IMS Security Audit: 2021

IMS Final Release
Spec Version 1.0
Document Version: 1.0
Date Issued: December 1st, 2021
Status: This document is made available for adoption by the public community at large.
This version: https://www.imsglobal.org/spec/secaudit/v1p0/other/

IPR and Distribution Notice

Recipients of this document are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of the specification set forth in this document, and to provide supporting documentation.

IMS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on IMS's procedures with respect to rights in IMS specifications can be found at the IMS Intellectual Property Rights webpage: http://www.imsglobal.org/ipr/imsipr_policyFinal.pdf .

Use of this specification to develop products or services is governed by the license with IMS found on the IMS website: http://www.imsglobal.org/speclicense.html.

Permission is granted to all parties to use excerpts from this document as needed in producing requests for proposals.

The limited permissions granted above are perpetual and will not be revoked by IMS or its successors or assigns.

THIS SPECIFICATION IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NONINFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY USE OF THIS SPECIFICATION SHALL BE MADE ENTIRELY AT THE IMPLEMENTER'S OWN RISK, AND NEITHER THE CONSORTIUM, NOR ANY OF ITS MEMBERS OR SUBMITTERS, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER, DIRECTLY OR INDIRECTLY, ARISING FROM THE USE OF THIS SPECIFICATION.

Public contributions, comments and questions can be posted here: http://www.imsglobal.org/forums/ims-glc-public-forums-and-resources .

© 2022 IMS Global Learning Consortium, Inc. All Rights Reserved.

Trademark information: http://www.imsglobal.org/copyright.html

Executive Summary

Version 1.0 of the IMS Security Framework was released in May 2019 with version 1.1 released in August 2021. In the Security Framework document, IMS defined a set of patterns for security that all IMS specifications MUST reference. The security patterns are based upon the appropriate standards and specifications published by other organizations. The aim was to make use of the appropriate solutions and best practices already adopted in the IT sector as a whole. The functionality addressed in the Security Framework will be extended in response to the new and changing requirements from the suite of published IMS specifications.

Once the Security Framework had been published, IMS established the Security Committee. The membership of the Security Committee is composed of the IMS Technical Staff and experts in Security drawn from the IMS Contributing Members. The first meeting of the IMS Security Committee was in October 2019. A key output required from the Security Committee is an annual audit document that reports on all aspects of security with respect to the IMS specifications. The 2020 IMS Security Audit document was the first such publication, and this 2021 Audit document is the second. This audit covers the following areas:

  • Recommendations on how the adoption of the Security Framework can be improved in the published IMS specifications;
  • Recommendations on how the adoption of the Security Framework can be improved in the IMS specifications under development;
  • Recommendations on how the adoption of the Security Framework can be improved in the non-documentation artifacts published by IMS;
  • Recommendations to improve the Security Framework;
  • Recommendations to improve the effectiveness of the Security Committee.

Seventy (70) specifications were reviewed and thirty (30) recommendations were produced for thirty (30) of those specifications. The associated completion time line groups these recommendations into high (6), medium (8) and low (22) priorities. The aim is to complete all of the high priority recommendations by 2022-03-31, the medium by 2022-06-30 and the low by 2022-09-30.

1. Introduction

1.1 Scope and Context

Version 1.0 of the IMS Security Framework was released in May 2019 and version 1.1 in August 2021. In the Security Framework document, IMS defined a set of patterns for security that all IMS specifications MUST reference. The security patterns are based upon the appropriate standards and specifications published by other organizations. The aim was to make use of the appropriate solutions and best practices already adopted in the IT sector as a whole. The functionality addressed in the Security Framework will be extended in response to the new and changing requirements from the suite of published IMS specifications.

IMS established the Security Committee to take responsibility for:

  • Monitoring the adoption and use of the recommended security patterns in the IMS specifications;
  • Development and maintenance of the security framework to reflect the changing requirements of the IMS specification suite and the evolving best practices from the broader security community.

The membership of the Security Committee is composed of the IMS Technical Staff and experts in Security drawn from the IMS Contributing Members. The first meeting of the IMS Security Committee was in October 2019. A key output required from the Security Committee is an annual audit document that reports on all aspects of security with respect to the IMS specifications. This 2021 IMS Security Audit document is the second such publication. This audit covers the following areas:

  • Recommendations on how the adoption of the Security Framework can be improved in the published IMS specifications;
  • Recommendations on how the adoption of the Security Framework can be improved in the IMS specifications under development;
  • Recommendations on how the adoption of the Security Framework can be improved in the non-documentation artifacts published by IMS;
  • Recommendations to improve the Security Framework;
  • Recommendations to improve the effectiveness of the Security Committee.

Finally, the audit includes a time line during which the set of recommendations SHOULD be completed.

1.3 Structure of this Document

The structure of the rest of this document is:

2. Review of the Recommendations Listed in the Security Audit 2020
A report on the completion status of the set of recommendations made in the Audit 2020.
3. Security Review of the IMS Specifications
An overview of the set of IMS specifications covered by the detailed security review presented in Appendix C.
4. Review of the Security Framework 1.1
A review of the latest version of the Security Framework and identification of any actions requiring creation of a new version.
5. Review of the Security Committee
Review of the composition and activities of the Security Committee.
6. Recommendations
The detailed set of recommendations including the priority of those recommendations and the proposed time line for completing the recommendations.
APPENDIX A – Security Committee Terms of Reference
The terms of reference under which the IMS Security Committee operates.
APPENDIX B – Members of the Security Committee
Identification of the members of the security committee taken from the IMS Contributing Members and IMS staff.
APPENDIX C – Reviewed IMS Specifications
The set of reports for the security reviews for each of the IMS specifications and for the relevant versions of a specification.
APPENDIX D – REVISION HISTORY
History of the various published versions of this document. This includes details of the changes made with respect to the previously published version.
APPENDIX E – REFERENCES
The details of the set of documents cited within this document.
APPENDIX F – LIST OF CONTRIBUTORS
The people who were responsible for the creation of this document.

1.4 Nomenclature & Terminology

Candidate Final
IMS Specifications which are marked as 'Candidate Final' are deemed by the corresponding Project Group to be stable solutions ready for early adoption. Therefore, IMS Contributing Members who undertake early adoption can achieve formal certification.
Charter Document
This is the first formal document that MUST be created by IMS Members to justify the establishment of a Project Group for the creation or revision of an IMS specification. The Charter Document establishes the core use-cases and the scope of the specification development work. The TAB votes on a Charter Document.
Contributing Member
IMS Contributing Members lead the development of IMS standards and strategic initiatives that save the edtech community millions of dollars and years of time accelerating digital transformation. Each Contributing Member has one representative on the IMS Technical Advisory Board.
Final Release
IMS Specifications which are marked as 'Final Release' have been approved for public release by the IMS Technical Advisory Board. Certification is available to IMS Members.
IMS Specification
A formal publication by IMS that addresses a specific interoperability problem for the edtech community. Each specification includes a technology binding definition and the implementation guide. In many cases, an edtech system will use more than one IMS specification.
IMS Technical Advisory Board (TAB)
The TAB operates as a committee of the whole to review and approve the activities of its various Task Forces and Project Groups which are the primary working bodies of the TAB for initial specification chartering and development. Each IMS Contributing Member has one TAB representative, each of whom has one vote.
Project Group
Project Groups are small teams with at least five actively participating Contributing Members charged to carry out the specific development or coordination tasks described in an approved Charter. Project Groups are organized for a specific time specified in a Charter.
Public Candidate Final
IMS Specifications which are marked as 'Public Candidate Final' have been approved for public release by the Project Group responsible for the development of the corresponding specification. These specifications are still undergoing development with IMS Contributing Members undertaking early adoption and formal certification.

1.5 Acronyms

AfA
Access for All
AfADRD
Access for All Digital Resource Description
AfAPNP
Access for All Personal Needs & Preferences
AMQP
Asynchronous Message Queuing Protocol
API
Application Programming Interface
APIP
Accessible Portable Item Protocol
ASI
Assessment, Section & Item
CASE
Competencies and Academic Standards Exchange
CAT
Computer Adaptive Testing
CC
Common Cartridge
CLR
Comprehensive Learner Record
CM
Contributing Member
CPS
Course Planning & Scheduling
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
IEEE
Institute of Electrical and Electronics Engineers
IETF RFC
Internet Engineering Task Force Request For Comments
ISO/IEC
International Standards Organization/International Electrotechnical Committee
IWB/CFF
Interactive Whiteboard/Common File Format
JSON
JavaScript Object Notation
JSON-LD
JavaScript Object Notation Linked Data
LDAP
Lightweight Directory Access Protocol
LIP
Learner Information Package
LIS
Learning Information Services
LOM
Learning Object Metadata
LOR
Learning Object Repository
LTI
Learning Tools Interoperability
LTS
Learning Technology System
NISO
National Information Standards Organization
OR
OneRoster
PAS
Planning & Allocation System
PCI
Portable Custom Interaction
QTI
Question & Test Interoperability
RDCEO
Reusable Definition of Competency or Educational Objectives
REST
Representational State Transfer
RLI
Resource List Interoperability
SCORM
Shareable Content Object Reference Model
SIS
Student Information System
SOAP
Simple Object Access Protocol
SSL
Secure Sockets Layer
SSP
Shareable State Persistence
TAB
Technical Advisory Board
TCC
Thin Common Cartridge
TEI
Technology Enhanced Item
TLS
Transport Layer Security
URL
Uniform Resource Locator
VDEX
Vocabulary Definition Exchange
WSDL
Web Services Description Language
XML
Extensible Markup Language
XSD
XML Schema Definition

2. Review of the Recommendations Listed in the Security Audit 2020

The status of the set of recommendations from the Security Audit Report 2020 document is shown in the table below. A summary of the progress on the forty-one (41) recommendations is:

  • Nine (9) recommendations have been completed;
  • Twenty seven (27) recommendations are in 'Roll-over' status with the expectation they will be completed in 2022;
  • Three (3) recommendations are 'In-progress' with the changes under review by the corresponding Work Group/Task Force;
  • Two (2) recommendations are 'Outstanding' status with the expectation they will be completed in 2022. In both cases the recommendations are concerned with specifications (Caliper 1.1 and APIP 1.0) that have little recent or new adoption.

The permitted values for the status column are:

  • Complete - the recommendation has been completed (the date of completion is supplied);
  • Roll-over - the recommendation has not been started because the corresponding specification development phase has not been completed;
  • In-progress - the recommendation changes are underway and subject to completion/review;
  • Outstanding - no work has been undertaken on this recommendation.

List of specifications reviewed in the 2020 security audit.

| Recommendation | Specification | Priority | Status |
|---|---|---|---|
| 2020-SPEC-01 | Access for All Digital Resources Description (AfA DRD) 3.0 | Low | Roll-over |
| 2020-SPEC-02 | Access for All Personal Needs & Preferences (AfA PNP) 3.0 (1) | Medium | Roll-over |
| 2020-SPEC-03 | Access for All Personal Needs & Preferences (AfA PNP) 3.0 (2) | Medium | Roll-over |
| 2020-SPEC-04 | Access for All Personal Needs & Preferences (AfA PNP) 2.0 | Medium | COMPLETE (2021-11-08) |
| 2020-SPEC-05 | Caliper Analytics 1.2 | High | In-progress |
| 2020-SPEC-06 | Caliper Analytics 1.1 | High | Outstanding |
| 2020-SPEC-07 | Common Cartridge 1.4 | High | Roll-over |
| 2020-SPEC-08 | Thin Common Cartridge 1.4 | High | Roll-over |
| 2020-SPEC-09 | Competency & Academic Standards Exchange 1.0 | High | Roll-over |
| 2020-SPEC-10 | Comprehensive Learner Record 1.0 | High | COMPLETE (2021-01-14) |
| 2020-SPEC-11 | Computer Adaptive Testing 1.0 | Medium | Roll-over |
| 2020-SPEC-12 | LTI Advantage Core 1.3 | Low | Roll-over |
| 2020-SPEC-13 | LTI Advantage Deep Linking 2.0 | Low | Roll-over |
| 2020-SPEC-14 | LTI Advantage Assignment & Grade Service 2.0 | Low | Roll-over |
| 2020-SPEC-15 | LTI Advantage Names & Role Provisioning Service 2.0 | Low | Roll-over |
| 2020-SPEC-16 | Learning Tools Interoperability (LTI) Resource Search 1.0 | Medium | In-progress |
| 2020-SPEC-17 | OneRoster 1.2: Rostering Service | Low | Roll-over |
| 2020-SPEC-18 | OneRoster 1.2: Resources Service | Low | Roll-over |
| 2020-SPEC-19 | OneRoster 1.2: Gradebook Service | Low | Roll-over |
| 2020-SPEC-20 | Assessment Results Profile of the Gradebook Service 1.0 | Low | Roll-over |
| 2020-SPEC-21 | OneRoster 1.2: CSV Binding (1) | Medium | Roll-over |
| 2020-SPEC-22 | OneRoster 1.2: CSV Binding (2) | Low | Roll-over |
| 2020-SPEC-23 | OneRoster 1.2: European Profile 1.0 | Low | Roll-over |
| 2020-SPEC-24 | OneRoster 1.1 Service (REST API) | High | COMPLETE (2021-10-21) |
| 2020-SPEC-25 | OneRoster 1.1 CSV Binding | High | COMPLETE (2021-11-01) |
| 2020-SPEC-26 | Open Badges 2.1 | Low | In-progress |
| 2020-SPEC-27 | OpenVideo Metadata 1.0 | Low | Roll-over |
| 2020-SPEC-28 | Proctoring Service 1.0 | Low | Roll-over |
| 2020-SPEC-29 | Question & Test Interoperability (QTI) 3.0: Assessment, Section & Item (ASI) | Low | Roll-over |
| 2020-SPEC-30 | Question & Test Interoperability (QTI) 3.0: Metadata | Low | Roll-over |
| 2020-SPEC-31 | Question & Test Interoperability (QTI) 3.0: Results Reporting (1) | Medium | Roll-over |
| 2020-SPEC-32 | Question & Test Interoperability (QTI) 3.0: Results Reporting (2) | Low | Roll-over |
| 2020-SPEC-33 | Question & Test Interoperability (QTI) 3.0: Usage Data & Item Statistics (1) | Medium | Roll-over |
| 2020-SPEC-34 | Question & Test Interoperability (QTI) 3.0: Usage Data & Item Statistics (2) | Low | Roll-over |
| 2020-SPEC-35 | Question & Test Interoperability (QTI) 2.2: Results Reporting | Medium | COMPLETE (2021-11-02) |
| 2020-SPEC-36 | Question & Test Interoperability (QTI) 2.2: Usage Data & Item Statistics | Low | COMPLETE (2021-11-02) |
| 2020-SPEC-37 | Accessible Portable Item Protocol (APIP) 1.0 | Medium | Outstanding |
| 2020-SPEC-38 | Portable Custom Interaction (PCI) 1.0 | High | Roll-over |
| 2020-SFWK-01 | IMS Security Framework 1.0 (1) | High | COMPLETE (2021-08-01) |
| 2020-SFWK-02 | IMS Security Framework 1.0 (2) | High | COMPLETE (2021-08-01) |
| 2020-SCOM-01 | Security Committee | High | COMPLETE (2021-03-01) |

3. Security Overview of IMS Specifications

The set of specifications that have been reviewed in this Security Audit are listed in Table 3.1. The detailed reviews of these specifications are presented in Appendix C. Seventy (70) specifications have been reviewed, with thirty-six (36) recommendations produced for thirty (30) of those specifications. The set of recommendations and the proposed time line for completion are discussed in Section 5.

