"towards human usable transparency and control as a public utility"
Summary
- SSI - Controller Credential for Know Your Business (KYB) interactions and governance control flows.
- the specification addresses inherent risks due to a vulnerability, with technical identifier based systems.
- the more powerful the technology, , the higher the sensitivity, the
- this risk is mitigated with a controller credential for proof of transparency and by the performance of data control.
- Announcement June 9: This work group calls for interest in ToiP community to support the development and extension of decentralized data governance for decentralized digital identity management.
- This specification, specifies how to generate a controller credential by creating an ANCR's eNotice Record, and then using this record to generate an electronic eConsent Receipt.
- This document aims to bridge the ISO/IEC 29100 (formalized international security and privacy framework standard that is free) with 27002 ISO/IEC 27002 (formalized information security controls) to the trust over IP governance framework.
- The method is
- to specify the extension of notice records and consent receipts into micro-credentials with DiD's for to generate electronic eNotice and eConsent receipts that can utilize utilizing ToiP Governance Framework ecosystem.
- The controller credential is an extension of the Kantara Initiative, ANCR Notice Record specification, and apart of the eNotice record and eConsent receipt information structure used for the 0PN-AuthC Protocol.
- the specification addresses inherent risks due to a vulnerability, with technical identifier based systems.
- to get access to the current draft - please join a work group call and request it. In SSI the individual can create their own relationship record, proof of notice, and rights request receipt to demonstrate evidence of consent
Implementing true SSI with electronic notice and consent - using international governance frameworks for hyperlocal transparency and data control
...
- the default presented to the controller - using the controller credential
- a notice request is the provided aka - a request to track - to update the understanding
Scenario of Use
- In SSI the individual can create their own relationship record, proof of notice, and rights request receipt to demonstrate evidence of consent
References
- ISO/IEC 29100
- CoE 108+
- W3C Data Privacy Vocabulary
- Kantara ANCR
Terms & Definitions
- specific to this spec, in the annex - mapping semantics between frameworks ..
Security , Transparency & Governance Gap
...
Transparency Governance Framework - For Transparency Trust
0PN - 3 Vectors of Governance
- Personal Data Control (Gov) - (lower risk) uses micro-credentials
- the individual controls the source of data and verification
- attribute by attribute control
- Logging the access to the attribute for processing
- Co-Regulation : multi-party governed -
- Data trusts, where the individual + regulator and service co-regulate
- Logging the access to the processing
- Data Protection : Self-Regulated -
- the service provider regulates the processing of personal data
- Signed, verified and open code, with shared logging
...
The ANCR Record provides Consent Types to anchor the record trust record and an individual's understanding of the relationship. Specifically, root of trust record for the individual, which the individual owns and controls In a personal data store and profile.
Two types of Trust: OECD ref
type 1.
The individual trusting the system
type 2
the individual prooving who they are. so the system can trust them. e.g. with zero knowledge proof
The Record and Receipt specification uses ISO/IEC 29100 Security and Privacy techniques ref (free ISO specification) terms and definitions to identify the legal stakeholders(ref) and their roles in the processing and control of personal information. Using international standards for creation of record and receipts publicly.
...
- PII Controller Identifier [DiD]
- Credential ID
- Accountable Person
- Accountable Person rolerole
- Controller Notice Record Identifier
- Controller Receipt Identifier
- : As a DiD: Verified Credential
- Controller Type[Ctype]:
- Notice Controller,
- PII notice controller,
- PII controller,
- PII surveillance controller , (info not provided by PII Principle)
- [Ctype] controller operator,
- Accountable Person Type
Security Considerations
how to specify the
To address the security gap, the controller credential is presented in a privacy or security notice, prior to surveillance.
...
Human security, discovers or generates a controller credential to create human trust anchor record and credential (dial tone)independent of the Controller/Service provider.
Type 2: Technical Trust
This Controller Credential is
...
Mitigation Risk
Using standard framework for transparency of control with data control defaults
Micro-Credential
defined as a credential specified to a specific purpose.
Use Case
Assessment of transparency and performance of a micro-credential to mitigate risks with SSI
Examples
- Security,
- evidence
- fraud, traceabilty
- permission and access control transparency.
- Security of Security
- schema struture and use of object identifiers
- NIST - Privacy and Security Control framework
- NIST Language -
- evidence
- Auditing a ToiP implementation
...