Consortium Releases CARML (Client Attribute Requirements Markup Language) and Privacy Constraints Draft Specifications to Protect Personally Identifiable Information Across Applications and Networks
Liberty Alliance, the global identity community working to build a more trust-worthy internet for consumers, governments and businesses worldwide, today announced the first public release of components of the Liberty Identity Governance Framework. Developed with wide cross-industry support, the Liberty Identity Governance Framework (IGF) is the industry’s first programmatic and auditable open standards-based initiative designed to help organizations better govern and protect identity-related employee, customer and partner information as it flows across heterogeneous applications and networks.
The IGF helps organizations meet regulatory requirements such as the European Data Protection Initiative, Gramm-Leach-Bliley Act, PCI Security Standard and Sarbanes-Oxley by allowing enterprises to more easily determine and control how identity information, including personally identifiable information (PII), is used, stored and propagated across diverse systems, helping to ensure the information is easily auditable and not abused, compromised or misplaced. For example, with the IGF, an enterprise that may require customers to submit a social security number as part of account registration, could easily monitor which applications need to have access to social security numbers to ensure that only authorized credit verification services have direct access to this information.
Two draft specifications are included in today’s release:
CARML Specification – The CARML specification is a policy format that applications, devices and services can use to characterize required identity data, coupled with privacy constraints governing use. It allows auditors and deployers to understand what identity information an application requires so that services can be deployed flexibly over enterprise identity architectures based on LDAP, Liberty SAML 2.0 Federation, WS-Trust and Liberty Web Services (ID-WSF).
Privacy Constraints – The Privacy Constraints specification provides a means of expressing commitments and obligations about identity data. It defines a small set of privacy terms, concerned with purpose, propagation, storage and display of identity data, which can be further profiled for use by industry verticals and national jurisdictions.
“The speed at which work continues on the Liberty Identity Governance Framework reflects the wide-scale demand for identity-enabled applications that are secure and protect the privacy of individuals,” said Prateek Mishra, chair of the Liberty Alliance Technology Expert Group and director, Identity Management Standards, Oracle. “Developers, organizations and system integrators can now begin leveraging IGF to better manage and protect identity information across user-driven applications and the extended enterprise.”
The development of the Liberty Identity Governance Framework within Liberty Alliance has been based on the Liberty model of creating open and secure identity standards and business and policy frameworks in a collaborative environment where all members are invited to participate. This approach, where standards are developed only after well-defined market requirements are in place, helps to ensure the output of Liberty Alliance meets business and user requirements for interoperable, secure and privacy-respecting digital identity management solutions. Liberty Alliance released IGF market requirements in 2Q 07. The draft specifications released today are available online.
Ongoing IGF standards development is taking place within the Liberty Alliance Technology Expert Group and OpenLiberty.org, a community driven open source project formed to facilitate the development of interoperable, secure and privacy-respecting identity-enabled applications based on Liberty Alliance specifications. This dual approach to standards development helps to ensure the widest possible collaboration in the development of IGF by providing opportunities for all developers and members of the global open source community to participate in the process. Open source developers interested in furthering the development of IGF are encouraged to join the OpenLiberty.org community where formal membership within Liberty Alliance is not required.
“The first release of the Liberty Identity Governance Framework is a significant proof point in demonstrating how Liberty Alliance is committed to delivering the policy-based systems organizations need to build and deploy more successful enterprise and Web 2.0 applications,” said Brett McDowell executive director, Liberty Alliance. “Liberty Alliance and OpenLiberty.org welcome participation from the identity community to help collaboratively drive the next version of IGF.”
About Liberty Alliance
Liberty Alliance is the only global identity community with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trust-worthy internet by addressing the technology, policy and privacy aspects of digital identity management. Liberty Alliance is also the only identity organization with a history of testing vendor products for true interoperability of identity specifications. Nearly 80 products and identity solutions from vendors around the world have now passed Liberty Interoperable™ testing. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty SAML 2.0 Federation, Liberty Web Services, OpenID and WS-* specifications. More information about Liberty Alliance as well as information about how to join many of its public groups and mail lists is available at www.projectliberty.org.