Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
consu...@bobpinheiro.com
www.bobpinheiro.com

----------CIWG Interim Report v 1.2 Executive Summary------------------
Online services for consumers that involve “high value” financial transactions or payments, including the establishment of new high value relationships and accounts, are prime targets for various types of identity fraud. With the advent of electronic patient records and personal data stores, the opportunities for harm to consumers as a result of fraudulent access to sensitive information become even greater. While consumers may not necessarily articulate a “need” to carry around hard tokens or other forms of high assurance identity credentials to deal with these problems, they would almost certainly state a need to prevent others from “stealing their identities” by breaking into their bank accounts, obtaining new credit cards in their name, accessing their sensitive personal and medical information, or otherwise impersonating them in situations where the outcome can be harmful to the consumer. These needs can only be met when strong authentication methods and “open identity” technologies can be combined to create high assurance consumer identity solutions in a way that is easy for consumers to use and understand, and that protects consumers’ privacy as well. One aspect of the privacy issue is that high assurance identity-related claims should only be necessary in high value transactions.
Although the focus of CIWG is consumer identity, it is not only consumers that benefit if identity theft can be prevented. To the extent that consumers can avoid these kinds of identity fraud, service providers also benefit as a result of reduced financial loss, as well as limiting potential liability and damage to their reputations.
Strong authentication technologies already exist, of course, but have not seen widespread deployment and use in consumer applications. This is due to factors including usability, convenience, education and awareness, cost, and weak motivation for better fraud prevention. However, as criminals find new ways to steal personal information and use it to enable identity-related crimes against consumers, it’s clear that identity fraud prevention requires more than attempting to keep personal information secure. What’s needed are better ways for service providers to authenticate identity-related claims, as well as stronger motivations for their use in high value transactions.
This Interim Report describes the identity theft/fraud problem, and advocates that the solution is to enable (and motivate) service providers to rely on high assurance, identity-related claims during the establishment of new high value services or relationships, and as a condition for granting access to previously-established high value services or protected resources. This Interim Report also enumerates various issues that need to be addressed in order to do this. Such issues include:
The ultimate goal of the Consumer Identity WG is to provide specific recommendations to help ensure that emerging identity infrastructures can enable high assurance claims of identity or authorization needed to prevent identity theft and other types of identity-related fraud affecting consumers and service providers. CIWG also seeks to understand the feasibility issues pertaining to large-scale deployments of these capabilities. In order to better approach this goal, CIWG seeks to initially create a report that describes the current state of high assurance / strong authentication applications for consumers, and that expands on the challenges and roadblocks that need to be overcome.
The ability of CIWG to produce these results is highly dependent on whether funding is available to retain necessary personnel and resources, as well as the interest and availability of volunteer WG participants.
_______________________________________________
WG-Consumer-Identity mailing list
WG-Consume...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-consumer-identity
Bob,
On Page 5, Slide 2 (Purpose), should the service providers' concern be "Authentication" rather than "Authorization"?
On Page 8, Slide 2 (Some Examples),
- I think that "Access to credit report" is sufficient without the words "free online"
- I am not sure what is meant by "Authorized permissions for data access." Without further explanation, I am not sure that this is a good example.
By "authorized permissions" I mean "permissioned access" as this term is used by User Managed Access. That is, the consumer authenticates to an Authorization Manager in order to set up or modify permissions for third parties to access personal data. In other words, the consumer grants permission, or authorizes, third party requesters to access certain personal data. Is there a better way to state this?
On Page 9, Slide 1 (Can Better Secured ...), it might be wiser to state "High assurance can improve fraud prevention" rather than using the arrow which suggests the word "implies."
What I was trying to convey here is that high assurance implies a need to prevent fraud. If that didn't come through, I'll change the slide. So in other words, if you didn't care about fraud prevention, then you wouldn't need high assurance assertions or credentials....low assurance ones should be fine. I was trying to convey the idea that the only reason to be concerned about "high assurance" is fraud prevention, otherwise just use "low assurance." If there's another reason to be concerned with "high assurance" that doesn't involve fraud prevention, what would it be?
Jeff
On Wed, Sep 29, 2010 at 12:04 PM, Bob Pinheiro <consu...@bobpinheiro.com> wrote:
Tuesday, October 12, 2010
9AM PT / 10 AM MT / 11 AM CT / 12 Noon ET / 5 PM UK / 1600 UTC
UK +44 (0) 8454018081
An updated version of the draft Consumer Identity WG Interim Report is available, partially based on comments and feedback received as a result of the last CIWG call. The draft Interim Report v1.2 also describes possible follow-on work, provided adequate resources can be secured.
