...
# | Description | Status | References | Next Steps | Comments |
---|---|---|---|---|---|
1 | Update (i.e., make current) the set of use cases previously developed by the Social Identities Working Group. This should include use cases for the following situations | Complete | N/A | | |
2 | Develop a set of criteria for selecting external providers in a variety of usage scenarios. Ensure that both social providers (e.g., Google, Facebook, Twitter) and non-social providers (e.g., Microsoft, PayPal, VeriSign) are included. | Complete | Evaluating External Identity Providers, and included in final report drafts | N/A | |
3 | Identify and document properties of external accounts that would be of interest to web application owners and other relying parties. This should include both | Complete | Evaluating External Identity Providers and included in final report drafts | N/A | Combined with #2. |
4 | Define and document how a gateway would represent the properties of an external account to an application. | Not Done | | Recommend as future work. | The group did not focus on the specifics of how attributes would be represented. The work group did discuss approaches for implementing integration, which is included in the report. |
5 | Contrast a central gateway with a local gateway. List the advantages and disadvantages of each deployment model. | Complete | Account Linking Approaches with Risks and incorporated in final document. | N/A | In the final report, the information from the document listed here was split across multiple sections, but the contrast between the approaches was discussed. |
6 | Provide application owners with recommendations regarding risk profiles when using external identities. (These profiles need not be based on the traditional 800-63 categories.) Describe various approaches to risk management. | Complete | External Identities Workgroup Meeting at ACAMP - 2014-10-27 and incorporated and expanded upon in final document. | N/A | This was done more as stating the risks and calling out use cases that affect assessment of risk than defining formal risk profiles. |
7 | Document various approaches to account linking: | Complete | Account Linking Approaches with Risks and in final document | N/A | These topics were all addressed, with the possible exception of #3, where the concept of an "identifier" is defined, but requirements of external identity properties were not elaborated upon. |
8 | Produce a set of longer-lived recommendations for practitioners, roughly comparable to the NMI-DIR documents (e.g., papers, not just wiki pages). | Complete? | The final document is intended to meet this role. Out for comment to see how well it holds up to the desire. | | |
...