It's been several months since I last communicated with you as
participants in the Kantara Consumer Identity WG. In my last email,
I announced that an Interim Report has been produced. If you
haven't already, I would
urge you to take a look at this Report, since it describes what CIWG
is trying to do, as well as some of the important issues involved.
I recently updated the CIWG website to include some proposed
requirements for an identity
infrastructure / ecosystem that could make it better able to support
high assurance consumer claims, as well as a brief outline of
technologies that could support these requirements. I also provided
two diagrams that illustrate how U-Prove technology might be used to
support two potentially useful functions of an identity ecosystem:
- the ability to prevent identity providers and others from
tracking and correlating usage of a consumer’s high assurance
identity-related claims (for privacy purposes); and
- the ability to transmit claims to a relying party without
needing an identity provider to be online (to prevent the
identity provider from becoming a single point of failure that
could prevent the service provider's / relying party's customers
from being able to access their online resources).
So where do we go from here? The original goal of the WG was to
produce whitepapers or other reports that could help define the
capabilities of an identity infrastructure / ecosystem that would
enable consumers and relying parties to utilize high assurance
consumer claims in a way that consumers would find acceptable. The
Interim Report and the additional material on the CIWG site is my
initial attempt at this goal. However, two obstacles are impeding
further progress:
The first is that trying to specify or define capabilities of an
identity ecosystem to support high assurance consumer claims,
without involvement and guidance from relying parties that will make
use of such claims, may not yield the most useful results. These
relying parties are the ultimate "consumers" of online digital
identities, and are the entities most likely to work with consumers
(their customers) to introduce them to stronger forms of digital
identity. I don't believe there will be much of a push from
consumers themselves for stronger digital credentials. It will be
up to relying parties to make the case for the identity ecosystem,
and to work with consumers to educate them and foster their adoption
of stronger digital credentials. Currently (at least in the US),
the push for the creation of an identity ecosystem is coming from
the federal government, in the form of the Open Identity Solutions
for Open Government initiative, as well as the National Strategy
for Trusted Identities in Cyberspace (NSTIC). I
believe that what's needed now is greater involvement and support
from relying party organizations such as banks and other financial
institutions, credit card and other payment services, healthcare
organizations that will create and maintain online patient records,
and other providers of high value services that could benefit from
reduced rates of identity-related fraud or errors.
For those of you not in the US, I apologize if the focus of this WG
has been very US-centric. Besides the fact that I myself am in the
US, another reason is that it appears that the US lags behind Europe
and Asia in terms of deploying high assurance digital identity
technologies that could be used by consumers. However, I would
welcome any comments you might have about this assertion, or other
suggestions you have to make the WG more relevant to an
international community.
The second impediment is lack of resources to accomplish the goals
of the WG. There is no funding being provided to this WG from
Kantara to help achieve its goals, and I have not been successful
(so far) in raising any other outside funding. WG teleconference
calls in the past have been very lightly attended (2 or 3
participants). Some of the other Kantara WGs have received funds to
support their work, either from Kantara itself or from outside
sources, so that they don't have to rely completely on volunteers to
accomplish their goals. The ability of this WG to obtain such
funding remains one of my goals as Chair.
Despite the lack of activity, there are a few things on the horizon
(again in the US) that may spur greater interest in high assurance
consumer identity. One of these is the aforementioned National
Strategy for Trusted Identities in Cyberspace, which is expected to
be issued in its final form shortly. This is supposed to be a
public-private "partnership", and will hopefully provide some
resources to the private sector to move forward with pilot projects
and other work to achieve the vision of an identity ecosystem /
infrastructure that will be accepted and used by relying parties as
well as consumers. A second activity is the expected release of a
new authentication "guidance" from the Federal Financial
Institutions Examination Council (FFIEC). The previous guidance (in
2005) directed US banks to implement stronger forms of
authentication for online banking. Due to increased levels of fraud
in connection with online banking (especially for small businesses),
a new guidance is expected shortly. This may also help set the
stage for defining the capabilities of an identity ecosystem to
support these needs. A third activity is that some states have
formed a State Digital Identity Working Group to investigate the
possibility
of issuing digital IDs to their citizens (consumers) for various
purposes.
A few new participants have joined the WG recently. In the past,
teleconference calls were scheduled for Tuesdays at 12 Noon ET /
1600 UTC. Before attempting to schedule any future calls, I'd like
to get some feedback from the WG on this email, including any
comments or suggestions for moving forward, and for defining an
agenda (and time) for future calls. Please direct your responses to
the list, or to me directly.
Thanks
Bob
---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
consu...@bobpinheiro.com
www.bobpinheiro.com