Table 3.1 - List of specifications reviewed in the 2021 security audit.

| Specification Set | Specification | Version | Action Required |
|---|---|---|---|
| Access for All | Access for All Digital Resources Description | 3.0 | Yes |
| | Access for All Digital Resources Description | 2.0 | No |
| | Access for All Personal Needs & Preferences | 3.0 | Yes |
| | Access for All Personal Needs & Preferences | 2.0 | No |
| Caliper | Caliper Analytics | 1.2 | Yes |
| | Caliper Analytics | 1.1 | Yes |
| | Caliper Analytics | 1.0 | No |
| Common Cartridge | Common Cartridge | 1.4 | Yes |
| | Common Cartridge | 1.3 | No |
| | Common Cartridge | 1.2 | No |
| | Thin Common Cartridge | 1.4 | Yes |
| | Thin Common Cartridge | 1.3 | No |
| | Thin Common Cartridge | 1.2 | No |
| Competency Definitions | Competency & Academic Standards Exchange (CASE) | 1.0 | Yes |
| | Reusable Definition of Competency or Educational Objectives (RDCEO) | 1.0 | No |
| Comprehensive Learner Record | Comprehensive Learner Record (CLR) | 2.0 | Yes |
| | Comprehensive Learner Record (CLR) | 1.0 | Yes |
| Computer Adaptive Testing | Computer Adaptive Testing (CAT) | 1.0 | Yes |
| Content Packaging | Content Packaging | 1.2 | No |
| Course Planning & Scheduling | Course Planning & Scheduling (CPS) | 1.0 | No |
| ePortfolio | ePortfolio | 1.0 | No |
| Interactive Whiteboard/Common File Format | Interactive Whiteboard/Common File Format (IWB/CFF) | 1.0 | No |
| Learning Design | Learning Design | 1.0 | No |
| Learner Information Package | Learner Information Package (LIP) | 1.0 | No |
| Learning Information Services | Learning Information Services (LIS) | 2.0.1 | No |
| Learning Tools Interoperability | Learning Tools Interoperability (LTI) Advantage Core | 1.3 | Yes |
| | LTI Advantage Deep Linking | 2.0 | Yes |
| | LTI Advantage Assignment & Grade Service | 2.0 | Yes |
| | LTI Advantage Names & Role Provisioning Service | 2.0 | Yes |
| | Learning Tools Interoperability | 1.1.2 | No |
| | Learning Tools Interoperability | 1.1.1 | No |
| | LTI Deep Linking | 1.0.1 | No |
| | LTI Deep Linking | 1.0.1 | No |
| | LTI Basic Outcomes | 1.1 | No |
| | LTI Names & Role Provisioning Service | 1.0.1 | No |
| | LTI Names & Role Provisioning Service | 1.0 | No |
| LTI Resource Search | LTI Resource Search | 1.0 | Yes |
| Metadata | Metadata | 1.3.2 | No |
| OneRoster | Rostering Service | 1.2 | Yes |
| | Resources Service | 1.2 | Yes |
| | Gradebook Service | 1.2 | Yes |
| | Assessment Results Profile of the Gradebook Service | 1.0 | Yes |
| | OneRoster: CSV Binding | 1.2 | Yes |
| | OneRoster Service (REST API) | 1.1 | No |
| | OneRoster CSV Binding | 1.1 | No |
| Open Badges | Open Badges | 3.0 | Yes |
| | Open Badges | 2.1 | Yes |
| | Open Badges | 2.0 | No |
| OpenVideo Metadata | OpenVideo Metadata | 1.0 | Yes |
| Proctoring | Proctoring Service | 1.0 | Yes |
| Question & Test Interoperability | Question & Test Interoperability (QTI): Assessment, Section & Item (ASI) | 3.0 | Yes |
| | Question & Test Interoperability (QTI): Metadata | 3.0 | Yes |
| | Question & Test Interoperability (QTI): Result Reporting | 3.0 | Yes |
| | Question & Test Interoperability (QTI): Usage Data & Item Statistics | 3.0 | Yes |
| | Question & Test Interoperability (QTI): Assessment, Section & Item (ASI) | 2.2 | No |
| | Question & Test Interoperability (QTI): Metadata | 2.2 | No |
| | Question & Test Interoperability (QTI): Result Reporting | 2.2 | No |
| | Question & Test Interoperability (QTI): Usage Data & Item Statistics | 2.2 | No |
| | Question & Test Interoperability (QTI): Assessment, Section & Item (ASI) | 2.1 | No |
| | Question & Test Interoperability (QTI): Result Reporting | 2.1 | No |
| | Question & Test Interoperability (QTI): Metadata & Usage Data | 2.1 | No |
| | Question & Test Interoperability (QTI): Item | 2.0 | No |
| | Question & Test Interoperability (QTI): Metadata & Usage Data | 2.0 | No |
| | Question & Test Interoperability (QTI): | 1.2.1 | No |
| | Accessible Portable Item Protocol (APIP) | 1.0 | Yes |
| | Portable Custom Interaction (PCI) | 1.0 | Yes |
| Resource List Interoperability | Resource List Interoperability (RLI) | 1.0 | No |
| Shareable State Persistence | Shareable State Persistence (SSP) | 1.0 | No |
| Simple Sequencing | Simple Sequencing | 1.0 | No |
| Vocabulary Definition Exchange | Vocabulary Definition Exchange (VDEX) | 1.0 | No |

4. Review of the Security Framework 1.1

This review is composed of the feedback from the Security Committee and the issues raised on the GitHub Repo for the Security Framework.

4.1 Review by the Security Committee

All of the issues raised by the Security Committee's review of the Security Framework were addressed as part of the Security Framework 1.1 revision.

4.2 Issues Raised on the Security Framework 1.0

All issues raised are listed under the GitHub Repo for the Security Framework.

All of the outstanding issues were resolved as part of the Security Framework 1.1 revision. At present there are no outstanding issues.

5. Review of the Security Committee

During 2021 the Security Committee has been meeting, virtually, once per month. The current membership of the Security Committee is listed in Appendix B. The membership consists of three IMS Staff and six representatives from the IMS Contributing Members. As recommended in the 2020 audit, the Membership of the committee was changed in 2021 with the addition of Kristian Horwood (D2L) and Sriram Seshadri (Clever). No further changes are planned in 2022.

The Terms of Reference for the Security Committee are given in Appendix A. Technical perspectives that have been discussed by the Security Committee are:

  • The use of WebAuthn should be considered for inclusion. WebAuthn is an alternative to the use of passwords and is an authentication standard supported by OAuth 2.0. Further investigation on the usage of WebAuthn will be undertaken;
  • The IETF are working on a draft RFC for OAuth 2.1 (the latest working document was released in July 2020). A key difference between this new version and 2.0 is deprecation of the 'Implicit' and 'Password Grant' flows (neither of which is permitted in the Security Framework). The development of this new version of OAuth 2.1 is being tracked;
  • More discussions on the security considerations for Publish/Subscribe and Asynchronous service support were held. The EDU-API Working Group are developing an Asynchronous Publish/Subscribe service binding using the Asynchronous Message Queuing Protocol (AMQP) 1.0. Further discussions by the Security Committee will be held once the initial draft documents have been made available by the EDU-API Working Group;
  • HTTP 2 is now being deployed in some EdTech systems. At present usage of HTTP 2.0 is not expected to alter the Security Framework patterns;
  • The replacement of the use of Cookies in LTI 1.3. It is expected that the LTI Working Group will present the proposed replacement technique to the Security Committee in 2022.

There are no RECOMMENDATIONS regarding these technical developments. The Security Committee will monitor these technologies and act appropriately.

6. Recommendations

The set of recommendations identified by this audit are listed in the set of Tables below. Each recommendation includes:

  • A unique identifier for the recommendation;
  • Identification of the subject of the recommendation (specification, document, group);
  • Priority for completion (high, medium, low);
  • The nature of the action required to complete the recommendation;
  • A brief description of the activity required to complete the recommendation.

The 36 recommendations are grouped as: High (6), Medium (8) and Low (22).

ID 2021-SPEC-01
Specification Comprehensive Learner Record 1.0
Priority Low
Nature Minor Documentation Update
Description The CLR 1.0 documentation needs to be revised to cite IMS Security Framework 1.1 specification. This is a documentation revision only and NOT a new version of the specification.
ID 2021-SPEC-02
Specification Comprehensive Learner Record 2.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2021-SPEC-03
Specification Open Badges 3.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2020-SPEC-01
Specification Access for All Digital Resources Description (AfA DRD) 3.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2020-SPEC-02
Specification Access for All Personal Needs & Preferences (AfA PNP) 3.0
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of an AfA PNP XML instance.
ID 2020-SPEC-03
Specification Access for All Personal Needs & Preferences (AfA PNP) 3.0
Priority Medium
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2020-SPEC-05
Specification Caliper Analytics 1.2
Priority High
Nature Minor Specification Documentation Editorial Revision
Description A Caliper Sensor is REQUIRED to use an OAuth 2.0-based authentication mechanism. This specification MUST be revised so that it fully aligns with the IMS Security Framework 1.1. This MAY be achieved as a documentation update.
ID 2020-SPEC-06
Specification Caliper Analytics 1.1
Priority High
Nature Minor Specification Documentation Editorial Revision
Description A Caliper Sensor is REQUIRED to use an OAuth 2.0-based authentication mechanism. This specification MUST be revised so that it fully aligns with the IMS Security Framework 1.1. This MAY be achieved as a documentation update.
ID 2020-SPEC-07
Specification Common Cartridge 1.4
Priority High
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2020-SPEC-08
Specification Thin Common Cartridge 1.4
Priority High
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, this specification MUST be formally reviewed by the Security Committee.
ID 2020-SPEC-09
Specification Competency & Academic Standards Exchange 1.0
Priority High
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange, when applicable, using OAuth 2 Client Credentials as defined in the IMS Security Framework 1.1.
ID 2020-SPEC-11
Specification Computer Adaptive Testing 1.0
Priority Medium
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-12
Specification LTI Advantage Core 1.3
Priority Low
Nature Minor Specification Revision
Description At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established.
ID 2020-SPEC-13
Specification LTI Advantage Deep Linking 2.0
Priority Low
Nature Minor Specification Revision
Description At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established.
ID 2020-SPEC-14
Specification LTI Advantage Assignment & Grade Service 2.0
Priority Low
Nature Minor Specification Revision
Description At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established.
ID 2020-SPEC-15
Specification LTI Advantage Names & Role Provisioning Service 2.0
Priority Low
Nature Minor Specification Revision
Description At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established.
ID 2020-SPEC-16
Specification Learning Tools Interoperability (LTI) Resource Search 1.0
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of LTI Resource Search JSON payloads.
ID 2020-SPEC-17
Specification OneRoster 1.2: Rostering Service
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-18
Specification OneRoster 1.2: Resources Service
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-19
Specification OneRoster 1.2: Gradebook Service
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-20
Specification Assessment Results Profile of the Gradebook Service 1.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-21
Specification OneRoster 1.2: CSV Binding
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of the CSV files.
ID 2020-SPEC-22
Specification OneRoster 1.2: CSV Binding
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-23
Specification OneRoster 1.2: European Profile 1.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as a Final Release, this specification MUST undergo formal review by the IMS Security Committee.
ID 2020-SPEC-26
Specification Open Badges 2.1
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee for alignment with the IMS Security Framework 1.1.
ID 2020-SPEC-27
Specification OpenVideo Metadata 1.0
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply.
ID 2020-SPEC-28
Specification Proctoring Service
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release, the Proctoring Service MUST be reviewed by the Security Committee to ensure the service is correctly aligned with the IMS Security Framework 1.1.
ID 2020-SPEC-29
Specification Question & Test Interoperability (QTI) 3.0: Assessment, Section & Item (ASI)
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply.
ID 2020-SPEC-30
Specification Question & Test Interoperability (QTI) 3.0: Metadata
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply.
ID 2020-SPEC-31
Specification Question & Test Interoperability (QTI) 3.0: Results Reporting
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of a QTI Results Report XML instance.
ID 2020-SPEC-32
Specification Question & Test Interoperability (QTI) 3.0: Results Reporting
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee.
ID 2020-SPEC-33
Specification Question & Test Interoperability (QTI) 3.0: Usage Data & Item Statistics
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of a QTI Usage Data & Item Statistics XML instance.
ID 2020-SPEC-34
Specification Question & Test Interoperability (QTI) 3.0: Usage Data & Item Statistics
Priority Low
Nature Review of Proposed Final Release by Security Committee
Description Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee.
ID 2020-SPEC-37
Specification Accessible Portable Item Protocol (APIP) 1.0
Priority Medium
Nature Implementation Guide Update
Description Update the Implementation Guide to include recommendations for secure exchange of APIP data instances.
ID 2020-SPEC-38
Specification Portable Custom Interaction (PCI) 1.0
Priority High
Nature Review of Proposed Final Release by Security Committee
Description Before Final Release this specification MUST undergo formal review by the IMS Security Committee.

