| Organization | Attendee |
| --- | --- |
| FSTC | Bob Pinheiro |
| Ponemon Institute | Virginia Mouch |
| ISTPA | Kevin O'Neil |
| NIST | Rick Kuhn |
| STS (Strategic Tech Solutions) | Eric Wilson |
| Sun | Robin Wilton |
Introductions
Rick is working on new role based access control standard.
Virginia: RIMM council director focused on privacy and security related projects (working on putting together the key issues regarding enterprises putting in place privacy incident response mechanisms). She has worked in a systems related field and completed a degree in the field.
Eric is involved with privacy and compliance (the people and process part of risk assessment).
Agenda:
1. Robin Wilton’s feedback to last week’s notes
2. Discussion of personas/privacy policy expression languages/role-based access control
3. AOB
1. Robin Wilton's feedback to last week's notes (May 18)
Bob asked a question about different kinds of standards for initially
establishing someone’s identity and how LAP would be involved in that. The
position in the UK is to define 3 or 4 levels of identity assurance, based
on how much effort goes into the registration and enrollment process. Level 1 might be that the user registers, level 2 might be production of some document to prove who they are, etc… NIST has four assurance levels, which sound similar.
Electronic authentication partnership (EAP) was going to be a body that issues
certifications. The question was to clarify the relationship between
Liberty and EAP. What would be useful (either in specifications or implementation guidelines) is guidance for the case where you are a reliant party and an IDP says "I certify my identities at level 2". Can/should Liberty offer any practical guidance as to how that translates into specific levels of reliability for an RP?
Re: the relationship between commercial entities: you cannot sue the government if they are the IDP, but you can sue if the IDP is not a government entity. In social networking cases (where the whole point is that no 'reliable third party' is involved/required), what can we do other than say "buyer beware"?
Bob: in CardSpace you can have self-managed cards and one with an IDP
that is trusted.
Robin: A managed card is issued by a commercial or private sector entity. In terms of Liberty's work, in addition to doing specifications, if you have a certain kind of assurance level and you are contemplating setting yourself up as a reliant party or setting up someone else as the reliant party, would it be beneficial to document that in some 'codified' way? Could that be codified and documented? Here is a field in the authentication format that says 'we believe this is level 2'. We could come out with a white paper identifying the implications for you as the reliant party.
Bob: If you are issuing credentials at level 2, this is what you would have
to do. Is that the kind of thing Liberty wants to do or should be doing?
Robin: It sounds like we need to find out more about the relationship with EAP. What is proposed between EAP & Liberty, and do they already have answers to this?
What does PPEG do? Do you make suggestions for public policy elements that Liberty should support? PPEG’s role is to deal with the fact that much of what Liberty does has significant implications at the policy level. All the complementary, non-technical identity factors such as privacy best practices, legislative compliance and self-regulation. Another of its goals is to understand policy maker implications from a technical perspective as well as from a policy perspective and to understand what policy makers are pre-occupied with and what concepts they use when talking about identity privacy. We try to make sure that Liberty architectures take that into account and establish some common 'language' between policy and technical folks.
What is the objective of this ID Theft SIG? We did come up with some use cases for stronger authentication. Id Theft is when someone steals your information to open a new account. If that is the case, someone gets your information and goes to a bank or credit card company and requests a new account using stolen identity information. Ways to address this issue may either be keeping information secret and/or making it less useful if it is stolen (authentication: verifying that the person is who they claim to be). If a trusted third party has issued credentials of some sort it is a matter of the SP to identify how the IDP verified the identity. The SP would know whether or not someone’s information was stolen. This involves identity assertions, SAML assertions, etc…
SAEG=Strong Authentication Expert Group
BMEG=Business Marketing Expert Group
MRD=Marketing Requirements Document
Eric Nelson: Reading through the Liberty charter it seems that it is a combination of technology and people/processes. Is that true?
Robin: Liberty goes beyond the technical specifications with best
practices, support documents, etc… and to ensure that there is an
ecosystem of interoperable products, etc…
Kevin: A lot of identity infrastructure must be consciously aware of the
security privacy issues out there. Build use cases to help make sure other
organizations are addressing the technology in a responsible way.
Minimize opportunity for identity theft by keeping information more private, or
preventing id theft by tightening the controls of instant credit approval (commercial lenders will no longer approve credit online; they will introduce out of band confirmation to verify the person's identity).
