Liberty Alliance Project
Id Theft SIG
Meeting Notes
June 1, 2007
12:30-1:35 pm EDT
Author: Kurt Kolok
Attendance:
Credentica Steve Bramson
FSTC Bob Pinheiro
ISTPA Kevin O’Neil
Purdue University Abhilasha Bhargav-Spantzel
STS (Strategic Tech Solutions) Eric Wilson
Sun Robin Wilton
Liberty Staff Britta Glade
Liberty Staff Kurt Kolok
Agenda:
1. Wrap up from last conversation
2. AOB
ACTION: participants to update the wiki with questions they think ID-Theft SIG should be asking (whether or not we know the answers...). If you know the question and all or part of the answers, so much the better... still put it on the wiki.
ACTION: Robin will send out the OECD workshop URL to the public list. CLOSED
ACTION: Kurt will take down the wiki on the member-protected site. Move the tech docs to the public wiki. ONGOING
1. Wrap up from last conversation:
There was some discussion around the reasons we are meeting. The sooner we define our deliverable that asks a question, defines a problem, or gives an answer the better. One area would be the relationship between role-based access control and roles as we understand them currently. Once we have a mature idea of role-based access control we can define generic rules. In most enterprises there is a fair degree of mismatch. PPEL is less mature than role-based access control. The concept of personas is relatively new. There is a significant overlap of the different areas. Is the overlap relevant to questions of identity theft and identity theft prevention? Does this group want to look at this more closely?
Is privacy policy related to roles? They overlap. If you have the definition of roles within the enterprise and a set of access controls to go with that, you might want to take that into account. For example, when I am logged in, they know my role, they know I am an employee, they know I pay into a 401k account, and they cross the enterprise boundary to check my information at Fidelity. That is the kind of data to which I would want to apply privacy policy. If I work at Sun in the travel department and I go to American Express travel services and take with me a package of data, the PPEL might say “this data should remain private between the client and the airline”. The travel consultant might not need to know the data.
Eric: HR and IT do not talk. What is the overall goal for the group?
People, processes (define who has access to data and, if they do not have it, make sure they do not get access). Policy should comprise all of the various elements. We should be looking at roles, personas and PPELs.
FSTC says all companies must take reasonable steps, but they don’t explain what that means. The important thing is to define the data.
What is the purpose of the group? We have dealt with policy conversations, business considerations and technology conversations. Abhilasha has been driving a technical document on the wiki—pointing to the various technical solutions people are looking to.
What kind of privacy controls or information security controls are valuable? Do the existing Liberty specifications define those things? Do we have to define new solutions or does Liberty already have something? What are the privacy controls that are important?
Eric: Sell data—if you buy that information from a company and use it under their privacy policy you’re fine, but if you buy it to use it for other purposes you can be sued under a number of federal laws.
Protection law tends to be framed in that kind of way: purpose of collection and purpose of use. Policy tends to depend on making a semantic match between the two. When you do that online it is more difficult. It is difficult to codify.
This ID Governance MRD will be voted on by the BMEG team within the next couple of weeks. We may want to look at this and provide feedback.
Re: “Identity Governance”—there are links to some resources and a presentation from IIW. Once it is public we should look through and scan it from an identity theft perspective. It helps application developers build applications—it is on the technology side and enables enterprises to identify enterprise level policies.
This relates to the roles, but if the user only has to prove his role or persona related to that particular service there is less information to handle. Making sure the sharing is done in a controlled fashion.
ACTION: Britta will try to get Phil on next week’s call. CLOSED
Re: identity theft with respect to roles and personas: do we want to explore the different areas separately or in parallel? We are looking at the same problem on different levels: how to generate attribute assertions and make sure the correct policy flows with them.
Policies from the SP require filling in/providing a specific amount of information. Either you fill in this form or you do not access the service. For the first time, the user can go to the first party and issue an assertion without having to disclose a password. Shibboleth does that. You can go to your institution and get an assertion for the next institution, but it does this within a predefined group of institutions (educational institutions, for example). Whoever is coming to you came to the open identity IDP side first, making it a very weak assertion.
Will current ecommerce sites buy into this? The SPs may not go for this. They still need a lot more information for their own accountability. If I want an OpenID-type assertion, they will have to decide if they are ready to gather and assert that information. CardSpace does this. OpenID is based on the premise that there will not be a very strong assertion level.
How does Liberty differ from others (OpenID and CardSpace)?
Robin: the answer to the three-party model is a way for the user to store the credential that will be used on their behalf. CardSpace does not seem to add to that in a significant way. Microsoft will say that if your credential is stored in a CardSpace wallet, then you can hook the CardSpace wallet in such a way that it is hard to spoof. If a pop-up appears on your desktop and says it is CardSpace then it really is. When you interact with the wallet and credential issuer there are protocols going on there.
The identity landscape for identity and domain parameters is located at www.openliberty.org in the Identity Landscape>Related Projects folder. We should look at where there are existing standards/protocols addressing the issues.
We need to identify and confirm our face-to-face meeting/workshop.
Meeting Adjourned