6.1 Implementing the Recommendations

The proposed timeline for the completion of the above set of recommendations is detailed in the Table below. The recommended timescales are:

  • High - to be completed before 2022-03-31;
  • Medium - to be completed before 2022-06-30;
  • Low - to be completed before 2022-09-30.
Timeline for Completing the Recommendations
Priority ID Target Date Description
High 2020-SPEC-05 2021-03-31 Minor Specification Revision of the Caliper Analytics 1.2
2020-SPEC-06 2021-03-31 Minor Specification Revision of the Caliper Analytics 1.1
2020-SPEC-07 2021-03-31 Review of Proposed Final Release by Security Committee of the Common Cartridge 1.4
2020-SPEC-08 2021-03-31 Review of Proposed Final Release by Security Committee of the Thin Common Cartridge 1.4
2020-SPEC-09 2021-03-31 Implementation Guide Update of the Competency & Academic Standards Exchange 1.0
2020-SPEC-38 2021-03-31 Review of Proposed Final Release by Security Committee of the Portable Custom Interaction 1.0
Medium 2020-SPEC-02 2021-06-30 Implementation Guide Update of the Access for All Personal Needs & Preferences 3.0
2020-SPEC-03 2021-06-30 Review of Proposed Final Release by Security Committee of the Access for All Personal Needs & Preferences 3.0
2020-SPEC-11 2021-06-30 Review of Proposed Final Release by Security Committee of the Computer Adaptive Testing 1.0
2020-SPEC-16 2021-06-30 Implementation Guide Update of the Learning Tools Interoperability Resource Search 1.0
2020-SPEC-21 2021-06-30 Implementation Guide Update of the OneRoster 1.2: CSV Binding
2020-SPEC-31 2021-06-30 Implementation Guide Update of the Question & Test Interoperability 3.0: Results Reporting
2020-SPEC-33 2021-06-30 Implementation Guide Update of the Question & Test Interoperability 3.0: Usage Data & Item Statistics
2020-SPEC-37 2021-06-30 Implementation Guide Update of the Question & Test Interoperability 2.2: Accessible Portable Item Protocol 1.0
Low 2021-SPEC-01 2022-09-30 Minor Documentation Update of the Comprehensive Learner Record 1.0
2021-SPEC-02 2022-09-30 Review of Proposed Final Release by Security Committee of the Comprehensive Learner Record 2.0
2021-SPEC-03 2022-09-30 Review of Proposed Final Release by Security Committee of the Open Badges 3.0
2020-SPEC-01 2021-09-30 Review of Proposed Final Release by Security Committee of the Access for All Digital Resources Description 3.0
2020-SPEC-12 2021-06-30 Minor Specification Revision of the LTI Advantage Core 1.3
2020-SPEC-13 2021-06-30 Minor Specification Revision of the LTI Advantage Deep Linking 2.0
2020-SPEC-14 2021-06-30 Minor Specification Revision of the LTI Advantage Assignment & Grade Service 2.0
2020-SPEC-15 2021-06-30 Minor Specification Revision of the LTI Advantage Names & Role Provisioning Service 2.0
2020-SPEC-17 2021-06-30 Review of Proposed Final Release by Security Committee of the OneRoster 1.2 Rostering Service
2020-SPEC-18 2021-06-30 Review of Proposed Final Release by Security Committee of the OneRoster 1.2 Resources Service
2020-SPEC-19 2021-06-30 Review of Proposed Final Release by Security Committee of the OneRoster 1.2 Gradebook Service
2020-SPEC-20 2021-06-30 Review of Proposed Final Release by Security Committee of the Assessment Results Profile of the Gradebook Service 1.0
2020-SPEC-22 2021-06-30 Review of Proposed Final Release by Security Committee of the OneRoster 1.2: CSV Binding
2020-SPEC-23 2021-06-30 Review of Proposed Final Release by Security Committee of the OneRoster 1.2: European Profile 1.0
2020-SPEC-26 2021-06-30 Review of Proposed Final Release by Security Committee of the Open Badges 2.1
2020-SPEC-27 2021-06-30 Review of Proposed Final Release by Security Committee of the OpenVideo Metadata 1.0
2020-SPEC-28 2021-06-30 Review of Proposed Final Release by Security Committee of the Proctoring Service 1.0
2020-SPEC-29 2021-09-30 Review of Proposed Final Release by Security Committee of the Question & Test Interoperability 3.0: Assessment, Section & Item (ASI)
2020-SPEC-30 2021-09-30 Review of Proposed Final Release by Security Committee of the Question & Test Interoperability 3.0: Metadata
2020-SPEC-32 2021-09-30 Review of Proposed Final Release by Security Committee of the Question & Test Interoperability 3.0: Results Reporting
2020-SPEC-34 2021-09-30 Review of Proposed Final Release by Security Committee of the Question & Test Interoperability 3.0: Usage Data & Item Statistics
2020-SPEC-36 2021-09-30 Implementation Guide Update of the Question & Test Interoperability 3.0: Usage Data & Item Statistics

A. Security Committee Terms of Reference

A.1 Aims & Objectives

The aim of the Security Committee is to provide the technical work within IMS with appropriate security expertise and oversight. The objectives for achieving this aim are:

  • Oversight of the maintenance and revision of the IMS Security Framework;
  • Monitoring of the use of the Security Framework as the IMS specifications are created, maintained and revised;
  • Completion of the annual audit of the IMS specifications and related technical work with respect to the Security Framework;
  • Providing awareness and insights into the new requirements, technical developments and best practices in the field of security with respect to EdTech.

A.2 Responsibilities & Outputs

The responsibilities for the Security Committee are:

  • Reviewing of an IMS specification as part of the development of that specification. Each review will focus on the security aspects within the specification and will be undertaken as part of the completion of the Final Release documentation to be submitted to the IMS TAB. This review is to confirm that the Working Group has made appropriate use of the IMS Security Framework. Each review will be undertaken by IMS technical staff who are part of the Security Committee. The review will identify any changes to be made to the specification to ensure compliance with the Security Framework. Each review will itself be reviewed by the Security Committee. Review by the Security Committee will take place electronically with formal sign-off recorded at the following Security Committee meeting;
  • Completing the annual Security Audit and implementation of the recommendations from the audit report published in the previous year. The scope of the audit report is:
    • How the adoption of the Security Framework can be improved in the published IMS specifications;
    • How the adoption of the Security Framework can be improved in the IMS specifications under development;
    • How the adoption of the Security Framework can be improved in the non-documentation artifacts published by IMS;
    • How to improve the Security Framework;
    • How to improve the effectiveness of the Security Committee.

The formal outputs from the Security Committee are:

  • The written reviews of an IMS specification. These will be in the form of an email to the appropriate Working Group from the IMS Chief Architect, and copied to the Security Committee forum;
  • The annual Security Audit document. This will be published in the December of the corresponding year, and so is retrospective, and will be circulated to the IMS TAB.

A.3 Method of Working

The method of working for the Security Committee is:

  • The group will meet on a regular schedule (typically once per month) or as they deem appropriate;
  • Most meetings will take place electronically with the agenda circulated one week prior to the meeting;
  • Presentations will be made by the committee at the annual Learning Impact event and the Technical Congress held at the IMS Quarterly meeting in August.

A.4 Members and Membership of Committee

This is a standing committee with rotational membership comprised of providers that perform different roles in the education technology ecosystem, including Enterprise Platforms, Identity Providers, Software Apps and Tool providers. Terms for the committee are estimated to last between 2 and 3 years.

A key requirement is that the Security Committee is composed of the appropriate security expertise taken from the IMS Contributing Members. Membership of the Security Committee is restricted to:

  • The appropriate IMS Staff;
  • 6-8 representatives from the IMS Contributing Members of which 4-6 (at least 50% of the total taken from the Members) will be recognized experts in security.

A.5 Relationship with Other IMS Activities

It is important to note that IMS regularly refines the ways in which IMS specifications are created, revised and maintained. We are continually improving our processes and this will be the same for the Security Committee.

A.5.1 Relationship with the IMS Technical Advisory Board

The IMS TAB is responsible for voting to approve a proposal to work on a specification (the Charter Document) and for formally releasing a completed specification. The Security Committee will circulate, for information, the annual Security Audit report to the TAB.

A.5.2 Relationship with Project Groups

The IMS staff working on a specification, the Technical Architect and the Technical Program Manager, are the link between the Security Committee and a Project Group. The Security Committee is responsible for formally reviewing the specification documentation and other artifacts before public release.

B. Members of the Security Committee

The members of the IMS Security Committee for the 2019-2020 period are listed in the Table below.

Members of the Security Committee
Name Affiliation
Eric Galis Cengage
Karen Hartman Blackboard
Dereck Haskins IMS Global
Kristian Horwood D2L
Mark Leuba IMS Global
Mark McKell IMS Global
Burton Perkins Savvas
Sriram Seshadri Clever
Colin Smythe IMS Global
Uppili Srinivasan Oracle

NOTE:

  1. Mark McKell has left IMS Global and so did not participate after August 2021.

C. Reviewed IMS Specifications

C.1 Access for All (AfA)

Title Access for All Digital Resources Description (AfA DRD)
Version 3.0
Release Date September 2012 - Candidate Final Release 1.0 [AFA-DRD-30]
Description The AccessForAll DRD Specification provides a common language to describe digital learning resources to facilitate matching of those resources to learners' accessibility needs and preferences. Metadata can be used for at least two accessibility-related purposes: to record compliance to an accessibility specification or standard e.g. for adherence to legislated procurement policies and to enable the delivery of resources that meet a user’s needs and preferences. The AccessForAll DRD Specification is intended to describe aspects of a computer system (including networked systems) that can be adjusted to improve accessibility. They are not intended to address non-digital systems that can include physical location, other people, external processes, etc.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations Before Final Release, this specification MUST be formally reviewed by the Security Committee. This recommendation is now set for completion in 2022.
Title Access for All Personal Needs & Preferences (AfA PNP)
Version 3.0
Release Date February 2017 - Candidate Final Release 2.0 [AFA-PNP-30]
Description The AccessForAll PNP specification provides a common language for describing the learner or user needs and preferences when accessing digitally delivered resources or services. This description is one side of a pair of descriptions used in matching user needs and preferences with digital delivery. The AfA PNP specification is intended to meet the needs of learners with disabilities and for anyone in a disabling context. The purpose of the AfA PNP Specification is to provide a machine-readable method of stating user needs and preferences with respect to digitally based education or learning. The Candidate Final Release 2.0 revised the specification to align more closely with the needs of the QTI 3.0 ASI specification.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. An AfA PNP XML instance may contain sensitive personal information. Recommendations for securing the exchange of such instances MUST be addressed in the Implementation Guide.
Recommendations
  • Update the Implementation Guide to include recommendations for secure exchange of an AfA PNP XML instance. This recommendation is now set for completion in 2022.
  • Before Final Release, this specification MUST be formally reviewed by the Security Committee. This recommendation is now set for completion in 2022.
Title Access for All Digital Resources Description (AfA DRD)
Version 2.0
Release Date October 2009 - Final Release [AFA-DRD-20]
Description The AccessForAll DRD Specification provides a common language to describe digital learning resources to facilitate matching of those resources to learners' accessibility needs and preferences. Metadata can be used for at least two accessibility-related purposes: to record compliance to an accessibility specification or standard e.g. for adherence to legislated procurement policies and to enable the delivery of resources that meet a user’s needs and preferences. The AccessForAll DRD Specification is intended to describe aspects of a computer system (including networked systems) that can be adjusted to improve accessibility. They are not intended to address non-digital systems that can include physical location, other people, external processes, etc. This specification is also published as ISO Standard [ISO24751-3].
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None
Title Access for All Personal Needs & Preferences (AfA PNP)
Version 2.0
Release Date October 2009 - Final Release [AFA-PNP-20]
Description The AccessForAll PNP specification provides a common language for describing the learner or user needs and preferences when accessing digitally delivered resources or services. This description is one side of a pair of descriptions used in matching user needs and preferences with digital delivery. The AfA PNP specification is intended to meet the needs of learners with disabilities and for anyone in a disabling context. The purpose of the AfA PNP Specification is to provide a machine-readable method of stating user needs and preferences with respect to digitally based education or learning. This specification is also published as ISO Standard [ISO24751-2].
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. An AfA PNP XML instance may contain sensitive personal information. Recommendations for securing the exchange of such instances MUST be addressed in the Implementation Guide.
Recommendations None

C.2 Caliper Analytics

Title Caliper Analytics
Version 1.2
Release Date September 2020 - Final Release [CALIPER-12]
Description IMS Caliper Analytics is a technical specification that describes a structured set of vocabulary that assists institutions in collecting learning and usage data from digital resources and learning tools. This data can be used to present information to students, instructors, advisers, and administrators in order to drive effective decision making and promote learner success. The Caliper Analytics specification provides a structured approach to describing, collecting and exchanging learning activity data. Establishing a common vocabulary for describing learning interactions is a central objective. Promoting data interoperability, data sharing and data-informed decision making are also important goals. Caliper also defines an application programming interface (the Sensor API) for marshaling and transmitting event data from instrumented applications to target endpoints for storage, analysis and use.
Security The specification cites the use of the IMS Security Framework 1.0 and the use of TLS. It is also recommended that a Sensor SHOULD use RFC 6750 "Bearer" authentication [RFC6750].
Recommendations A Caliper Sensor is REQUIRED to use an OAuth 2.0-based authentication mechanism. This specification MUST be revised so that it fully aligns with the IMS Security Framework 1.1. This MAY be achieved as a documentation update. Completion of this recommendation is 'In-progress'.
Title Caliper Analytics
Version 1.1
Release Date January 2018 - Final Release [CALIPER-11]
Description The Caliper Analytics specification provides a structured approach to describing, collecting and exchanging learning activity data. Establishing a common vocabulary for describing learning interactions is a central objective. Promoting data interoperability, data sharing and data-informed decision making are also important goals. Caliper also defines an application programming interface (the Sensor API) for marshaling and transmitting event data from instrumented applications to target endpoints for storage, analysis and use.
Security A Caliper Sensor is REQUIRED to use a connection secured using TLS. It MUST also be capable of accessing standard HTTP request headers and support message authentication that utilizes the HTTP Authorization request header “Bearer” authentication scheme as described in RFC 6750 (Section 2.1) [RFC6750].
Recommendations A Caliper Sensor is REQUIRED to use an OAuth 2.0-based authentication mechanism. This specification MUST be revised so that it fully aligns with the IMS Security Framework 1.1. This MAY be achieved as a documentation update. Completion of this recommendation is 'Outstanding'.
Title Caliper Analytics
Version 1.0
Release Date October 2015 - Final Release [CALIPER-10]
Description The IMS Caliper Analytics Learning Measurement Framework represents a valuable, standards oriented, high impact solution to a very significant problem amidst the online learning delivery ecosystem. Currently, this ecosystem has an insufficient, inconsistent, and fragmented underlying measurement and metrics capability across fast emerging, federated content/learning activity elements sourced from a wide array of providers. By providing the necessary alignment and structure to what is and should be measured, along with a framework to support the capture and marshaling of data, IMS Caliper version 1.0 represents an achievable and valuable starting position. Moreover, the Caliper framework is extensible and aims to facilitate the likely iterative build-out, refinement, and enhancement of its capabilities.
Security The best practice document recommends the use of SSL/HTTPS. The authentication recommendations are the use of OAuth and the calls to an Event Store should be secured by an API Key. For the JavaScript sensors the call to the Consumer Event Store should be performed server-to-server to ensure the integrity of the key. The API key is stored in the authorization header.
Recommendations This version is superseded by versions 1.1 and 1.2 and so no recommendations for changes are made.