Robin: as the understanding of id theft and identity matures there is a
relationship between id theft and privacy protection, etc… Are id theft and
privacy the flip sides of the same coin? Does privacy protection reduce id
theft for example?
2. Discussion of personas/privacy policy expression languages/role-based access control
Role based access controls are the most established (minimizing access to
data in the first place). Privacy policy and privacy policy expression language (what the user can do to express their preferences).
Personas (partial identities) are a subset of personal information. When I go
online to do my taxes I complete a transaction as my taxpayer persona, if I
purchase from a store I do it through my consumer persona.
There is already some existing technology. We could look into putting
together a privacy solution (privacy policy expression language and role
based access controls) - if we did, could we offer any guidance about
what level of each provides the best 'recipe'?
Virginia: internal corporate management systems, based on level of position would have access to certain levels of data.
Kevin: there are always nuances because someone has another attribute they want to add to the database. Debate is going on in the analyst community regarding the fact that you have a paradox: role-based administration and the fact that it is fundamentally broken (results in more administrative effort than is needed without Role Based Access Controls).
Suggestion:
Role based access control in one organization being filtered through a persona to
another organization: this is something Liberty can help with. (It might be a way of 'translating' a 'role' into something which is meaningful to the relying organization.) Just because the reliant party sees the assertion level does not mean that there is no audit trail. You have gone to a retailer and chosen what you are going to buy; the transaction bounces to the bank, and the bank issues an assertion to the retailer stating that you do not need to know who this is, but here is the money to cover the transaction.
Authentication without identification. With id theft we are talking about
(depending on how we want to define it) people needing to identify
themselves rather than purchasing a service based on one particular aspect
of your identity.
Robin: This is where we run into problems in the commercial aspect. To the
end user it does not look any different. Shibboleth has always permitted “this
person is a member of the institution”. There is still an audit trail at the
IDP. Conceptually it is hard for the average end user to get their head
around zero knowledge proofs. Hard line privacy advocacy is going to get
louder. Hardliners and Higgins are focusing on the use case where I have a
relationship with an IDP, I go online every time I need my identity verified
for an SP. There is the relationship with the IDP but they do not get to
find out every time you go to verify at the IDP. Offline authentication capability
would help preserve privacy and prevent id theft. This would need to be explained to the end user, but also to the SP. It is conceptually hard, the technology might exist but not necessarily in the mainstream.
Kevin: Credit record freezing: it would be powerful to have a mechanism which would allow the consumer to make a request for a credit freeze. Banks have been resisting this legislation, why?
Bob: a number of states have laws to place a security freeze on an
individual's identity information. It is cumbersome to use because you have to
request it in writing, it takes a couple of days, you have to pay a fee, and then when you want to take it off it takes time for them to remove the freeze, etc. A lot of businesses in the credit industry want people to spend money so they do not
want impediments to easy/instant credit.
Robin: Banks do not like it. They can either put it in place and some of the
bad credit applications will get blocked, but so will some of the good credit applications. Banks would rather have good business with the potential for a percentage of bad business.
Kevin: do we know why the banking industry is reluctant?
Bob: some comments from credit bureaus show that the consumer would not be able to make spontaneous purchases.
Eric: The revenue source when accessing the account would be an administrative nightmare. Data is being sold. There are also medical and criminal identity theft examples that have not been mentioned.
Robin: one of the dis-incentives is that it introduces cumbersome issues of
another kind. It assumes that there is an out of band channel that is insecure.
The lender also has to have a secure channel for checking that the apparently
valid application is coming from the person it is coming from. If your
lender has a web page then that is the channel through which they are offering
the credit. For that to work properly, the consumer would need to be able to
lock the request unless it is going through a more secure channel.
Next week's agenda:
We need to define a deliverable, however small, to give us an end point.
Slides that explain a problem, whitepaper, etc… What would be the topic we
would be addressing? We have a technical document.
Privacy rights expression language, better authentication and authorization, personas,
etc…
We also have the wiki.
ACTION: participants to update the wiki with questions they think ID-Theft SIG should be asking (whether or not we know the answers...). If you know the question and all or part of the answers, so much the better... still put it on the wiki.
ACTION: Robin will send out the OECD workshop URL to the public list. CLOSED—see below
UK Cabinet Office wins Liberty Alliance IDDY 2006 Award...
http://www.projectliberty.org/press/details.php?item_id=198 <http://www.projectliberty.org/activities/deployment_award.php>
Meeting Adjourned