May 21, 2008
Liberty Alliance Project
ID Theft SIG
Conference Call
Meeting Minutes
Wednesday, May 21, 2008
12 Noon - 1:00pm ET
Author: Kurt Kolok
CONFIDENTIAL
Attendance:
Bob Pinheiro, Individual Contributor
Kevin O’Neil, CYVA
Steve Bramson, Credentica
Eric Nelson, ?
Ali (?) Lyons, Johnson & Johnson
Joni Brennan, Liberty Staff
Kurt Kolok, Liberty Staff
Agenda:
Discuss the Liberty strategy/position on prevention of identity theft
--Is it necessary to understand the market issues in more detail before Liberty adopts a position?
--Do we take the approach that "if we build it, they will come" and put aside the market issues?
If LAP is going to do anything with ID Theft, it needs to provide a high assurance/trust service for consumers. This could be leveraged to prevent new account identity theft (there would be a discovery service to key on the identity service). One possibility would be writing some white papers and possibly folding the work into IAEG. The view of the IAEG chairs is that we should worry about B2B first.
• Need relying parties/issuing parties to cooperate
• Need to get leverage in order to get overall agreement for a big picture (network where relying parties are trusting Liberty credentialed IdPs).
• Need to get LAP members to get behind something as LAP did with OpenID. How do the IdPs propose making money doing this?
• Need to put some resources behind driving strategy. (Do we need to worry about business issues and do an analysis of the business issues or do we just focus on the technical aspects?)
IAEG co-chairs: Frank Villavicencio (Citigroup) and Alex Popowycz (Fidelity), IA-SIG. The IA SIG did create a template for use cases and had a very well attended first call this past winter. Frank’s thoughts were that ID Theft revolves around B2B. PayPal and AOL may be interested in the consumer side.
Liberty has not funded research before. It has been the will of the groups/members and up to them to determine how to support those deliverables/goals. LAP Members are not required to provide any specific level of support.
FT, AOL, Sun, Oracle, Intel, ATT, Fidelity may all be interested in the ID Theft activities.
Action: Joni will send the list of active participants in the IAEG to the ID Theft mail list.
Consumer perspective: they need to have security components in place for compliance.
Consumer online banking: would they be willing to act as identity providers? Nov 1 compliance date; the penalty would go back to the date when they found they were not compliant. It is up to the institutions to determine the method of confirmation of identity. There is a need for financial institutions to verify someone’s identity. They may use knowledge-based authentication (ChoicePoint, for example).
Action: Joni will speak with Britta re: a list of consumer-based members of Liberty who may be interested in the ID Theft group activity (mainly for the purpose of providing resources/support to the deliverables). CLOSED
Most banks do a decent job of verifying identity. The challenge is that they have not stepped up to begin issuing identity tokens. Liability is an issue re: sharing identity information and using tokens outside of the bank environment.
On the last IAEG call they discussed whether or not they were going to use an existing audit framework; not certain of any resolution.
Should LAP get into the business of providing a ‘seal of approval’, realizing that is not Liberty’s mission?
The Federal government has created assurance levels, but they have not necessarily been accepted by the marketplace. Combining NRE is a significant cost savings. Some businesses will have to pay attention to the red flag rules. There may be identity assurance that focuses on age, for example.
Brett McDowell has been pushing to get HITSP (www.hitsp.org) to adopt the Identity Assurance Framework (to make sure doctors are accessing only the right data).
• We will work to identify those members in Liberty that have some type of consumer orientation.
Meeting Adjourned

