Should an organization build its own identity system, versus relying
on a trusted identity ecosystem? The concept of an identity
provider is built into NSTIC and the identity ecosystem idea, as
well as the Kantara Trust Framework. But I think there are
situations, such as those involving routine, ongoing authentication
to protected resources, where involvement of a third party IdP
should not be needed.
Identity federation between business partners is not new, and many
businesses employ federation so that employees of one organization,
once logged into their in-house systems, do not need to
re-authenticate themselves to access the systems of their business
partners. This is the classic single sign-on use case. I suppose a
case can be made that these organizations could rely on external
IdPs for authenticating their own employees, and for federation with
business partners.
But in my opinion, the truly interesting federation problem involves
public-facing, high-value services for individuals / consumers in
which there is significant risk of harm when mis-identification
occurs. When someone unknown to the service provider seeks to
enroll in such a service, there is considerable advantage to being
able to rely on an assertion from a trusted third party to establish
that new relationship. But once enrolled, why should these service
providers continue to depend on assertions from third party identity
providers for routine, ongoing customer access to these services?
There is a cost and availability issue to consider: these SPs may
need to pay something to the IdP for these authentications, and
there is always the possibility that the IdP will be unavailable,
thereby preventing customers from accessing their services. And
then there is the privacy issue - these IdPs will know which
services users are accessing, and when they are doing so.
There certainly are use cases where involvement of an IdP may be
needed each time someone uses a service. For instance, NSTIC might
support the notion of tokenized credit card payments. Instead of
providing a credit card number to an online merchant, a virtual
credit card number is generated by a bank acting as an IdP. This
virtual cc number may only be valid for a specific merchant for a
short period of time, or only for a single transaction. And a
trusted IdP can assert someone's identity to an RP for the purpose of
establishing a new high-value relationship, or when critical
attribute values change and must be known to the service provider.
But in many other cases, I think it is worth exploring ways in which
RPs could authenticate their customers for ongoing access to their
services without needing to involve an IdP every time.
SSL / TLS was designed to provide a secure channel between service
providers and their users for conducting online transactions, as
well as for providing mutual authentication of service providers and
users. But while it has succeeded in achieving the first goal, it
has largely failed in the second, especially as regards the use of
client-side certificates for authentication of users to service
providers. As Francisco Corella of Pomcor has suggested, client-side certificates
could be issued by RPs directly to their users via TLS by means of
new issuance protocols. These "login certificates" could then be
used for strong authentication of the user to the service provider,
without requiring the involvement of a third party identity
provider.
Alternatively (and perhaps more in synch with Kantara's mission),
trust frameworks could be defined to allow users to "bring your own
credential" to the service provider. An NSTIC-compliant identity
ecosystem might therefore enable multiple SPs / RPs to trust a PKI
certificate that a user already possesses, so that it may be bound
to these services for ongoing authentication.
I'm not sure what it means for Kantara to interface with NSTIC,
other than to have a place on the NSTIC Steering Group. Should
Kantara adopt, and advocate for, certain positions or policies as a
member of the Steering Group? For instance, would Kantara, through
this DG, agree with some of the positions stated above? If not,
would / should the DG advocate for other positions?
---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
kan...@bobpinheiro.com
www.bobpinheiro.com
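The "login certificate" idea in the post (an RP issuing its own client certificates so that routine authentication needs no third-party IdP) is easy to sketch with standard X.509 tooling. The following Go program is an added illustration written for this page; it is not code from the post, from Kantara, or from Pomcor, and it does not implement any particular issuance protocol. It assumes the RP operates its own small CA, that the account identifier is carried in the certificate's Common Name, and that the user's public key has already reached the RP during enrollment (the type and function names are hypothetical). It shows the RP issuing a short-lived client-auth certificate to an enrolled account and then verifying a presented certificate against only its own CA, so a certificate from any other issuer, including a third-party IdP, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer is the relying party's own certificate authority for login
// certificates. Assumption for this example: the RP runs this CA itself,
// so routine authentication never contacts a third-party IdP.
type Issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewIssuer creates a self-signed CA for the RP (constructed for the example).
func NewIssuer(name string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{cert: cert, key: key}, nil
}

// IssueLoginCert binds an already-enrolled account (established out of band,
// for instance via a one-time IdP assertion) to a key pair the user holds.
// The leaf is restricted to client authentication and given a short lifetime.
func (i *Issuer) IssueLoginCert(accountID string, userPub *ecdsa.PublicKey, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: accountID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, userPub, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthenticateClient is the check the RP's TLS server runs on the certificate
// the client presented (tls.ConnectionState.PeerCertificates[0]). It returns
// the account ID only when the chain ends at the RP's own CA, the certificate
// is inside its validity window, and it is marked for client authentication.
func (i *Issuer) AuthenticateClient(presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(i.cert)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if presented.Subject.CommonName == "" {
		return "", errors.New("login certificate carries no account identifier")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	rp, _ := NewIssuer("Example RP Login CA")
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // held by the user
	cert, _ := rp.IssueLoginCert("acct-12345", &userKey.PublicKey, 24*time.Hour)
	fmt.Println(rp.AuthenticateClient(cert, time.Now()))
}
```

In a real deployment the same verification is what `tls.Config` with `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs` set to the RP's pool performs during the handshake; the point of writing it out is to make visible that the only trust anchor consulted is the RP's own, so the cost, availability, and privacy concerns the post raises about per-login IdP calls do not arise. The short lifetime keeps the RP's revocation burden small, which matters because the RP, not an IdP, now owns that problem.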