I'd like to use the next CIWG call for additional discussion of any comments regarding the Interim Report. Since the report is somewhat lengthy, there isn't enough time to walk through the whole thing and still have time to discuss comments. So if you are interested in having a voice regarding the content of this Interim Report, please review it before the call and come prepared with specific comments or questions, or email them to me (or post to the list) before the call. To entice you to look at the report (and hopefully not discourage you), I've copied the Executive Summary below.
After a final review of comments received, and additional revisions of the Interim Report (if needed), I'd like to schedule a vote to formally approve the Interim Report. Also, there are some changes to the CIWG Charter that need to be approved, so that the Charter reflects the WG's deliverables as defined in the Interim Report. The proposed changes to the Charter are here, with the changed text in red.
Thanks
Bob
---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
consu...@bobpinheiro.com
www.bobpinheiro.com

----------CIWG Interim Report v 1.2 Executive Summary------------------
Online services for consumers that involve “high value” financial transactions or payments, including the establishment of new high value relationships and accounts, are prime targets for various types of identity fraud. With the advent of electronic patient records and personal data stores, the opportunities for harm to consumers as a result of fraudulent access to sensitive information become even greater. While consumers may not necessarily articulate a “need” to carry around hard tokens or other forms of high assurance identity credentials to deal with these problems, they would almost certainly state a need to prevent others from “stealing their identities” by breaking into their bank accounts, obtaining new credit cards in their name, accessing their sensitive personal and medical information, or otherwise impersonating them in situations where the outcome can be harmful to the consumer. These needs can only be met when strong authentication methods and “open identity” technologies can be combined to create high assurance consumer identity solutions in a way that is easy for consumers to use and understand, and that protects consumers’ privacy as well. One aspect of the privacy issue is that high assurance identity-related claims should only be necessary in high value transactions.
Although the focus of CIWG is consumer identity, it is not only consumers that benefit if identity theft can be prevented. To the extent that consumers can avoid these kinds of identity fraud, service providers also benefit as a result of reduced financial loss, as well as limiting potential liability and damage to their reputations.
Strong authentication technologies already exist, of course, but have not seen widespread deployment and use in consumer applications. This is due to factors including usability, convenience, education and awareness, cost, and weak motivation for better fraud prevention. However, as criminals find new ways to steal personal information and use it to enable identity-related crimes against consumers, it’s clear that identity fraud prevention requires more than attempting to keep personal information secure. What’s needed are better ways for service providers to authenticate identity-related claims, as well as stronger motivations for their use in high value transactions.
This Interim Report describes the identity theft/fraud problem, and advocates that the solution is to enable (and motivate) service providers to rely on high assurance, identity-related claims during the establishment of new high value services or relationships, and as a condition for granting access to previously-established high value services or protected resources. This Interim Report also enumerates various issues that need to be addressed in order to do this. Such issues include:
- Will different “trust communities” such as financial services, healthcare, etc., seek to define their own trust frameworks, with differing criteria for what constitutes a high assurance assertion, identity proofing, or acceptable authentication technologies for high assurance claims?
- Will consumers be able to use the same credentials or authentication tokens for authentication to service providers / relying parties in different trust communities?
- Will consumers be able to access all their credentials and/or authentication tokens from the same digital “wallet” or active client?
- How will consumers obtain and deploy the necessary credentials / tokens / active clients?
- How should the definition of “high assurance” change to account for consumer-related claims other than claims of identity; for instance, claims of authority to access protected online resources, or claims of authority to make an online payment from a payment account, or to move money out of an online financial account?
- Can high assurance credentials and tokens issued to consumers for authentication of identity claims by an identity provider also be used for non-assertion based authentication of consumers to service providers / relying parties for frequent, ongoing access to protected resources; that is, without relying on assertions from an identity provider?
The ultimate goal of the Consumer Identity WG is to provide specific recommendations to help ensure that emerging identity infrastructures can enable high assurance claims of identity or authorization needed to prevent identity theft and other types of identity-related fraud affecting consumers and service providers. CIWG also seeks to understand the feasibility issues pertaining to large-scale deployments of these capabilities. In order to better approach this goal, CIWG seeks to initially create a report that describes the current state of high assurance / strong authentication applications for consumers, and that expands on the challenges and roadblocks that need to be overcome.
The ability of CIWG to produce these results is highly dependent on whether funding is available to retain necessary personnel and resources, as well as the interest and availability of volunteer WG participants.
--
Jeff Stollman
stoll...@gmail.com
1 202.683.8699