C.3 Common Cartridge/Thin Common Cartridge

Title Common Cartridge
Version 1.4
Release Date September 2020 - Candidate Final [CC-14]
Description Common Cartridge solves two problems. The first is to provide a standard way to represent digital course materials for use in online learning systems so that such content can be developed in one format and used across a wide variety of learning systems (often referred to as course management systems, learning management systems, virtual learning environments, or instructional management systems). The second is to enable new publishing models for online course materials and digital books that are modular, web-distributed, interactive, and customizable. The focus of Common Cartridge is interactive collaborative learning situations, typically with a teacher, professor, or instructor involved in guiding learners. The learning materials can be online, offline, or both - a situation often referred to as hybrid or blended learning.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations Before Final Release, this specification MUST be formally reviewed by the Security Committee. This recommendation is now set for completion in 2022.
Title Common Cartridge
Version 1.3
Release Date July 2013 - Final Release [CC-13]
Description Common Cartridge solves two problems. The first is to provide a standard way to represent digital course materials for use in online learning systems so that such content can be developed in one format and used across a wide variety of learning systems (often referred to as course management systems, learning management systems, virtual learning environments, or instructional management systems). The second is to enable new publishing models for online course materials and digital books that are modular, web-distributed, interactive, and customizable. The focus of Common Cartridge is interactive collaborative learning situations, typically with a teacher, professor, or instructor involved in guiding learners. The learning materials can be online, offline, or both - a situation often referred to as hybrid or blended learning.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations None
Title Common Cartridge
Version 1.2
Release Date October 2011 - Final Release [CC-12]
Description Common Cartridge solves two problems. The first is to provide a standard way to represent digital course materials for use in online learning systems so that such content can be developed in one format and used across a wide variety of learning systems (often referred to as course management systems, learning management systems, virtual learning environments, or instructional management systems). The second is to enable new publishing models for online course materials and digital books that are modular, web-distributed, interactive, and customizable. The focus of Common Cartridge is interactive collaborative learning situations, typically with a teacher, professor, or instructor involved in guiding learners. The learning materials can be online, offline, or both - a situation often referred to as hybrid or blended learning.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations None
Title Thin Common Cartridge
Version 1.4
Release Date September 2020 - Candidate Final [TCC-14]
Description Thin Common Cartridge (TCC) is based upon the equivalent version of full Common Cartridge. The primary difference is that a TCC supports ONLY two resource types, i.e. LTI Links and Web Links.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations Before Final Release, this specification MUST be formally reviewed by the Security Committee. This recommendation is now set for completion in 2022.
Title Thin Common Cartridge
Version 1.3
Release Date May 2015 - Final Release [TCC-13]
Description Thin Common Cartridge (TCC) is based upon the equivalent version of full Common Cartridge. The primary difference is that a TCC supports ONLY two resource types, i.e. LTI Links and Web Links.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations None
Title Thin Common Cartridge
Version 1.2
Release Date May 2015 - Final Release [TCC-12]
Description Thin Common Cartridge (TCC) is based upon the equivalent version of full Common Cartridge. The primary difference is that a TCC supports ONLY two resource types, i.e. LTI Links and Web Links.
Security This is a data-model only binding with the cartridge exchanged as a zip file. The manner in which the data is exchanged is beyond the scope of this specification. Support for LTI links is included and so the use of these links requires support for the associated security framework.
Recommendations None.

C.4 Competency Definitions

Title Competency & Academic Standards Exchange (CASE)
Version 1.0
Release Date July 2017 - Final Release [CASE-10]
Description The Competencies and Academic Standards Exchange (CASE) Service specification is the definition of how systems achieve the exchange of information about learning standards and/or competencies. The key aim is to replace the current ways of documenting a learning standard and competency, typically a PDF or HTML document, by one which is machine readable both syntactically and semantically. Further, using this new specification it will be possible to electronically exchange these definitions so that applications, systems and tools can readily access this data. Implementation of this service is based upon the use of a set of REST/JSON endpoints.
Security The Project Group strongly defended the position that there MUST be NO protection of the endpoints. Therefore the IMS Security Framework is not used.
The CASE Network service provided by IMS makes use of the CASE REST/JSON API. For the CASE Network a number of the endpoints are protected using OAuth 2 Client Credentials as defined in the IMS Security Framework 1.1.
Recommendations Update the Implementation Guide to include recommendations for secure exchange, when applicable, using OAuth 2 Client Credentials as defined in the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title Reusable Definition of Competency or Educational Objectives (RDCEO)
Version 1.0
Release Date October 2002 - Final Release [RDCEO-10]
Description The Reusable Definition of Competency or Educational Objective specification defines an information model for describing, referencing, and exchanging definitions of competencies, primarily in the context of online and distributed learning. In this specification, the word competency is used in a very general sense that includes skills, knowledge, tasks, and learning outcomes. This specification gives a way to formally represent the key characteristics of a competency, independent of its use in any particular context. It enables interoperability among learning systems that deal with competency information by providing a means for them to refer to common definitions with common meanings. The core information in a RDCEO is an unstructured textual definition of the competency that can be referenced through a globally unique identifier. The RDCEO specification provides a means to create common understandings of competencies that appear as part of a learning or career plan, as learning prerequisites, or as learning outcomes. The RDCEO that conform to this specification are intended for interchange by machines, but the information they contain is currently intended for human interpretation.

This IMS specification was adopted by the IEEE and published as: 1484.20.1-2007 - IEEE Standard for Learning Technology-Data Model for Reusable Competency Definitions [IEEE1484-20-1].
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None

C.5 Comprehensive Learner Record (CLR)

Title Comprehensive Learner Record
Version 2.0
Release Date Oct 2021 - New Specification Activity
Description The IMS Comprehensive Learner Record (CLR) specification has been designed to create, transmit, and render an individual's set of achievements, as issued by multiple learning providers, in a machine-readable format that can be curated into verifiable digital records of achievement. The CLR specification supports interoperability in that CLR publishers and consumers can consistently send, receive, and verify records among conformant systems. The CLR specification describes an information model, service definition, and implementation guide to allow institutions, suppliers, and others to 'extend' the traditional transcript with records and types of information that are typically not found in a traditional transcript, such as competency attainment, co-curricular activities, Open Badges, and to define and facilitate an institution's learner achievements record store for collection of CLRs. CLR data can be consumed by other schools, institutions, employers, and any other entities that are conformant as CLR consumers. In this machine-readable format, CLR data enables granular and expansive discoverability of learning achievements and competencies that was not previously possible.
Security The CLR specification defines the usage of both OAuth 2.0 Client Credentials and OAuth 2.0 Authorization Code Grant approaches depending on the actual usage. The specification is aligned with the IMS Security Framework 1.1 specification.
Recommendations Before Final Release, this specification MUST be formally reviewed by the Security Committee.
Title Comprehensive Learner Record
Version 1.0
Release Date Jan 2021 - Final Release [CLR-10]
Description The IMS Comprehensive Learner Record (CLR) specification has been designed to create, transmit, and render an individual's set of achievements, as issued by multiple learning providers, in a machine-readable format that can be curated into verifiable digital records of achievement. The CLR specification supports interoperability in that CLR publishers and consumers can consistently send, receive, and verify records among conformant systems. The CLR specification describes an information model, service definition, and implementation guide to allow institutions, suppliers, and others to 'extend' the traditional transcript with records and types of information that are typically not found in a traditional transcript, such as competency attainment, co-curricular activities, Open Badges, and to define and facilitate an institution's learner achievements record store for collection of CLRs. CLR data can be consumed by other schools, institutions, employers, and any other entities that are conformant as CLR consumers. In this machine-readable format, CLR data enables granular and expansive discoverability of learning achievements and competencies that was not previously possible.
Security The CLR specification defines the usage of both OAuth 2.0 Client Credentials and OAuth 2.0 Authorization Code Grant approaches depending on the actual usage. The specification is aligned with the IMS Security Framework 1.1 specification but cites version 1.0.
Recommendations The CLR 1.0 documentation needs to be revised to cite IMS Security Framework 1.1 specification. This is a documentation revision only and NOT a new version of the specification.

C.6 Computer Adaptive Testing

Title Computer Adaptive Testing
Version 1.0
Release Date November 2020 - Public Candidate Final [CAT-10]
Description The Computer Adaptive Testing (CAT) specification defines how to implement adaptive testing based upon assessments defined using the IMS Question and Test Interoperability (QTI) specification. This specification defines the data that is exchanged, and how the data is exchanged, between an Assessment delivery system and a CAT engine. The CAT engine is responsible for identifying and supplying the set of Items (the encoded questions) to be delivered in an assessment. This approach allows the use of protected algorithms (black box) with different sets of data such as psychometric data, constraints, stopping criteria, etc.
Security The CAT specification makes use of OAuth 2.0 Client Credentials as defined in the IMS Security Framework 1.1. The specification includes definition of the associated set of ‘scopes’. There are NO extensions/changes with respect to the IMS Security Framework 1.1.
Recommendations A formal review by the Security Committee of the security aspects should be undertaken before publication as a Final Release. This recommendation is now set for completion in 2022.

C.7 Content Packaging

Title Content Packaging
Version 1.2
Release Date March 2007 - Public Draft 2.0 [CP-12]
Description IMS Content Packaging describes data structures that can be used to exchange data between systems that wish to import, export, aggregate, and disaggregate packages of content. The specification enables exporting content from one LMS or digital repository and importing it into another while retaining information that describes the media in the IMS content package and how it is structured, such as a table of contents or which HTML page to show first.

The IMS Content Packaging Specification focuses on the packaging and transport of resources, but doesn’t determine the nature of those resources. The specification allows adopters to gather, structure, and aggregate content in an unlimited variety of formats. The central part of a content package is the manifest. A manifest describes the logical package and the relationships among all of its components. The manifest is both an XML document, and, more abstractly, the structural information in that document. Within the manifest, the resources section functions as a bill of materials. It lists all files that are contained in the interchange package and all references to resources that reside elsewhere. In certain cases, it may also contain specialized structural content in the resources section of the manifest document itself. Finally, the organization section of the manifest structures all of the content package’s components into a piece of educational content.

In 2009 the IMS Content Packaging was standardized by ISO/IEC and is available as ISO/IEC 12785-1:2009 [ISO12785-1], ISO/IEC 12785-2:2011 [ISO12785-2] and ISO/IEC TR 12785-3:2012 [ISO12785-3].
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None.

C.8 Course Planning & Scheduling

Title Course Planning & Scheduling
Version 1.0
Release Date December 2013 - Candidate Final [CPS-10]
Description The Course Planning & Scheduling (CPS) specification is an application profile of Learning Information Services (LIS). CPS is the definition of how systems manage the exchange of information used for the planning and scheduling of courses, the optimal use of facilities within an institution and the corresponding timetables for people within the institution. As resources and space are at a premium in educational institutions it is important that classrooms and equipment are used optimally. The Planning and Allocation System (PAS) specializes in optimizing the use of rooms and resources. The PAS contains information about the size of rooms, the best use of rooms (e.g. not putting a lecture into a laboratory), and the locations of rooms. A PAS system is typically used by an institution to ensure that rooms are allocated to classes sensibly.
Security There is no security requirement defined in the LIS specification. The web services are described using WSDL.
Recommendations No products are certified with respect to this specification. Therefore, it is recommended that no changes be made to this specification.

C.9 ePortfolio

Title ePortfolio
Version 1.0
Release Date June 2005 - Final Release [EP-10]
Description Originally, ePortfolios took the form of static Web pages; their growth over the last few years has been fueled by the growing availability of commercial and open source ePortfolio tools in the form of database-driven Web applications. The IMS ePortfolio specification defines a portable ePortfolio to ensure the educational continuity between programs within an educational institution that use ePortfolios, the integration of evidence about learning over time, and the smooth transfer of verifiable information about learning and evaluation between institutions, levels of education, and employers. From an individual perspective, information about and artifacts of a person's performance and achievement, as recorded in an ePortfolio, need to operate across institutions and countries throughout their lifetime.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within an ePortfolio instance may be considered sensitive.
Recommendations No products are certified with respect to this specification. This specification is superseded by the new IMS Comprehensive Learner Record (CLR) specification. Therefore, it is recommended that no changes be made to this specification.

C.10 Interactive Whiteboard (IWB)/Common File Format (CFF)

Title Interactive Whiteboard (IWB)/Common File Format (CFF)
Version 1.0
Release Date February 2012 - Final Release [IWB-10]
Description The IMS Interactive WhiteBoard/Common File Format (IWB/CFF) specification defines a file format to hold content primarily designed to be viewed on a large display. Much of this content is designed to be interactive, so objects can move around the page. The primary goal of this format is to establish a way to organize files that can be opened, edited, saved and used across many whiteboard applications so that teaching content can be exchanged between establishments. To this goal the format must be simple but extendible in a restricted way to ensure compatibility.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations No products are certified with respect to this specification. Therefore, it is recommended that no changes be made to this specification.

C.11 Learning Design

Title Learning Design
Version 1.0
Release Date February 2003 - Final Release [LD-10]
Description The IMS Learning Design specification represents an integration of the Educational Modeling Language (EML) work, submitted to the Learning Design Project Group by the Open University of the Netherlands, and existing IMS Specifications, notably Content Packaging that this specification extends and builds on, but also Metadata and Simple Sequencing. The designs which can be described by this meta-language might involve a single user or multiple users; the learning and instructional designers and providers might take a behaviorist, cognitivist, constructivist, or some other approach; they might require learners to work separately or collaboratively, but the OUNL studies found these could all be captured in terms of a Method containing Roles, Activity-structures, and Environments and a number of other concepts elaborated around these.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None.

