[WG-Consumer-Identity] Updated CIWG Interim Report and Next CIWG Call, October 12


Bob Pinheiro

Sep 29, 2010, 12:04:03 PM
to wg-consume...@kantarainitiative.org
Tuesday, October 12, 2010
9AM PT / 10 AM MT / 11 AM CT / 12 Noon ET / 5 PM UK / 1600 UTC
Skype: ++9900827044630912
US/Canada Dial-In: +1-201-793-9022 | Room Code: 4630912
UK +44 (0) 8454018081



An updated version of the draft Consumer Identity WG Interim Report is available, partially based on comments and feedback received as a result of the last CIWG call.  The draft Interim Report v1.2 also describes possible follow-on work, provided adequate resources can be secured.

I'd like to use the next CIWG call for additional discussion of any comments regarding the Interim Report.   Since the report is somewhat lengthy, there isn't enough time to walk through the whole thing and still have time to discuss comments.  So if you are interested in having a voice regarding the content of this Interim Report, please review it before the call and come prepared with specific comments or questions, or email them to me (or post to the list) before the call.   To entice you to look at the report (and hopefully not discourage you), I've copied the Executive Summary below.

After a final review of comments received, and additional revisions of the Interim Report (if needed), I'd like to schedule a vote to formally approve the Interim Report.  Also, there are some changes to the CIWG Charter that need to be approved, so that the Charter reflects the WG's deliverables as defined in the Interim Report.  The proposed changes to the Charter are here, with the changed text in red.

Thanks

Bob

---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
consu...@bobpinheiro.com
www.bobpinheiro.com



----------CIWG Interim Report v 1.2 Executive Summary------------------

Online services for consumers that involve “high value” financial transactions or payments, including the establishment of new high value relationships and accounts, are prime targets for various types of identity fraud.  With the advent of electronic patient records and personal data stores, the opportunities for harm to consumers as a result of fraudulent access to sensitive information become even greater.  While consumers may not necessarily articulate a “need” to carry around hard tokens or other forms of high assurance identity credentials to deal with these problems, they would almost certainly state a need to prevent others from “stealing their identities” by breaking into their bank accounts, obtaining new credit cards in their name, accessing their sensitive personal and medical information, or otherwise impersonating them in situations where the outcome can be harmful to the consumer.  These needs can only be met when strong authentication methods and “open identity” technologies can be combined to create high assurance consumer identity solutions in a way that is easy for consumers to use and understand, and that protects consumers’ privacy as well.  One aspect of the privacy issue is that high assurance identity-related claims should only be necessary in high value transactions.

Although the focus of CIWG is consumer identity, it is not only consumers that benefit if identity theft can be prevented.  To the extent that consumers can avoid these kinds of identity fraud, service providers also benefit as a result of reduced financial loss, as well as limiting potential liability and damage to their reputations.

Strong authentication technologies already exist, of course, but have not seen widespread deployment and use in consumer applications.   This is due to factors including usability, convenience, education and awareness, cost, and weak motivation for better fraud prevention.   However, as criminals find new ways to steal personal information and use it to enable identity-related crimes against consumers, it’s clear that identity fraud prevention requires more than attempting to keep personal information secure.   What’s needed are better ways for service providers to authenticate identity-related claims, as well as stronger motivations for their use in high value transactions.

This Interim Report describes the identity theft/fraud problem, and advocates that the solution is to enable (and motivate) service providers to rely on high assurance, identity-related claims during the establishment of new high value services or relationships, and as a condition for granting access to previously-established high value services or protected resources.  This Interim Report also enumerates various issues that need to be addressed in order to do this.  Such issues include:

  • Will different “trust communities” such as financial services, healthcare, etc., seek to define their own trust frameworks, with differing criteria for what constitutes a high assurance assertion, identity proofing, or acceptable authentication technologies for high assurance claims?

  • Will consumers be able to use the same credentials or authentication tokens for authentication to service providers / relying parties in different trust communities?

  • Will consumers be able to access all their credentials and/or authentication tokens from the same digital “wallet” or active client?

  • How will consumers obtain and deploy the necessary credentials / tokens / active clients? 

  • How should the definition of “high assurance” change to account for consumer-related claims other than claims of identity; for instance, claims of authority to access protected online resources, or claims of authority to make an online payment from a payment account, or to move money out of an online financial account?

  • Can high assurance credentials and tokens issued to consumers for authentication of identity claims by an identity provider also be used for non-assertion based authentication of consumers to service providers / relying parties for frequent, ongoing access to protected resources; that is, without relying on assertions from an identity provider?  

The ultimate goal of the Consumer Identity WG is to provide specific recommendations to help ensure that emerging identity infrastructures can enable high assurance claims of identity or authorization needed to prevent identity theft and other types of identity-related fraud affecting consumers and service providers.   CIWG also seeks to understand the feasibility issues pertaining to large-scale deployments of these capabilities.  In order to better approach this goal, CIWG seeks to initially create a report that describes the current state of high assurance / strong authentication applications for consumers, and that expands on the challenges and roadblocks that need to be overcome.

The ability of CIWG to produce these results is highly dependent on whether funding is available to retain necessary personnel and resources, as well as the interest and availability of volunteer WG participants.

j stollman

Sep 29, 2010, 4:17:31 PM
to Bob Pinheiro, wg-consume...@kantarainitiative.org
Bob,

On Page 5, Slide 2 (Purpose), should the service providers' concern be "Authentication" rather than "Authorization"?

On Page 8, Slide 2 (Some Examples),
  • I think that "Access to credit report" is sufficient without the words "free online"
  • I am not sure what is meant by "Authorized permissions for data access."  Without further explanation, I am not sure that this is a good example.

On Page 9, Slide 1 (Can Better Secured ...), it might be wiser to state "High assurance can improve fraud prevention" rather than using the arrow which suggests the word "implies."

Jeff


_______________________________________________
WG-Consumer-Identity mailing list
WG-Consume...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-consumer-identity




--
Jeff Stollman
stoll...@gmail.com
1 202.683.8699

Bob Pinheiro

Oct 7, 2010, 9:21:46 AM
to wg-consume...@kantarainitiative.org
see inline comments
- bob


On 9/29/2010 4:17 PM, j stollman wrote:
> Bob,
>
> On Page 5, Slide 2 (Purpose), should the service providers' concern be "Authentication" rather than "Authorization"?

Because this slide summarizes the purpose of CIWG, it appears before several other slides (such as the first slide on page 10) that (I think) explain my rationale for this. What a service provider needs during the enrollment process (when a new relationship or account is established) is high assurance of the consumer's identity. The way the service provider gets this assurance is by means of an identity assertion from a trusted identity provider that contains identity attributes sufficient to establish the consumer's identity. But after the relationship/account is established, I say that such an identity assertion is no longer needed for ongoing access to protected resources. What's needed instead is for the service provider to have high assurance that someone seeking to access an existing high value account or resource is authorized to do so. That could be done if the consumer is able to prove control of an authentication token (password, private key, one-time password, etc.) that the service provider previously associated with the relationship/account during its establishment.

So during the enrollment process, the service provider needs authentication of an identity claim. For ongoing access, the service provider needs authentication of an authorization claim.

> On Page 8, Slide 2 (Some Examples),
>   • I think that "Access to credit report" is sufficient without the words "free online"

I could drop "free online." I was sort of assuming here (but didn't explain) that a consumer might want to obtain a free annual credit report without actually establishing a relationship or account with a credit bureau. So by going to annualcreditreport.com, the consumer needs to establish his/her identity in some way, such as by means of an identity assertion from a trusted identity provider to annualcreditreport.com.

>   • I am not sure what is meant by "Authorized permissions for data access." Without further explanation, I am not sure that this is a good example.

By "authorized permissions" I mean "permissioned access" as this term is used by User Managed Access. That is, the consumer authenticates to an Authorization Manager in order to set up or modify permissions for third parties to access personal data. In other words, the consumer grants permission, or authorizes, third party requesters to access certain personal data. Is there a better way to state this?

> On Page 9, Slide 1 (Can Better Secured ...), it might be wiser to state "High assurance can improve fraud prevention" rather than using the arrow which suggests the word "implies."

What I was trying to convey here is that high assurance implies a need to prevent fraud. If that didn't come through, I'll change the slide. So in other words, if you didn't care about fraud prevention, then you wouldn't need high assurance assertions or credentials... low assurance ones should be fine. I was trying to convey the idea that the only reason to be concerned about "high assurance" is fraud prevention, otherwise just use "low assurance." If there's another reason to be concerned with "high assurance" that doesn't involve fraud prevention, what would it be?

> Jeff



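The two-phase model Bob lays out above (an assertion from a trusted identity provider authenticates the identity claim at enrollment; afterwards the consumer proves control of a token the service provider bound to the account, with no identity provider involved), as an added Python example that is not code from the CIWG, Kantara or the Interim Report. The simulated IdP, its HMAC-signed assertion format, and the challenge-response token are all constructed for illustration.

```python
import hashlib, hmac, json, secrets, time

# Constructed key shared by the simulated trusted IdP and the relying party (RP).
IDP_KEY = b"constructed-idp-signing-key"

def idp_issue_assertion(attrs, audience, ttl=300):
    """Simulated IdP: signs identity attributes for one relying party."""
    body = json.dumps({"attrs": attrs, "aud": audience, "exp": time.time() + ttl}, sort_keys=True)
    return body, hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

class RelyingParty:
    def __init__(self, name):
        self.name = name
        self.accounts = {}    # account id -> {"attrs": ..., "token_secret": ...}
        self.pending = set()  # challenges issued but not yet answered (replay guard)

    def verify_assertion(self, body, tag):
        """Enrollment: authenticate the identity claim via the IdP's assertion."""
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return None  # issued for another RP, or stale
        return claims["attrs"]

    def enroll(self, body, tag):
        """Establish the account and bind a fresh authentication token to it."""
        attrs = self.verify_assertion(body, tag)
        if attrs is None:
            return None
        account_id = "acct-" + secrets.token_hex(4)
        token_secret = secrets.token_bytes(32)  # the token the consumer will hold
        self.accounts[account_id] = {"attrs": attrs, "token_secret": token_secret}
        return account_id, token_secret

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def authorize_access(self, account_id, nonce, response):
        """Ongoing access: authenticate the authorization claim by proof of control
        of the bound token. The IdP is not involved at all in this phase."""
        acct = self.accounts.get(account_id)
        if acct is None or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # each challenge may be answered only once
        expected = hmac.new(acct["token_secret"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def consumer_respond(token_secret, nonce):
    """Consumer side: prove control of the token held since enrollment."""
    return hmac.new(token_secret, nonce, hashlib.sha256).digest()
```

An expired or wrong-audience assertion is rejected at enrollment, and a replayed or forged challenge response is rejected at access time, which is where the two kinds of claim Bob distinguishes get checked.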
Bob Pinheiro

Oct 8, 2010, 2:27:12 PM
to wg-consume...@kantarainitiative.org