Liberty Alliance Project
ID Theft SIG
February 27, 2008
12 Noon-1pm EST
Conference Call
Meeting Notes
Author: Kurt Kolok
Bob Pinheiro, Independent Contributor (Chair)
Dan Combs, Global Identity Solutions
Russ Cutler, Confiance Advisors
Kurt Kolok, Liberty Staff
Discuss whether the SIG may want to provide any suggestions or recommendations in support of the Liberty IAF.
How does the relying party identify the credential SP or IdP? In the certificate there is an identifier. If a one-time password authenticator were used, would the relying party clarify who the IdP is? There needs to be a mechanism that identifies what IdP, if any, is associated with the claimed identity. Does this belong in the IAF or somewhere else within LAP?
Russ: What does the relying party want to know when they ask ‘who is your IdP’?
Bob: It would want to verify that you are the person you claim to be. There is a network of IdPs out there and the relying party wants to confirm that the identity credentials are associated with particular IdPs.
You need discovery to find out who your IdP is and whether or not it can be trusted.
Bob: In an identity framework, the relying party decides whether or not it will trust every LAP accredited IdP and at what assurance level.
Dan: According to the model every credential provider has certain processes and technology to create a trust framework. Everyone that offers a level 3 credential abides by certain rules/requirements.
Russ: We need to make the framework more acceptable/more mapped to the relying party’s internal policy. How can we help relying parties utilize internal policy? We have decided to create a best practices/guidance document to allow the relying parties to utilize the framework. Will that be enough/strong enough for the relying parties?
Bob: Is the credential SP providing the service for a fee? How does the credential SP make money, do they have an on-the-fly agreement with the relying party? Is the credential SP part of a federation and do the parties within the federation exchange money based on an agreement between them?
Dan: Micropayments, subscription fees, etc. Not sure that we need to deal with it unless it’s a topic of interest to the group. The wider the range of relying organizations that can feed information back, the better your discovery process of finding out whose identity is compromised, etc., is.
Bob: Credit monitoring services never admit to real-life scenarios. It seems that the Identity Assurance SIG is focused on federations of healthcare, education federation, etc… How accurately do colleges verify identity? Motor vehicle agencies are becoming more rigorous. Preventing ID Theft has a lot to do with authentication. Where might ID Theft impact other LAP work?
Dan: None of the companies doing this work want to share the information publicly. The things that are working are more in-depth and better-controlled sharing of information (detecting patterns in usage, for example). People are paying more attention to what individuals are doing. Bringing individual users into the equation to assure that they get richer feedback re: their accounts/reports, etc. is one approach.
There needs to be a way of discovering who the IdP is. That recommendation or how it should work might come out of this group.
Discovery process for IdP: discover which credential SP is associated with the identity. This discussion would cross over with the Identity Assurance group. The ID Theft SIG could possibly be a part of the identity assurance activities (maybe identity theft as it pertains to authentication).
Action: We will discuss internally the best place for the ID Theft activity within Liberty.
Meeting adjourned