C.12 Learner Information Package (LIP)

Title Learner Information Package
Version 1.0.1
Release Date January 2005 - Final Release [LIP-10]
Description Learner Information is a collection of information about a Learner (individual or group learners) or a Producer of learning content (creators, providers or vendors). The IMS Learner Information Package (LIP) specification addresses the interoperability of internet-based Learner Information systems with other systems that support the Internet learning environment. The intent of the specification is to define a set of packages that can be used to import data into and extract data from an IMS compliant Learner Information server. A Learner Information server may exchange data with Learner Delivery systems or with other Learner Information servers. It is the responsibility of the Learner Information server to allow the owner of the learner information to define what part of the learner information can be shared with other systems. The core structures of the IMS LIP are based upon: accessibilities; activities; affiliations; competencies; goals; identifications; interests; qualifications, certifications and licenses; relationship; security keys; and transcripts.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within a Learner Information Profile instance may be considered sensitive.
Recommendations No products are certified with respect to this specification. This specification is superseded by the new IMS Comprehensive Learner Record (CLR) specification. Therefore, it is recommended that no changes be made to this specification.

C.13 Learning Information Service (LIS)

Title Learning Information Services
Version 2.0.1
Release Date September 2013 - Final Release [LIS-20]
Description The Learning Information Services (LIS) specification is the definition of how systems manage the exchange of information that describes people, groups, memberships, courses and outcomes within the context of learning. The LIS v2.x specification supersedes the IMS Enterprise Services v1.0 specification. The LIS specification is based on the aggregation of the Person Management, Group Management, Membership Management, Course Management, Outcomes Management and the Bulk Data Exchange Management Services specifications. The LIS v2.0 can be implemented using both a Web Services infrastructure (based upon a SOAP/HTTP transport mechanism) and the Lightweight Directory Access Protocol (LDAP). An implementation is not required to support each and every service. Neither is an implementation required to support each and every operation. Interoperability is best defined through the use of a Domain Profile. This specification includes such a profile for Higher Education. Interoperability is supported between systems that implement the same profile.
Security There is no security requirement defined in the LIS specification. The web services are described using WSDL. Instead, certification for a product employs the security mechanisms used by the implementation under test. The security approaches supported at certification are: none, basic HTTP authentication, Basic OAuth, WS-Security and HTTPS/SSL3.
Recommendations Very few products are certified with respect to this specification. For K-12/Schools this specification is superseded by IMS OneRoster. In the longer term the new IMS EDU-API specification will supersede the LIS specification. Therefore, it is recommended that no changes be made to this specification.

C.14 Learning Tool Interoperability (LTI)

Title LTI Advantage Core
Version 1.3
Release Date April 2013 - Final Release [LTI-13]
Description The IMS Learning Tools Interoperability (LTI) specification allows Learning Management Systems or platforms to integrate remote tools and content in a standard way. LTI v1.3 builds on LTI v1.1 by incorporating a new model for security for message and service authentication.
Security The security features in this specification are aligned to the OpenID Connect parts of the IMS Security Framework 1.0 document.
Recommendations At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established. This recommendation is now set for completion in 2022.
Title LTI Advantage Deep Linking
Version 2.0
Release Date April 2019 - Final Release [LTI-DL-20]
Description The IMS Learning Tools Interoperability (LTI) Deep Linking specification allows a Platform to more easily integrate content gathered from an external Tool. Using the Deep Linking message defined in this specification, Platform users can launch to a URI specified by an external Tool, then select specific content appropriate for their use, and receive a URI that other platform users can use at a later time for launches directly to that specific content.
Security The security features in this specification are aligned to the LTI Advantage Core specification which cites IMS Security Framework 1.0 document.
Recommendations At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established. This recommendation is now set for completion in 2022.
Title LTI Advantage Assignment & Grade Service
Version 2.0
Release Date April 2019 - Final Release [LTI-AGS-20]
Description The IMS Learning Tools Interoperability (LTI) Assignment and Grade Services specification, as described in this document, replaces the Basic Outcomes service and updates the Result service included in LTI v2.0. This specification also allows tools more control over the number of gradebook columns per resource link and the maximum points possible for each column.
Security The security features in this specification are aligned to the LTI Advantage Core specification. Service requests MUST use OAuth 2 Bearer (Client Credentials) which cites IMS Security Framework 1.0 document.
Recommendations At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established. This recommendation is now set for completion in 2022.
Title LTI Advantage Names & Role Provisioning Service
Version 2.0
Release Date April 2019 - Final Release [LTI-NRPS-20]
Description The Learning Tools Interoperability (LTI) Names and Role Provisioning Services is an LTI specification for providing access to a list of users and their roles within the context of a course, program or other grouping. The LTI specification enables instructors to automate the provision of student lists via LTI to an external tool. LTI does not pass user information in its default configuration. Using the LTI Names and Role Provisioning Services, user information can be passed in a safe and secure manner. The Names and Role Provisioning Services also allows instructors to be provided a display showing the activity of all of their students, whether or not they have accessed the tools.
Security The security features in this specification are aligned to the LTI Advantage Core specification. Service requests MUST use OAuth 2 Bearer (Client Credentials) which cites IMS Security Framework 1.0 document.
Recommendations At the next revision of the specification and/or documentation, alignment with IMS Security Framework 1.1 MUST be established. This recommendation is now set for completion in 2022.
Title LTI
Version 1.1.2
Release Date July 2019 - Final Release [LTI-112]
Description The Learning Tools Interoperability (LTI) specification enables remote tools and content to be integrated into a Learning Management System (LMS).
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key. This version provides a security update to address cross-site request forgery threats applicable to versions of LTI released prior to v1.3. The security updates described here apply specifically to LTI v1.0 and v1.1.1.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI
Version 1.1.1
Release Date June 2012 - Final Release [LTI-11]
Description The Learning Tools Interoperability (LTI) specification enables remote tools and content to be integrated into a Learning Management System (LMS).
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI Deep linking
Version 1.0.1
Release Date July 2019 - Final Release [LTI-DL-10]
Description Deep Linking is an LTI standard for exchanging content between applications and tools. A broad range of content types can be shared such as static links, embedded images or other media types and files, extending the LTI toolbox and streamlining the process of setting up an LTI tool link. Deep Linking enables external (LTI) tools to appear in the same way that internal tools do. Using Deep Linking will eliminate a common need for custom integrations. This version provides a security update to address cross-site request forgery threats applicable to versions of LTI released prior to v1.3. The security updates described here apply to LTI Deep Linking v1.0.
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI Deep Linking
Version 1.0
Release Date May 2016 - Final Release [LTI-DL-10]
Description Deep Linking is an LTI standard for exchanging content between applications and tools. A broad range of content types can be shared such as static links, embedded images or other media types and files, extending the LTI toolbox and streamlining the process of setting up an LTI tool link. Deep Linking enables external (LTI) tools to appear in the same way that internal tools do. Using Deep Linking will eliminate a common need for custom integrations.
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI Basic Outcomes
Version 1.1
Release Date May 2019 - Final Release [LTI-BO-11]
Description This document provides an update to the original LTI Outcomes Management v1.0 specification. Now called LTI Basic Outcome v1.1, this updated document adds a section that defines a way to migrate from the LTI v1.1 Outcomes Management service to the latest LTI v1.3 and Assignment and Grade Services 2.0.
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI Names & Role Provisioning Service
Version 1.0.1
Release Date July 2019 - Final Release [LTI-NRPS-10]
Description Names and Role Provisioning Services is an LTI specification for providing access to a list of users and their roles within the context of a course, program or other grouping. The LTI specification enables instructors to automate the provision of student lists via LTI to an external tool. LTI does not pass user information in its default configuration. Using the LTI Names and Role Provisioning Services user information can be passed in a safe and secure manner. The Names and Role Provisioning Services also allows instructors to be provided a display showing the activity of all of their students, whether or not they have accessed the tools. This version provides a security update to address cross-site request forgery threats applicable to versions of LTI released prior to v1.3. The security updates described here apply to LTI Names & Role Provisioning Service v1.0.
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title LTI Names & Role Provisioning Service
Version 1.0
Release Date May 2016 - Final Release [LTI-NRPS-10]
Description Names and Role Provisioning Services is an LTI specification for providing access to a list of users and their roles within the context of a course, program or other grouping. The LTI specification enables instructors to automate the provision of student lists via LTI to an external tool. LTI does not pass user information in its default configuration. Using the LTI Names and Role Provisioning Services user information can be passed in a safe and secure manner. The Names and Role Provisioning Services also allows instructors to be provided a display showing the activity of all of their students, whether or not they have accessed the tools.
Security This version of LTI uses the OAuth 1.0a protocol to secure its message interactions between the Tool Consumer and Tool Provider. OAuth signing requires a key and shared secret to sign messages. The key is transmitted with each message, as well as an OAuth-generated signature based on the key.
Recommendations This specification is deprecated from 31st December 2020 and there will be no further certifications from 1st July 2021. Therefore, no further action is required.
Title Learning Tools Interoperability (LTI) Resource Search
Version 1.0
Release Date September 2018 - Final Release [RS-10]
Description The Learning Tools Interoperability (LTI) Resource Search specification defines how to search digital repositories for a set of resources via a web services API. The standard addresses searching learning object repositories (LORs), and other catalogs of learning resources. The specification supports executing these searches from learning tools using various attributes of resources and returning full metadata about the resources to the learning tools. Results can be launched either as URLs or LTI links. The goal of the LTI Resource Search standard is a standard way for students and teachers to be able to search resource providers, such as learning object repositories, from single sources or aggregated from multiple sources, within a learning object consumer such as a learning management system or other educational platform.
Security LTI Resource Search is a service-based specification that is released as a set of REST/JSON endpoints. The specification has no security requirements for certification. The implementation guide recommends the usage of OAuth 2.0 but does not provide any further detailed guidance.
Recommendations The Implementation Guide document MUST be edited to provide details on the use of OAuth 2.0 as defined in the IMS Security Framework 1.1. This does NOT require revision of the specification version. This recommendation is 'In-progress' and set for completion in 2022.

C.16 Metadata

Title Metadata
Version 1.3.2
Release Date May 2012 - Final Release [MD-13]
Description The IMS Learning Resource Meta-data v1.3 specification is a narrative description of the use of the IEEE P1484.12.3 [IEEE1484-12-1] Standard for Extensible Markup Language (XML) Schema Definition Language Binding for Learning Object Metadata (LOM) along with guidelines on its use, including the creation of application profiles. This metadata specification aims to make the process of finding and using a learning resource more efficient by providing a structure of defined elements that describe, or catalog, the learning resource and requirements about how the elements are to be used and represented.
Security This is a data model based specification and does not include information on how a metadata instance file is exchanged. In the IMS Ecosystem, IMS Metadata information is always exchanged in the context of the content package/common cartridge used for collecting together the resources for a content-based specification. Therefore, any security considerations are addressed in the context of the parent specification.
Recommendations None.

C.17 OneRoster

Title OneRoster: Rostering Service
Version 1.2
Release Date November 2019 - Candidate Final [OR-ROS-SM-12]
Description The IMS OneRoster (OR) standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. In OR 1.2, the service has been split into three core services: (1) Rostering Service; (2) Gradebook Service; and (3) Resources Service. The Rostering Service provides the ability to manage the exchange of information about people, classes, courses, organizations and enrollments.
Security The Rostering Service uses OAuth 2.0 Client Credentials as defined in the IMS Security Framework 1.1. The specification includes definition of the associated set of ‘scopes’. There are NO extensions/changes with respect to the IMS Security Framework 1.1.
Recommendations Before Final Release, the Security Committee should review this specification to confirm its correct alignment with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title OneRoster: Resources Service
Version 1.2
Release Date November 2019 - Candidate Final [OR-RES-SM-12]
Description The IMS OneRoster (OR) standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. In OR 1.2, the service has been split into three core services: (1) Rostering Service; (2) Gradebook Service; and (3) Resources Service. This OR 1.2 Resources Service provides the ability to manage the allocation of resources to classes, courses and users. It does NOT enable access to the resources themselves. The resource data provides the information that describes the resource and its relationships to classes and/or courses and/or users.
Security The Resources Service uses OAuth 2.0 Client Credentials as defined in the IMS Security Framework 1.1. The specification includes definition of the associated set of ‘scopes’. There are NO extensions/changes with respect to the IMS Security Framework 1.1.
Recommendations Before Final Release, the Security Committee should review this specification to confirm its correct alignment with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title OneRoster: Gradebook Service
Version 1.2
Release Date November 2019 - Candidate Final [OR-GBK-SM-12]
Description The IMS OneRoster (OR) standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. In OR 1.2, the service has been split into three core services: (1) Rostering Service; (2) Gradebook Service; and (3) Resources Service. This OR 1.2 Gradebook Service provides the ability to manage the exchange of information about gradebooks in the form of results, lineItems, collections of lineItems (categories) and score-scales. It is also possible to exchange information about assessment activities in the form of assessment lineItems and assessment results.
Security The Gradebook Service uses OAuth 2.0 Client Credentials as defined in the IMS Security Framework 1.1. The specification includes definition of the associated set of ‘scopes’. There are NO extensions/changes with respect to the IMS Security Framework 1.1.
Recommendations Before Final Release, the Security Committee should review this specification to confirm its correct alignment with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title OneRoster: Assessment Results Profile of the Gradebook Service
Version 1.0
Release Date May 2020 - Candidate Final [ARP-10]
Description The 'Assessment Results Profile for Gradebook Service' (ARP-GS) is a formal subset of the IMS OneRoster (OR) 1.2 Gradebook Service. The OneRoster standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. The OR 1.2 Gradebook Service, one service within the full OR 1.2 specification, provides the ability to manage the exchange of information about gradebooks in the form of results, lineItems, collections of lineItems (categories) and score-scales. It is also possible to exchange information about assessment activities in the form of assessment lineItems and assessment results. ARP-GS is designed to enable the exchange of detailed results that are assigned as part of some form of assessment activity i.e. the assessment lineItems and assessment results parts of the OR 1.2 Gradebook Service.
Security The Assessment Results Profile of the Gradebook Service uses OAuth 2.0 Client Credentials as defined in the IMS Security Framework 1.1. The specification includes definition of the associated set of ‘scopes’. There are NO extensions/changes with respect to the IMS Security Framework 1.1.
Recommendations Before Final Release, the Security Committee should review this specification to confirm its correct alignment with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title OneRoster: CSV Binding
Version 1.2
Release Date May 2020 - Candidate Final [OR-CSV-12]
Description The IMS OneRoster standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. The CSV binding describes the data formatting as a set of CSV files exchanged as a single zip file.
Security This is a data-model only binding. The manner in which the data is exchanged is beyond the scope of this specification. There are security issues to be addressed when exchanging a OneRoster zip file.
Recommendations
  • Update the Implementation Guide to include recommendations for the secure exchange of the OneRoster zip file.
  • Before Final Release, the Security Committee should review this specification to confirm its correct alignment with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.
Title OneRoster Service (REST API)
Version 1.1
Release Date April 2017 - Final Release [OR-11]
Description The IMS OneRoster (OR) standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. The REST API defines an extensive set of endpoints for the management of information about rostering, access to resources and gradebooks.
Security The initial release of OneRoster 1.1 REST API required support of OAuth 1.0a/SHA. Support for OAuth 1.0a/SHA256 and OAuth 2.0 Bearer Token/Client Credentials was optional. Since that release, support for OAuth 1.0a has been deprecated such that, by 31st December 2020, only the use of OAuth 2.0 will be required. The associated set of scopes has been defined and this usage of OAuth 2.0 Bearer Token/Client Credentials is aligned with IMS Security Framework 1.1.
Recommendations None.
Title OneRoster CSV Binding
Version 1.1
Release Date April 2017 - Final Release [OR-CSV-11]
Description The IMS OneRoster (OR) standard addresses the exchange of student data (primarily about people, courses, enrollments and grades) between different educational systems for the specific needs of K-12. The CSV binding describes the data formatting as a set of CSV files exchanged as a single zip file.
Security This is a data-model only binding. The manner in which the data is exchanged is beyond the scope of this specification. Best practices for the secure exchange of these files are described.
Recommendations None.

