  1. PII Controller Identifier [DiD]
    1. Credential ID
    2. Accountable Person
    3. Accountable Person role
    4. Controller Notice Record Identifier
    5. Controller Receipt Identifier
    6. As a DiD: Verified Credential
  2. Controller Type [Ctype]:
  3. Notice Controller,
  4. PII notice controller,
  5. PII controller,
  6. PII surveillance controller (info not provided by PII Principal),
  7. [Ctype] controller operator,
  8. Accountable Person Type

Security Considerations

how to specify the 

To address the security gap, the controller credential is presented in a privacy or security notice, prior to surveillance.

...

Human security discovers or generates a controller credential to create a human trust anchor record and credential (dial tone) independent of the Controller/Service provider.

Type 2: Technical Trust 

This Controller Credential is 

...


Mitigation Risk

Using a standard framework for transparency of control with data control defaults


Micro-Credential 

Defined as a credential specified for a specific purpose.


Use Case

Assessment of transparency and performance of a micro-credential to mitigate risks with SSI


Examples

  1. Security
    1. evidence
      1. fraud, traceability
      2. permission and access control transparency
    2. Security of Security
      1. schema structure and use of object identifiers
      2. NIST - Privacy and Security Control framework
        1. NIST Language - 
  2. Auditing a ToIP implementation

...