[WG-Consumer-Identity] CIWG Interim Report and Next Conference Call, Tuesday September 21

Bob Pinheiro

Sep 16, 2010, 10:30:43 AM
to wg-consume...@kantarainitiative.org
Tuesday, September 21, 2010
9AM PT / 10 AM MT / 11 AM CT / 12 Noon ET / 5 PM UK / 1600 UTC
Skype: ++9900827044630912
US/Canada Dial-In: +1-201-793-9022 | Room Code: 4630912
UK  +44 (0) 8454018081


I've made two additions to the Consumer Identity WG website. The first is a draft Interim Report that captures what I think are many of the important issues in high assurance consumer identity, together with a compilation of the material that was already on the CIWG site (i.e., consumer identity "needs", use cases, and definitions). I also attended the recent Internet Identity Workshop (IIW) East 2010 "unconference" in Washington DC, and held a session on high assurance consumer identity. I've added the presentation from that session to the CIWG site, but these slides are just a subset of those contained in the Interim Report.

The Interim Report is in draft form, and needs to be approved by the voting participants of the WG.  So I'd like to schedule a call to quickly review the highlights of the Interim Report, get feedback, and decide whether changes need to be made to the Interim Report before a vote is taken.   There won't be enough time on the call to review the report in detail, so I hope you will take a look before the call and bring any comments you may have.  If you can't attend the call but have comments anyway, please feel free to email me or post your comments to the CIWG mailing list.

The second agenda item is to discuss the path forward. As you'll see from the Interim Report (and which you may have previously noticed in the old CIWG Project Plan, which is now obsolete and has been removed), there are many questions, but few answers so far. That reflects two things: lack of involvement in CIWG by those who could potentially help to answer these questions, and lack of funding for pursuing this work. For instance, the Interim Report states that the areas where high assurance consumer identity is likely to be most important are: financial services and electronic payments, healthcare and electronic patient records, high value transactions with government agencies and credit bureaus, and the emerging area of personal data stores and permissioned access. So one topic for discussion is, can progress be made towards formulating recommendations and guidelines for an identity infrastructure that supports high assurance consumer identity in these areas, without heavy involvement from key industry players? If not, how do we generate more interest and involvement?

Thanks

Bob
---------------------------
Bob Pinheiro
Chair, Consumer Identity WG
908-654-1939
consu...@bobpinheiro.com
www.bobpinheiro.com

j stollman

Sep 20, 2010, 11:18:40 AM
to Bob Pinheiro, wg-consume...@kantarainitiative.org
Bob,

In advance of the CIwg call tomorrow, I offer the following comments on the Draft Interim Report:
  1. The report assumes an inherent bias towards having service providers take responsibility for protecting consumer identity information, absolving consumers from much of the responsibility.
  2. At this point in time, I am not sure that either party (service providers or consumers) has the expertise necessary to take on this responsibility.  A strategy that both supports high-value transactions and protects personal information is not obvious -- even to us as experts.  While elements of such a strategy exist (e.g., PKI certificates or HSPD-12 ID tokens), these elements alone are insufficient to cover the full end-to-end process of registering a user, verifying that he is who he says he is, issuing him a token, providing an audit trail of the issuance, protecting the information used to issue the token, etc.
  3. There seems to be a failure by many to acknowledge that there is inherent tension between the collection of personal information necessary to initially register an applicant and the need to minimize the exposure of personal information to the public.  The stronger is the initial verification of an individual's identity, the more detailed are the requirements for collecting unique personally identifying information.   The more personally identifying information that is collected, the more the protection of the individual's privacy is at risk.
  4. As technologists, we tend to view risk in a "best case" mode.  For example, we imagine that information collectors who issue tokens (e.g., governments such as the US or UK, or banks) are either beneficent or sufficiently constrained by regulation to continually seek to protect the privacy of their citizens/clients.  We overlook the outliers such as Nazi Germany which used such information to propagate genocide.  There are also plenty of less extreme examples of abuse such as Northern Ireland where an address was sufficient grounds to designate an "enemy."  Or, numerous countries in Africa where a last name was sufficient to associate you with an enemy tribe to be targeted for extinction.
  5. For the above reasons, I believe that the focus of CIwg needs to be to define a comprehensive, end-to-end technical ecosystem that can be demonstrated to be practically implemented at a reasonable cost to all parties.  "Cost" must include not only the direct expense of implementing the system, but also the "intangible" costs (e.g., an estimation of the risks to the various parties of a failure in any part of the system).
  6. Included in this ecosystem is a way to address the inherent conflict between the maintenance of an auditable "track record" around the issuance of a credential and the protection of the information used to substantiate this issuance. 
Thank you.

Jeff

--
Jeff Stollman
stoll...@gmail.com
1 202.683.8699

Bob Pinheiro

Sep 20, 2010, 4:38:53 PM
to j stollman, wg-consume...@kantarainitiative.org
Jeff,

Thanks for your comments.  As far as protection of a consumer's identity information by a service provider, I believe this is an issue that will need to be addressed as the legal issues regarding trust frameworks and identity ecosystems are hammered out.  As you know, the American Bar Association has a task force devoted to drafting a legal framework for federated identity management systems.  Also, I believe that K&L Gates has done work for the Open Identity Exchange (OIX) on the legal issues surrounding trust frameworks.  So I'm assuming that at some point (at least in the US), the legal requirements for protection of personal information by service providers will be worked out.

As for the expertise to deploy the technologies necessary to provide the required levels of protection, would not the service providers either have this expertise, or be able to obtain it? But maybe I've misunderstood your point.  I agree that the whole process of registering users, proofing their identities or other relevant claims, issuing credentials, etc, needs to be defined.  But I think some of this may need to be done within specific "trust communities" such as financial services, healthcare, personal data stores, etc., whereas other parts may be common across all communities.  For instance, service providers / relying parties in different trust communities may possibly have different criteria for defining a person's identity or claim necessary for providing a service.  But why couldn't the same personal X.509 certificate (for instance) be bound to each relationship or account, regardless of the service provider?  These are just some of the issues to be addressed in defining an identity ecosystem, and I do agree that CIWG should have some role in making sure that such an ecosystem can effectively support the need to help prevent consumer identity fraud in high value transactions.

Even though identity providers may need to collect and verify personal information about consumers in order to proof their identities, it seems to me that data breaches will still occur, and the consumer's privacy will be at risk, unless strong measures are taken by identity providers to protect this information. It's not clear to me why data breaches would be less likely in the case of identity providers than what we currently witness today, unless the laws and regulations defining requirements for data protection by identity providers are stronger.   

I tried to make the point in the Interim Report that I don't think that an identity assertion from an identity provider to a relying party will be needed in all cases.  Where it definitely is needed is during the initial establishment of a new high value relationship or account with a service provider.  During this process, the service provider needs to have high assurance of some identity-related claim in order to establish the service.  The trusted identity assertion provides that.  But once the relationship is established and a protected resource is defined, the service provider just needs to know it's the same person coming back each time.  So some type of challenge/response interaction between service provider and consumer (possibly based on personal certificates and their corresponding private keys) could be used, without involving an identity provider.  This is just another issue to be addressed in defining what an identity ecosystem might look like.

Bob
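
The flow described in the message above (an identity provider's assertion only at enrollment, then challenge/response against the consumer's key on each return, with the same key bound to accounts at more than one service provider), as an added example that is not part of the thread. It substitutes a raw Ed25519 key pair for a personal X.509 certificate, and the `Consumer` and `SP` types, provider names and account names are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

func fresh(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // fail closed if the system RNG is unavailable
	}
	return b
}

// Consumer (hypothetical) holds the private key; only the public key and signatures leave it.
type Consumer struct{ priv ed25519.PrivateKey }
func NewConsumer() *Consumer { return &Consumer{ed25519.NewKeyFromSeed(fresh(ed25519.SeedSize))} }
func (c *Consumer) Pub() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
func (c *Consumer) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// SP (service provider, hypothetical) keeps each account's enrolled key and outstanding challenge.
type SP struct {
	name    string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewSP(name string) *SP { return &SP{name, map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (sp *SP) Enroll(acct string, pub ed25519.PublicKey) { sp.keys[acct] = pub }

// Challenge binds a fresh nonce to this provider and account by name, so a
// response made for one provider is useless at another holding the same key.
func (sp *SP) Challenge(acct string) []byte {
	sp.pending[acct] = append([]byte(sp.name+"|"+acct+"|"), fresh(32)...)
	return sp.pending[acct]
}

// Verify consumes the challenge (single use) and checks it against the enrolled key.
func (sp *SP) Verify(acct string, sig []byte) bool {
	msg, pub := sp.pending[acct], sp.keys[acct]
	delete(sp.pending, acct)
	return msg != nil && pub != nil && ed25519.Verify(pub, msg, sig)
}

func main() {
	c, bank := NewConsumer(), NewSP("bank.example")
	bank.Enroll("acct-1", c.Pub()) // done once, after the identity provider's assertion is accepted
	fmt.Println("login accepted:", bank.Verify("acct-1", c.Respond(bank.Challenge("acct-1"))))
}
```

No identity provider takes part after `Enroll`; what the service provider learns on each return is only that the holder of the enrolled key answered this particular challenge.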

Sal Khan

Sep 20, 2010, 7:32:20 PM
to Bob Pinheiro, j stollman, wg-consume...@kantarainitiative.org

Classification: UNCLASSIFIED

Bob/Jeff

I am following the threads below with interest. Unfortunately, in the past with the Kantara Healthcare group, whenever I have interjected with a it collided with the group's knowledge of legacy authentication systems.  These legacy authentication systems have led to an ever increasing level of fraud and identity theft. It is because legacy authentication systems authenticate the password, X509 certificate, smart card, or OTP token etc. These authentication devices and systems DO NOT COMMIT FRAUD.  It is the human that commits fraud and the human is NOT authenticated by legacy systems.  What is needed are products that meet six strategic imperatives described in the attached document. To note legacy systems can only accommodate two of the strategic imperatives described in the attachment.

To further make my point regarding Cyber Security – Users worldwide that use the Internet are concerned about losing their identity and their privacy.

The answer from service providers (online banks, online gaming sites, online Govt. services, eHealth etc) is to claim to make their sites more secure, yet the identity of the consumer is lost when the consumer logs on to the service provider's site (phishing, pharming, hacking, keystroke malware).

The Norton report from Symantec available at the link below makes my point – If consumers knew that a solution to protect their identity was available they would use it – just like Swiss consumers are doing at the BEKB bank deployment (see USE CASE below)

Norton

http://www.symantec.com/content/en/us/home_homeoffice/media/pdf/cybercrime_report/Norton_USA-Human%20Impact-A4_Aug4-2.pdf

(the file size was too big to send as an attachment)

News release provides comment to the above report

http://www.thenewnewinternet.com/2010/09/10/report-cyber-crime-victims-often-blame-themselves/

News release re Canadians

http://www.canada.com/news/Canadian+victims+cybercrime+feel+helpless+guilty+Report/3493588/story.html

USE CASE

The largest commercial deployment of FlickerCard to date is in Switzerland, where FlickerCard is being used for online access to bank accounts at the BEKB Bank as described below. (It is also being used by NATO in a trial). Above also attached are bank billboards advertizing FlickerCard (called the Internet Passport in Europe). To note that the FlickerCard issued by the BEKB bank is now being accepted by 3 government agencies to login to online govt services, including an eHealth portal (see below and press release from Axionics, MM Meilenstein 4710, attached above).

Use case summary - FlickerCard’s initial large-scale deployment is at the BEKB bank in Switzerland for online banking. After an 18 month evaluation and trial period, FlickerCard (called the Internet Passport in Europe) was commercially deployed commencing May 2010.  The first order of 10,000 FlickerCards was purchased by bank customers very quickly, leading to a second order of 10,000 FlickerCards with a third pre-order of 10,000 FlickerCards. Three state (called Cantons in Switzerland) government agencies are now accepting FlickerCard as a credential for eGovernment Services including taxation and eHealth.  This deployment was carried out by aTrust’s partner.

Link to the BEKB bank site http://www.bekb.ch/en/index.htm - you will note the home page is advertizing FlickerCard –

Of course I have a conflict since my company is an exclusive reseller of FlickerCard and we have developed a privacy compliant identity service that uses FlickerCard to verify the identity of consumers for the usual high value transactions.

I look forward to receiving your thoughts.

Best regards

Sal

aTrust Digital Economy Submission FR2 2010-06-29.pdf

Bob Pinheiro

Sep 21, 2010, 10:42:19 AM
to Sal Khan, wg-consume...@kantarainitiative.org
I've updated the draft Interim Report to v1.1, accessible here:
http://kantarainitiative.org/confluence/display/WGCI/2010/09/15/CIWG+Interim+Report

The only difference between this and the earlier version (1.0) is that at the bottom of page 12, I've included a slide image (#27) that enumerates the 6 strategic initiatives for secure cyber-access that Sal has presented.  Although the applicability of these initiatives would extend beyond consumer identity, I've included them anyway as a placeholder for future work.  The one initiative that I think is most applicable to consumer identity is #3, which refers to electronic human authentication and biometrics.  Whether biometrics is, or should be required for consumer authentication at the various assurance levels is a topic for debate.  Clearly it would be most applicable at Assurance Level 4, although NIST 800-63 does not strictly require biometrics for human authentication.   I think it will be up to different trust communities that may choose to develop their own trust frameworks to determine whether biometrics is needed to satisfy the needs of service providers in those communities that will be relying on high assurance consumer authentication. 

Bob