C.18 Open Badges

Title Open Badges
Version 3.0
Release Date October 2021 - New Specification Activity
Description Open Badges are visual symbols of accomplishments packed with verifiable metadata according to the Open Badges specification. The Open Badges specification defines the properties necessary to define an achievement and award it to a recipient, as well as procedures for verifying badge authenticity and “baking” badge information into portable image files. It includes term definitions for representations of data in Open Badges. Open Badges 2.1 is a specification that adds the Badge Connect API to Open Badges that allows badge recipients to easily move their Assertions between platforms to streamline the experience of earning and using Open Badges. The initial scope for this specification will cover Assertions and Profiles, with potential additions in future versions of other types of data held by applications in the various Open Badges ecosystem roles of Issuer, Displayer, and Host.
Security This specification requires the use of OAuth 2.0 Authorization Code Grant with Token Refresh and Token Revocation capabilities as defined in the IMS Security Framework 1.1. Dynamic Client Registration and Service Discovery are also used.
Recommendations Before Final Release, this specification MUST be formally reviewed by the Security Committee.
Title Open Badges
Version 2.1
Release Date January 2020 - Candidate Final [OB-21]
Description Open Badges are visual symbols of accomplishments packed with verifiable metadata according to the Open Badges specification. The Open Badges specification defines the properties necessary to define an achievement and award it to a recipient, as well as procedures for verifying badge authenticity and “baking” badge information into portable image files. It includes term definitions for representations of data in Open Badges. Open Badges 2.1 is a specification that adds the Badge Connect API to Open Badges that allows badge recipients to easily move their Assertions between platforms to streamline the experience of earning and using Open Badges. The initial scope for this specification will cover Assertions and Profiles, with potential additions in future versions of other types of data held by applications in the various Open Badges ecosystem roles of Issuer, Displayer, and Host.
Security This specification requires the use of OAuth 2.0 Authorization Code Grant with Token Refresh and Token Revocation capabilities as defined in the IMS Security Framework 1.1. Service Discovery is also used but this is NOT aligned with the Security Framework.
Recommendations Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee for alignment with the IMS Security Framework 1.1. This recommendation is 'In-progress' and set for completion in 2022.
Title Open Badges
Version 2.0
Release Date April 2018 - Final Release [OB-20]
Description The Open Badge specification describes a method for packaging information about accomplishments, embedding it into portable image files as digital badges, and establishing resources for its validation. It includes term definitions for representations of data in Open Badges. The specification defines how a badge may be signed using a JSON Web Signature.
Security This is a data-model only specification with a JSON-LD binding. The manner in which the data is exchanged is beyond the scope of this specification. The use of secure digital signing and badge verification acts as best practices when exchanging badges.
Recommendations None.

C.19 OpenVideo Metadata

Title OpenVideo Metadata
Version 1.0
Release Date September 2020 - Candidate Final 2.0 [OV-10]
Description The OpenVideo Metadata Standard defines a format for creating rich media content that describes captured rich media in a standardized way such that management solutions that support the standard can exchange the media. The goal of the OpenVideo Metadata Standard is to make it simple and easy for educational institutions to manage all of their captured content, in a way that is agnostic to the software and hardware they used to capture it. The standard aims to remove siloed data and long integration projects by creating one simple, standardized format that describes captured rich media, as well as a process by which this media can be transferred into a media management solution that supports the format.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply. This recommendation is now set for completion in 2022.

C.20 Proctoring

Title Proctoring Service
Version 1.0
Release Date July 2019 - Public Candidate Final [PS-10]
Description The IMS Proctoring Services specification is based on the Learning Tools Interoperability Core v1.3 specification and LTI Advantage services. LTI works on the concept of a browser-based launch from a platform into an external tool or application. For proctoring, a test delivery or assessment management system would be the platform and the proctoring service the tool. Using the Proctoring Specification, a candidate can launch out from their assessment platform to the proctoring tool, initiate a proctored session with that tool, and be returned securely back to the assessment platform to take the assessment while being proctored by the proctoring tool. The Proctoring Specification also provides a method for proctoring tools to send messages to the assessment platform during the assessment to control a candidate's progression including, if necessary, a facility to terminate the assessment.
Security As a profile of, and extension to, the LTI Advantage Core specification, the Proctoring Service makes use of the corresponding OpenID Connect and OAuth 2.0 requirements. The LTI Advantage specifications make extensive use of the IMS Security Framework.
Recommendations Before Final Release, the Proctoring Service MUST be reviewed by the Security Committee to ensure the service is correctly aligned with the IMS Security Framework 1.1. This recommendation is now set for completion in 2022.

C.21 Question & Test Interoperability (QTI)

Title Question & Test Interoperability (QTI): Assessment, Section & Item (ASI)
Version 3.0
Release Date September 2020 - Public Candidate Final Release [QTI-INFO-30]
Description The Question & Test Interoperability (QTI) specification includes the ability to capture not only the assessment content that is intended for presentation to candidates, but the data associated with the assessment content, correct and incorrect answers, scoring and response processing information, and other metadata used in sophisticated assessment contexts. QTI can describe simple to complex test structures, with any number of test parts and sections, including the regulation of access or timing to any of the portions of an assessment.
Security This is a data-model only specification. QTI instances are exchanged as a zip file composed as per the QTI-profile of the IMS Content Packaging specification. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of QTI instances.
Recommendations Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply. This recommendation is now set for completion in 2022.
Title Question & Test Interoperability (QTI): Metadata
Version 3.0
Release Date September 2020 - Public Candidate Final Release [QTI-MD-BIND-30]
Description The QTI-specific metadata is aligned with the IEEE Learning Object Metadata (LOM) in accordance with the IMS Metadata Best Practice and Implementation Guide. The IEEE LOM standard defines a set of metadata elements that can be used to describe learning resources, but does not describe assessment resources in sufficient detail. The application profile provided in this document therefore extends the IEEE LOM to meet the specific needs of QTI developers wishing to associate metadata with items (as defined by the accompanying Item Information Model). QTI 3.0 further extends this to enable the description of tests, pools and object banks.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee to confirm that the Security Framework does not apply. This recommendation is now set for completion in 2022.
Title Question & Test Interoperability (QTI): Results Reporting
Version 3.0
Release Date December 2020 - Public Candidate Final Release [QTI-RR-30]
Description The QTI Result Reporting specification is used for reporting the results of an assessment and provides detailed information about the model and specifies the associated requirements on delivery engines. While the expectation is that the original definition of the corresponding Test and Items is based upon the use of the QTI 3.0 Assessment, Section and Item specification, this is not a prerequisite for the use of this result reporting representation.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within a Result Reporting instance may be considered sensitive. Recommendations for securing the exchange of such instances MUST be addressed in the Implementation Guide.
Recommendations
  • Update the Implementation Guide to include recommendations for secure exchange of a QTI Results Report XML instance. This recommendation is now set for completion in 2022;
  • Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee. This recommendation is now set for completion in 2022.
Title Question & Test Interoperability (QTI): Usage Data & Item Statistics
Version 3.0
Release Date December 2020 - Public Candidate Final Release [QTI-UD-30]
Description This specification introduces QTI Usage Data for reporting statistical information about the usage of a set of items. While the expectation is that the original definition of the corresponding Items is based upon the use of the QTI 3.0 Assessment, Section and Item specification, this is not a prerequisite for the use of this usage data representation.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within a Usage Data & Item Statistics instance may be considered sensitive. Recommendations for securing the exchange of such instances MUST be addressed in the Implementation Guide.
Recommendations
  • Update the Implementation Guide to include recommendations for secure exchange of a QTI Usage Data & Item Statistics XML instance. This recommendation is now set for completion in 2022;
  • Before publication as Final Release this specification needs to be reviewed by the IMS Security Committee. This recommendation is now set for completion in 2022.
Title Question & Test Interoperability (QTI): Assessment, Section & Item (ASI)
Version 2.2
Release Date September 2015 - Final Release [QTI-INFO-22]
Description The Question & Test Interoperability (QTI) specification includes the ability to capture not only the assessment content that is intended for presentation to candidates, but the data associated with the assessment content, correct and incorrect answers, scoring and response processing information, and other metadata used in sophisticated assessment contexts. QTI can describe simple to complex test structures, with any number of test parts and sections, including the regulation of access or timing to any of the portions of an assessment.
Security This is a data-model only specification with an XML/XSD binding. QTI instances are exchanged as a zip file composed as per the QTI-profile of the IMS Content Packaging specification. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of QTI instances.
Recommendations None.
Title Question & Test Interoperability (QTI): Metadata
Version 2.2
Release Date September 2015 - Final Release [QTI-MD-22]
Description The QTI-specific metadata is aligned with the IEEE Learning Object Metadata (LOM) in accordance with the IMS Metadata Best Practice and Implementation Guide. The IEEE LOM standard defines a set of metadata elements that can be used to describe learning resources, but does not describe assessment resources in sufficient detail. The application profile provided in this document therefore extends the IEEE LOM to meet the specific needs of QTI developers wishing to associate metadata with items (as defined by the accompanying Item Information Model). QTI 2.2 further extends this to enable the description of tests, pools and object banks.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None.
Title Question & Test Interoperability (QTI): Results Reporting
Version 2.2
Release Date September 2015 - Final Release [QTI-RR-22]
Description The QTI Result Reporting specification is used for reporting the results of an assessment and provides detailed information about the model and specifies the associated requirements on delivery engines. While the expectation is that the original definition of the corresponding Test and Items is based upon the use of the QTI 2.2 Assessment, Section and Item specification, this is not a prerequisite for the use of this result reporting representation.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within a Result Reporting instance may be considered sensitive. Recommendations for securing the exchange of such instances are discussed in the Implementation Guide.
Recommendations None.
Title Question & Test Interoperability (QTI): Usage Data & Item Statistics
Version 2.2
Release Date September 2015 - Final Release [QTI-UD-22]
Description This specification introduces QTI Usage Data for reporting statistical information about the usage of a set of items. While the expectation is that the original definition of the corresponding Items is based upon the use of the QTI 2.2 Assessment, Section and Item specification, this is not a prerequisite for the use of this usage data representation.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. The data contained within a Usage Data & Item Statistics instance may be considered sensitive. Recommendations for securing the exchange of such instances are discussed in the Implementation Guide.
Recommendations None.
Title Question & Test Interoperability (QTI): Assessment, Section & Item (ASI)
Version 2.1
Release Date August 2012 - Final Release [QTI-ASI-21]
Description The Question & Test Interoperability (QTI) specification includes the ability to capture not only the assessment content that is intended for presentation to candidates, but the data associated with the assessment content, correct and incorrect answers, scoring and response processing information, and other metadata used in sophisticated assessment contexts. QTI can describe simple to complex test structures, with any number of test parts and sections, including the regulation of access or timing to any of the portions of an assessment. This version builds upon QTI 2.0 by adding support for the exchange of QTI Tests and Sections.

While certification for this version is still available, this version is superseded by QTI 2.2 and 3.0 versions.
Security This is a data-model only specification with an XML/XSD binding. QTI instances are exchanged as a zip file composed as per the QTI-profile of the IMS Content Packaging specification. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of QTI instances.
Recommendations None.
Title Question & Test Interoperability (QTI): Results Reporting
Version 2.1
Release Date August 2012 - Final Release [QTI-RR-21]
Description The QTI Result Reporting specification is used for reporting the results of an assessment and provides detailed information about the model and specifies the associated requirements on delivery engines. While the expectation is that the original definition of the corresponding Test and Items is based upon the use of the QTI 2.1 Assessment, Section and Item specification, this is not a prerequisite for the use of this result reporting representation.

While certification for this version is still available, this version is superseded by QTI 2.2 and 3.0 versions.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification.
Recommendations None.
Title Question & Test Interoperability (QTI): Metadata & Usage Data
Version 2.1
Release Date August 2012 - Final Release [QTI-UD-21]
Description This specification combines the definition of the exchange of QTI Metadata and QTI Usage Data for reporting statistical information about the usage of a set of items. The QTI-specific metadata is aligned with the IEEE Learning Object Metadata (LOM) in accordance with the IMS Metadata Best Practice and Implementation Guide.

While certification for this version is still available, this version is superseded by QTI 2.2 and 3.0 versions.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None.
Title Question & Test Interoperability (QTI): Item
Version 2.0
Release Date August 2005 - Final Release [QTI-20]
Description The Question & Test Interoperability (QTI) 2.0 specification is a non-compatible redesign of the exchange of QTI Items. It includes the ability to capture not only the Item content that is intended for presentation to candidates, but the data associated with the assessment content, correct and incorrect answers, scoring and response processing information.

