1. NZ igovt/RealMe proposed consent service: overview Kantara eGov Working Group April 8 th 2013 CROWN COPYRIGHT © This work is licensed under the Creative Commons Attribution 3.0 New Zealand licence. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to the Crown and abide by the other licence terms. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/nz/.http://creativecommons.org/licenses/by/3.0/nz/ Please note that no departmental or governmental emblem, logo or Coat of Arms may be used in any way which infringes any provision of the Flags, Emblems, and Names Protection Act 1981. Attribution to the Crown should be in written form and not by reproduction of any such emblem, logo or Coat of Arms.

2. BACKGROUND TO NZ’S IGOVT/REALME In New Zealand, the logon service has been in production since April 2007 and now provides citizens with federated pseudonymous authentication using SAML integration for about 40 different government service providers with about ¾ of a million users (17% of pop) and set to grow rapidly as IRS and SSA complete integrations in 2013. Separate from the logon service, the identity verification service provides a complementary online assertion of identity from authoritative government documents. Recent legislation permits the identity verification service to progress from pilot to full implementation for use by both the government and private sectors. Privacy legislation in New Zealand prohibits any unique identifier to be shared across organisations to link a citizen’s record at one agency with their record. Furthermore, two agencies may only share information where legislation permits the specific exchange, unless the individual explicitly provides consent for the information to be shared. These privacy principles are fundamental to the design of the logon service which maintains a separate pseudonymous identifier - a federated logon tag (FLT) for each service provider – i.e. each privacy domain. When an online business service needs to information from another organisation to fulfil the user’s service request, it becomes more challenging to extend the authentication while meeting the relevant privacy constraints. For more complex scenarios, reliance on browser redirects between service providers can become impractical as it relies on a continuous browser session.. This cross-agency online service objective has been achieved by a combination of browser and web services to maintain an extended authentication context management service (referred to as iCMS) that utilises a security token service based on WS-Trust messaging and SAML tokens. This stands in contrast what we understand the UK does – using SAML front channel. Each transaction between one service provider and another needs to be based on a user-centric flow that obtains consent for sharing any personal identity attributes. When the circle of trust extends to more than two service providers, or combines multiple identity attribute providers (IAPs), finding the means to obtain, store and access information sharing conditions and users’ consents becomes problematic. To address this need, we are implementing a centralised consent service. The consent service will provide three functions – a central repository of sharing terms (i.e. content of the sharing label), an archive of current and historical consents, and the ability to issue and validate consent tokens.

3. NZ igovt services (with the forthcoming RealMe ‘refresh’). Confirms that this is the same dog/person/entity as last interaction CONSISTENCY Other providers to come (if needed) identity assurance services login Service (currently igovt logon) Client has confidence in user’s identity (in advance of applying authz policy) Authentication is separated from identity and authorization Confirms the identity of the person wishing to use the client site UNIQUENESS IVS AVS

4. The upcoming design further separates the logon service, from assertion, and adds a consent service (discreet cloud services?)

5. Snapshot: The igovt logon service What it does: pseudonymous logon management (the FLT), carries no PI, designed in privacy.

6. Snapshot: The igovt identity verification service (customer view)

7. The notion of a privacy framework with a consent service:

8. Consent tokens (We are still working on the definition and design of the consent token concept). For the first iteration of the consent service, the consent token may be no more than a means to refer to a consent event recorded by the consent service. To comply with the New Zealand privacy principles we need to ensure that this reference cannot be used as a unique identifier to subsequently link a person across the privacy domains of two different service providers (RPs). In subsequent iterations, we anticipate that a consent token issued by the consent service will be something like a SAML authentication token or attribute assertion. It will provide sufficient information to the RPs or identity attribute providers (IAPs) in an information sharing exchange that allows them to determine not only if the user has provided consent, but that the key agreed sharing conditions for the exchange have been satisfied. While the label directly addresses the ability of the user to provide informed consent, we would like to see the approach cater for the ‘transformation’ of the key sharing terms so that these can be subsequently accessible by any of the downstream systems or organisations involved in multi-party business transactions.

9. www.standardlabel.org

10. The notion of a creative commons license * A thought for the next phase: The notion of a creative commons license * Example: Minimal – No Share – Single Transaction (min-no-1 license) It can be graphical:

11. Igovt/RealMe consent service - UX and Screen flow http://share.axure.com/NWNGLW/