While certification for this version is still available, this version is superseded by QTI 2.1, 2.2 and 3.0 versions.
Security This is a data-model only specification with an XML/XSD binding. QTI instances are exchanged as a zip file composed as per the QTI-profile of the IMS Content Packaging specification. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of QTI instances.
Recommendations None.
Title Question & Test Interoperability (QTI): Metadata & Usage Data
Version 2.0
Release Date January 2005 - Final Release [QTI-MD-20]
Description This specification combines the definition of the exchange of QTI Metadata and QTI Usage Data for reporting statistical information about the usage of a set of items. The QTI-specific metadata is aligned with the IEEE Learning Object Metadata (LOM) in accordance with the IMS Metadata Best Practice and Implementation Guide.

While certification for this version is still available, this version is superseded by QTI 2.1, 2.2 and 3.0 versions.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None.
Title Question & Test Interoperability
Version 1.2.1
Release Date March 2003 - Final Release [QTI-12]
Description The Question & Test Interoperability (QTI) Specification describes a basic structure for the representation of question (item) and test (assessment) data. Therefore, the specification enables the exchange of this test, assessment and results data between Learning Management Systems, as well as content authors and content libraries and collections. The QTI Specification is defined in XML to promote the widest possible adoption. XML is a powerful, flexible, industry standard markup language used to encode data models for Internet-enabled and distributed applications. The QTI Specification is extensible and customizable to permit immediate adoption, even in specialized or proprietary systems. It is this version of QTI that can be used for describing tests and quizzes in Common Cartridges.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification.
Recommendations None.
Title Accessible Portable Item Protocol (APIP)
Version 1.0
Release Date May 2014 - Final Release [APIP-10]
Description The APIP Standard provides assessment programs and question item developers with a data model for standardizing the interchange file format for digital test items. When applied properly, the APIP standard accomplishes two important goals. First, the standard allows digital Tests and Items to be ported across APIP compliant test and item banks. Second, it provides a test delivery interface with all the information and resources required to make a Test and Item accessible for students with a variety of disabilities and special needs.

The APIP standard builds on the IMS Question and Test Interoperability (QTI) v2.2 specification; this in turn makes use of the IMS Content Packaging (CP) v1.2 specification. The APIP Standard expands the QTI model into a comprehensive framework that encompasses the requirements for creating accessible tests. The IMS Access For All Personal Needs & Preferences (AfA PNP) v2.0 specification is also adopted as the basis for supplying the user preferences when using an APIP-enabled system. It is these accessibility preferences that are used by an assessment system to tailor, in real-time, the presentation of the question items to fit the accessibility needs of the user.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. Some of the data contained within an APIP instance may be considered sensitive e.g. the personal needs and preference settings. Recommendations for securing the exchange of such instances MUST be addressed in the Implementation Guide.
Recommendations Update the Implementation Guide to include recommendations for secure exchange of APIP data instances. Completion of this recommendation is 'Outstanding'.
Title Portable Custom Interaction (PCI)
Version 1.0
Release Date October 2017 - Candidate Final [PCI-10]
Description The IMS Global Question and Test Interoperability (QTI) specification describes an interoperable format for assessment content and results. The focus of the standard is to provide interoperability between components in an assessment system. The standard supports a myriad of item interaction types. Technology Enhanced Items (TEI) that extend beyond the defined interaction types can still be supported by the QTI specification and in the related Accessible Portable Item Protocol (APIP) specification by making use of the custom interactions feature. Interoperability between different components and platforms rendering TEIs provides a unique challenge, because the shape and functionality of these custom interactions are unknown outside of the system that originated them. This best practice outlines a method that allows an author to define an almost unlimited variety of custom interaction types, while still keeping the item portable between different systems. This is achieved by making use of common web technologies combined with an agreement about how to communicate the results of a learner's interaction to a QTI/APIP delivery engine. By following the best practice documented here, most TEIs and assessment components can increase their value by supporting interoperability.
Security The PCI specification defines a runtime API that turns the TEI into a tightly-coupled black-box function. Therefore, there are no security considerations over-and-above those normally encountered when creating secure functions/procedures/classes with the selected implementation programming base.
Recommendations Before Final Release this specification MUST undergo formal review by the IMS Security Committee. This recommendation is now set for completion in 2022.

C.22 Resource List Interoperability (RLI)

Title Resource List Interoperability
Version 1.0
Release Date July 2004 - Final Release [RLI-10]
Description The Resource List Interoperability (RLI) specification details how structured meta-data can be exchanged between systems that store and expose resources for the purpose of creating resource lists and those that gather and organize those Resource Lists for educational or training purposes. A typical example of such a resource list is a reading list. The data model is then bound or expressed in XML, combining elements that map to subsets of key standards, including the IEEE-LOM (Learning Object Metadata), ISO 690-2 for bibliographic citations, and NISO's OpenURL to describe the resource items and aggregated resource list. The abstract service interface is bound to web services expressed as WSDL. The IMS Content Packaging specification wraps the resource list to enable transfer between systems.
Security There is no security requirement defined in the RLI specification. The web services are described using WSDL. Instead, certification for a product employs the security mechanisms used by the implementation under test.
Recommendations This is an old, unused specification. There are no certified products. Therefore, it is recommended that no changes be made to this specification.

C.23 Shareable State Persistence (SSP)

Title Shareable State Persistence
Version 1.0
Release Date July 2004 - Final Release [SSP-10]
Description The Shareable State Persistence specification describes an extension to e-learning runtime systems (e.g. SCORM) that enables the storage of, and shared access to, state information between content objects. There is currently no prescribed method for a content object to store (arbitrarily complex) state information in the runtime system that can later be retrieved by itself or by another content object. This capability is crucial to the persistence of the, sometimes, complex state information that is generated by a variety of interactive content (e.g. simulations) and that is currently stored and retrieved in proprietary formats and through proprietary methods. This specification is used as a part of the SCORM 3rd Edition and later releases.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None

C.24 Simple Sequencing

Title Simple Sequencing
Version 1.0
Release Date March 2003 - Final Release [SS-10]
Description The IMS Simple Sequencing Specification defines a method for representing the intended behavior of an authored learning experience such that any learning technology system (LTS) can sequence discrete learning activities in a consistent way. A learning designer or content developer declares the relative order in which elements of content are to be presented to the learner and the conditions under which a piece of content is selected, delivered, or skipped during presentation. This specification defines the required behaviors and functionality that conforming systems must implement. It incorporates rules that describe the branching or flow of learning activities through content according to the outcomes of a learner's interactions with content. This representation of intended instructional flow may be created manually or with authoring systems that produce output that conforms to this specification. While learning content developers need to know how to create and describe content sequences, authoring systems may hide the details of the models presented in this specification. The representation of sequencing may be interchanged between systems designed to deliver instructional activities to learners. The components of an LTS used to execute the specified rules and behaviors, when content is delivered to a learner, are referred to in this specification as a 'sequencing engine'.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None

C.25 Vocabulary Definition Exchange (VDEX)

Title Vocabulary Definition Exchange
Version 1.0
Release Date February 2004 - Final Release [VDEX-10]
Description The IMS Vocabulary Definition Exchange (VDEX) specification defines a grammar for the exchange of value lists of various classes: collections often denoted "vocabulary". ISO prefers the terms "value domain" and "permitted value" for the data VDEX principally relates to (instead of the term "vocabulary"). Within IMS these have generally been called "vocabularies" and split into "source" and "value" pairs, although the vocabulary data types used in IMS specifications are only one class of vocabulary that can be exchanged by VDEX. The vocabulary data types used in most IMS specifications are simple tokenized terms. Whereas some specifications provide a preferred list of permitted terms, i.e. a preferred value domain, it is common practice to permit alternative value domains to be defined by the users of IMS specifications. VDEX aims to assist in the processes around the exchange and utilization of such domain-specific or community-specific value domains. It is worth noting that although the terms presented for value domains may be lexically identical to natural language terms, the terms are nevertheless formally tokens.
Security This is a data-model only specification with an XML/XSD binding. The manner in which the data is exchanged is beyond the scope of this specification. There are no security concerns regarding the exchange of this metadata.
Recommendations None

D. Revision History

This section is non-normative.

D.1 Version History

Publication history and revision details for this specification.
| Version No. | Release Date | Comments |
|---|---|---|
| Final Release v1.0 | 7th December, 2021 | This is the first IMS Security Audit 2021 publication. It covers the period until the end of 2021. |

E. References

E.1 Normative references

[AFA-DRD-20]
AccessForAll® Digital Resource Description Information Model v2.0. Richard Schwerdtfeger; Madeleine Rothberg; Colin Smythe. IMS Global Learning Consortium, Inc. October 2009. IMS Final Release. URL: https://www.imsglobal.org/accessibility/accdrdv2p0/html/ISO_ACCDRDv2p0_InfoModelv1.html
[AFA-DRD-30]
AccessForAll® Digital Resource Description Information Model v3.0. Richard Schwerdtfeger; Madeleine Rothberg; Colin Smythe. IMS Global Learning Consortium, Inc. September 2012. IMS Public Draft. URL: https://www.imsglobal.org/accessibility/afav3p0pd//AfA3p0_DRDinfoModel_v1p0pd.html
[AFA-PNP-20]
AccessForAll® Personal Needs and Preferences Information Model v2.0. Richard Schwerdtfeger; Madeleine Rothberg; Colin Smythe. IMS Global Learning Consortium, Inc. April 2010. IMS Final Release. URL: https://www.imsglobal.org/accessibility/accpnpv2p0/spec/ISO_ACCPNPinfoModelv2p0.html
[AFA-PNP-30]
AccessForAll® Personal Needs and Preferences Information Model v3.0. Richard Schwerdtfeger; Madeleine Rothberg; Colin Smythe. IMS Global Learning Consortium, Inc. September 2012. IMS Final Release. URL: https://www.imsglobal.org/accessibility/afav3p0pd/AfA3p0_PNPinfoModel_v1p0pd.html
[APIP-10]
Accessible Portable Item Protocol® (APIP®) v1.0. Colin Smythe; Mark McKell; Gary Driscoll; Thomas Hoffmann; Wayne Ostler. IMS Global Learning Consortium, Inc. May 2014. IMS Final Release. URL: https://www.imsglobal.org/apip/index.html
[ARP-10]
Assessment Results Profile for Gradebook Service v1.0. Colin Smythe; Joshua McGhee; Mathew Richards. IMS Global Learning Consortium, Inc. May 2020. IMS Candidate Final. URL: https://www.imsglobal.org/spec/results/v1p0/
[CALIPER-10]
Caliper Analytics™ Implementation Guide v1.0. Mary Millar; Chris Vento; Chris Millet. IMS Global Learning Consortium, Inc. October 2015. IMS Final Release. URL: https://www.imsglobal.org/caliper/caliperv1p0/ims-caliper-analytics-implementation-guide
[CALIPER-11]
Caliper® Analytics Specification 1.1. Anthony Whyte; Viktor Haag; Linda Feng; Markus Gylling; Matt Ashbourne; Wes LaMarche; Etienne Pelaprat. IMS Global Learning Consortium. URL: https://www.imsglobal.org/sites/default/files/caliper/v1p1/caliper-spec-v1p1/caliper-spec-v1p1.html
[CALIPER-12]
Caliper Analytics® Specification v1.2. Bracken Mosbacker; Anthony White. IMS Global Learning Consortium, Inc. March 2020. IMS Final Release. URL: https://www.imsglobal.org/spec/caliper/v1p2
[CASE-10]
IMS Competencies and Academic Standards Exchange (CASE) Service Version 1.0. IMS Global Learning Consortium. July 7, 2017. IMS Final Release. URL: https://www.imsglobal.org/sites/default/files/CASE/casev1p0/information_model/caseservicev1p0_infomodelv1p0.html
[CAT-10]
IMS Global Computer Adaptive Testing v1. IMS Global Learning Consortium. August 2019. IMS Candidate Final Public. URL: https://www.imsglobal.org/spec/cat/v1p0/
[CC-12]
Common Cartridge v1.2. Jeff Khan. IMS Global Learning Consortium, Inc. October 2011. IMS Final Release. URL: http://www.imsglobal.org/cc/index.html
[CC-13]
IMS Global Common Cartridge v1.3. IMS Global Learning Consortium. July 2013. IMS Final Release. URL: http://www.imsglobal.org/cc/index.html
[CC-14]
Common Cartridge® Profile: Implementation Guide. Bracken Mosbacker; Kathryn Green. IMS Global Learning Consortium, Inc. April, 2020. IMS Candidate Final. URL: https://www.imsglobal.org/cc/CCv1p4/ims_CC_impl-v1p4.html
[CLR-10]
IMS Comprehensive Learner Record Standard Version 1.0. IMS Global Learning Consortium. January 14, 2021. IMS Final Release. URL: https://www.imsglobal.org/spec/clr/v1p0/
[CP-12]
Content Packaging v1.2. IMS Global Learning Consortium. March 2007. IMS Public Draft v2.0. URL: https://www.imsglobal.org/content/packaging/index.html
[CPS-10]
Course Planning and Scheduling (CPS/LIS) v1.0. Phil Nicholls; Geoffrey Forster. IMS Global Learning Consortium, Inc. December 2013. IMS Candidate Final. URL: https://www.imsglobal.org/cps/cpsv1p0cf/imsCPSv1p0cf.html
[EP-10]
ePortfolio Information Model v1.0. Colin Smythe; Darren Cambridge; Mark McKell. IMS Global Learning Consortium, Inc. June 2005. IMS Final Release. URL: https://www.imsglobal.org/ep/epv1p0/imsep_infov1p0.html
[IEEE1484-12-1]
IEEE Standard for Learning Object Metadata. Institute of Electrical and Electronics Engineers (IEEE). June 2002. Published Standard. URL: https://standards.ieee.org/standard/1484_12_1-2020.html
[IEEE1484-20-1]
Learning Technology—Data Model for Reusable Competency Definitions. Institute of Electrical and Electronics Engineers (IEEE). January 2008. Published Standard. URL: https://standards.ieee.org/standard/1484_20_1-2007.html#Standard
[ISO12785-1]
ISO/IEC 12785-1:2009: Information technology — Learning, education, and training — Content packaging — Part 1: Information model. ISO/IEC. December 2009. Published Standard. URL: https://www.iso.org/standard/51707.html
[ISO12785-2]
ISO/IEC 12785-2:2011 Information technology — Learning, education, and training — Content packaging — Part 2: XML binding. ISO/IEC. November 2011. Published Standard. URL: https://www.iso.org/standard/52421.html
[ISO12785-3]
ISO/IEC TR 12785-3:2012 Information technology — Learning, education, and training — Content packaging — Part 3: Best practice and implementation guide. ISO/IEC. May 2012. Published Standard. URL: https://www.iso.org/standard/52422.html
[ISO24751-2]
ISO/IEC 24751-2:2008 Information technology — Individualized adaptability and accessibility in e-learning, education and training — Part 2: Access for all personal needs and preferences for digital delivery. ISO/IEC. October 2008. Published Standard. URL: https://www.iso.org/standard/43603.html
[ISO24751-3]
ISO/IEC 24751-3:2008 Information technology — Individualized adaptability and accessibility in e-learning, education and training — Part 3: Access for all digital resource description. ISO/IEC. October 2008. Published Standard. URL: https://www.iso.org/standard/43604.html
[IWB-10]
Interactive Whiteboard / Common File Format (IWB/CFF) v1.0. Thor Anderson. IMS Global Learning Consortium, Inc. February 2012. IMS Final Release. URL: https://www.imsglobal.org/IWBCFF/iwbcffv1p0/imsIWBspecv1p0.html
[LD-10]
Learning Design Information Model v1.0. Rob Koper; Bill Olivier; Thor Anderson. IMS Global Learning Consortium, Inc. January 2003. IMS Final Release. URL: https://www.imsglobal.org/learningdesign/ldv1p0/imsld_infov1p0.html
[LIP-10]
Learner Information Packaging Information Model Specification v1.0. Colin Smythe; Frank Tansey; Robby Robson. IMS Global Learning Consortium, Inc. March 2001. IMS Final Release. URL: https://www.imsglobal.org/profiles/lipinfo01.html
[LIS-20]
IMS Global Learning Information Services v2.0. L. Feng; W. Lee; C. Smythe. IMS Global Learning Consortium. June 2011. URL: https://www.imsglobal.org/lis/
[LTI-11]
IMS Global Learning Tools Interoperability® Implementation Guide. G. McFall; M. McKell; L. Neumann; C. Severance. IMS Global Learning Consortium. March 13, 2012. URL: https://www.imsglobal.org/specs/ltiv1p1
[LTI-112]
Learning Tools Interoperability Security Update v1.0. IMS Global Learning Consortium, Inc. July 2019. IMS Final Release. URL: https://www.imsglobal.org/spec/lti/security-update/v1p0
[LTI-13]
IMS Global Learning Tools Interoperability® Core Specification v1.3. C. Vervoort; N. Mills. IMS Global Learning Consortium. April 2019. IMS Final Release. URL: https://www.imsglobal.org/spec/lti/v1p3/
[LTI-AGS-20]
IMS Global Learning Tools Interoperability® Assignment and Grade Services. C. Vervoort; E. Preston; M. McKell; J. Rissler. IMS Global Learning Consortium. April 2019. IMS Final Release. URL: https://www.imsglobal.org/spec/lti-ags/v2p0/
[LTI-BO-11]
IMS Global Learning Tools Interoperability® Basic Outcomes. C. Vervoort. IMS Global Learning Consortium. 7 May 2019. URL: https://www.imsglobal.org/spec/lti-bo/v1p1/
[LTI-DL-10]
IMS Global Learning Tools Interoperability® Deep Linking 1.0. S. Vickers. IMS Global Learning Consortium. May 2016. URL: https://www.imsglobal.org/specs/lticiv1p0/specification
[LTI-DL-20]
IMS Global Learning Tools Interoperability® Deep Linking 2.0. C. Vervoort; E. Preston. IMS Global Learning Consortium. April 2019. IMS Final Release. URL: https://www.imsglobal.org/spec/lti-dl/v2p0/
[LTI-NRPS-10]
IMS Global Learning Tools Interoperability® Names and Role Provisioning Services. S. Vickers. IMS Global Learning Consortium. 24 May 2016. IMS Final Release. URL: https://www.imsglobal.org/specs/ltimemv1p0
[LTI-NRPS-20]
IMS Global Learning Tools Interoperability® Names and Role Provisioning Services. C. Vervoort; E. Preston; J. Rissler. IMS Global Learning Consortium. April 2019. IMS Final Release. URL: https://www.imsglobal.org/spec/lti-nrps/v2p0/
[MD-13]
IMS Meta-data Best Practice Guide for IEEE 1484.12.1-2002 Standard for Learning Object Metadata v1.3. IMS Global Learning Consortium. August 2006. IMS Final Release. URL: http://www.imsglobal.org/metadata/index.html
[OB-20]
Open Badges v2.0. Nate Otto; Jeff Bohrer; Timothy Cook; Markus Gylling; Alexander Hripak; Justin Pitcher. IMS Global Learning Consortium. April 2018. IMS Final Release. URL: https://www.imsglobal.org/spec/ob/v2p0/
[OB-21]
Open Badges Specification v2.1. Jeff Bohrer; Andy Miller. IMS Global Learning Consortium. October 7, 2020. IMS Candidate Final Public. URL: https://www.imsglobal.org/spec/ob/v2p1/
[OR-11]
OneRoster 1.1 REST API. Colin Smythe; Phil Nicholls. IMS Global Learning Consortium, Inc. March, 2020. IMS Final Release. URL: https://www.imsglobal.org/oneroster-v11-final-specification.html
[OR-CSV-11]
OneRoster 1.1 CSV Binding. Colin Smythe; Phil Nicholls. IMS Global Learning Consortium, Inc. March, 2020. IMS Final Release. URL: https://www.imsglobal.org/oneroster-v11-final-csv-tables.html
[OR-CSV-12]
OneRoster 1.2 CSV Binding. Colin Smythe; Matthew Richards; Joshua McGhee. IMS Global Learning Consortium, Inc. July, 2020. URL: https://www.imsglobal.org/sites/default/files/spec/oneroster/v1p2/ims-oneroster-v1p2-final-csvbindv1p0.html
[OR-GBK-SM-12]
OneRoster 1.2 Gradebook Service Information Model. Colin Smythe; Matthew Richards; Joshua McGhee. IMS Global Learning Consortium, Inc. July, 2020. URL: https://www.imsglobal.org/sites/default/files/spec/oneroster/v1p2/ims-oneroster-gradebook-v1p2-final-infomodelv1p0.html
[OR-RES-SM-12]
OneRoster 1.2 Resource Service Information Model. Colin Smythe; Matthew Richards; Joshua McGhee. IMS Global Learning Consortium, Inc. July, 2020. URL: https://www.imsglobal.org/sites/default/files/spec/oneroster/v1p2/ims-oneroster-resource-v1p2-final-infomodelv1p0.html
[OR-ROS-SM-12]
OneRoster 1.2 Rostering Service Information Model. IMS Global Learning Consortium, Inc. July, 2020. URL: https://www.imsglobal.org/sites/default/files/spec/oneroster/v1p2/ims-oneroster-rostering-v1p2-final-infomodelv1p0.html
[OV-10]
OpenVideo Metadata 1.0 Information Model. Derek Sessions; Colin Smythe; Joshua McGhee. IMS Global Learning Consortium, Inc. August, 2020. IMS Candidate Final. URL: https://www.imsglobal.org/sites/default/files/spec/ov/v1p0/ims-openvideo-v10-final-infomodelv1p0.html
[PCI-10]
Portable Custom Interactions Specification v1.0. Pádraig O'hiceadha; Mark McKell; Colin Smythe. IMS Global Learning Consortium, Inc. October, 2017. IMS Candidate Final. URL: https://www.imsglobal.org/spec/pci/v1p0
[PS-10]
Proctoring Service. Steve Lay; Mark McKell. IMS Global Learning Consortium, Inc. July, 2019. IMS Public Candidate Final. URL: https://www.imsglobal.org/spec/proctoring/v1p0
[QTI-12]
QTI ASI Information Model v1.2. Colin Smythe; Eric Shepherd; Lane Brewer; Steve Lay. IMS Global Learning Consortium, Inc. February, 2002. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v1p2/info/
[QTI-20]
QTI Item Information Model v2.0. Steve Lay. IMS Global Learning Consortium, Inc. January, 2005. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p0/info/
[QTI-ASI-21]
QTI Assessment, Section and Item (ASI) Information Model v2.1. Wilbert Kraan; Steve Lay; Pierre Gorissen. IMS Global Learning Consortium, Inc. August, 2012. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p1/info/
[QTI-INFO-22]
QTI Assessment, Section and Item (ASI) Usage Data Information Model v2.2. Wilbert Kraan; Mark McKell; Colin Smythe. IMS Global Learning Consortium, Inc. August, 2016. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p2/info/
[QTI-INFO-30]
QTI Assessment Test, Section and Item Information Model v3. IMS Global Learning Consortium. April 2020. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v3p0/info/
[QTI-MD-20]
QTI Metadata and Usage Data Information Model and Binding v2.0. Steve Lay. IMS Global Learning Consortium, Inc. January, 2005. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p0/md-bind/
[QTI-MD-22]
QTI Metadata Information Model and Binding v2.2. Wilbert Kraan; Mark McKell; Colin Smythe. IMS Global Learning Consortium, Inc. August, 2016. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p2/md-bind/
[QTI-MD-BIND-30]
QTI Metadata Information Model and Binding v3. IMS Global Learning Consortium. April 2020. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v3p0/md-bind/
[QTI-RR-21]
QTI Results Reporting Information Model and Binding v2.1. Wilbert Kraan; Steve Lay; Pierre Gorissen. IMS Global Learning Consortium, Inc. August, 2012. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p1/rr-bind/
[QTI-RR-22]
QTI Results Reporting Information Model and Binding v2.2. Wilbert Kraan; Mark McKell; Colin Smythe. IMS Global Learning Consortium, Inc. August, 2016. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p2/rr-bind/
[QTI-RR-30]
QTI Results Reporting Information Model and Binding v3. IMS Global Learning Consortium. April 2020. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v3p0/rr-bind/
[QTI-UD-21]
QTI Metadata and Usage Data Information Model and Binding v2.1. Wilbert Kraan; Steve Lay; Pierre Gorissen. IMS Global Learning Consortium, Inc. August, 2012. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p1/md-bind/
[QTI-UD-22]
QTI Usage Data Information Model and Binding v2.2. Wilbert Kraan; Mark McKell; Colin Smythe. IMS Global Learning Consortium, Inc. August, 2016. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v2p1/ud-bind/
[QTI-UD-30]
QTI Usage Data Information Model and Binding v3. IMS Global Learning Consortium. April 2020. IMS Final Release. URL: https://www.imsglobal.org/spec/qti/v3p0/ud-bind/
[RDCEO-10]
IMS Reusable Definition of Competency or Educational Objective (RDCEO) Information Model. Adam Cooper; Claude Ostyn. IMS Global Learning Consortium, Inc. October, 2002. IMS Final Release. URL: https://www.imsglobal.org/competencies/rdceov1p0/imsrdceo_infov1p0.html
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC6750]
The OAuth 2.0 Authorization Framework: Bearer Token Usage. M. Jones; D. Hardt. IETF. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6750
[RLI-10]
Resource List Interoperability 1.0 Information and Behavior Model. Alex Jackl. IMS Global Learning Consortium, Inc. July, 2004. IMS Final Release. URL: https://www.imsglobal.org/rli/rliv1p0/imsrli_infov1p0.html
[RS-10]
LTI Resource Search Service. Colin Smythe; Jill Hobson. IMS Global Learning Consortium, Inc. September, 2018. IMS Final Release. URL: https://www.imsglobal.org/sites/default/files/spec/lti-rs/v1p0/information_model/rsservicev1p0_infomodelv1p0.html
[SS-10]
Simple Sequencing 1.0 Information and Behavior Model. Mark Norton; Angelo Panar. IMS Global Learning Consortium, Inc. March, 2003. IMS Final Release. URL: https://www.imsglobal.org/simplesequencing/ssv1p0/imsss_infov1p0.html
[SSP-10]
Shareable State Persistence 1.0 Information Model. Alex Jackl; Angelo Panar; Brendon Towle. IMS Global Learning Consortium, Inc. June, 2004. IMS Final Release. URL: https://www.imsglobal.org/ssp/sspv1p0/imsssp_infov1p0.html
[TCC-12]
Thin Common Cartridge® Profile: Implementation Guide. Lisa Mattson; Colin Smythe; Chris Chung. IMS Global Learning Consortium, Inc. May, 2015. IMS Final Release. URL: https://www.imsglobal.org/cc/CCv1p0thin/ims_thinCC_impl-v1p0.html
[TCC-13]
Thin Common Cartridge® Profile: Implementation Guide. Lisa Mattson; Colin Smythe; Chris Chung. IMS Global Learning Consortium, Inc. May, 2015. IMS Final Release. URL: https://www.imsglobal.org/cc/CCv1p0thin/ims_thinCC_impl-v1p0.html
[TCC-14]
Thin Common Cartridge® Profile: Implementation Guide. Bracken Mosbacker; Kathryn Green. IMS Global Learning Consortium, Inc. April, 2020. IMS Candidate Final. URL: https://www.imsglobal.org/cc/CCv1p0thin/ims_thinCC_impl-v1p4.html
[VDEX-10]
Vocabulary Definition Exchange 1.0 Information Model. Adam Cooper. IMS Global Learning Consortium, Inc. February, 2003. IMS Final Release. URL: https://www.imsglobal.org/vdex/vdexv1p0/imsvdex_infov1p0.html

F. List of Contributors

The following individuals contributed to the development of this document:

| Name | Organization | Role |
|---|---|---|
| Eric Galis | Cengage | |
| Karen Hartman | Blackboard | |
| Dereck Haskins | IMS Global | |
| Kristian Horwood | D2L | |
| Mark Leuba | IMS Global | |
| Burton Perkins | Savvas | |
| Sriram Seshadri | Clever | |
| Colin Smythe | IMS Global | editor |
| Uppili Srinivasan | Oracle | |

IMS Global Learning Consortium, Inc. ("IMS Global") is publishing the information contained in this document ("Specification") for purposes of scientific, experimental, and scholarly collaboration only.

IMS Global makes no warranty or representation regarding the accuracy or completeness of the Specification.

This material is provided on an "As Is" and "As Available" basis.

The Specification is at all times subject to change and revision without notice.

It is your sole responsibility to evaluate the usefulness, accuracy, and completeness of the Specification as it relates to you.

IMS Global would appreciate receiving your comments and suggestions.

Please contact IMS Global through our website at http://www.imsglobal.org.

Please refer to Document Name: IMS Security Audit: 2021 1.0

Date: December 1st, 2021