[KI-LC] Action Item 6b - United Identities (UI) paper - are we interested? - LC call 4th August
kantara at bobpinheiro.com
Thu Aug 19 17:37:47 EDT 2010
In principal, the idea of an initiative focused on providing strong
authentication to help prevent identity fraud is good. However, if this
initiative is going to truly help cut costs related to identity fraud, I
think it's going to have to involve stakeholders from businesses in
which identity fraud causes the most severe losses. For instance,
financial services. There is plenty of financial fraud going on as a
result of weak authentication, including "account hijackings" in which
fraudsters break into online bank accounts and drain the money, identity
theft resulting from stolen personal information in which new credit
accounts are established, as well as bogus credit card charges resulting
from stolen cc numbers. Stronger authentication could help prevent
these, and possibly the UI initiative could help.
However, I don't see anyone from the financial industry listed in the UI
working group. The UI working group is made up of technologists, some
of whom represent universities, which is not really where the high value
identity theft is. I think it's critical to get some stakeholders from
financial institutions involved, and probably also healthcare
organizations such as health information exchanges (since medical
identity theft is growing). There are plenty of alternatives already
available for doing strong authentication, but they haven't really
caught on, at least at the consumer and small-business level. So I
think UI needs to get the right stakeholders on board at the beginning.
Another point is that I don't think the initiative should be focused
solely on Yubikey, or on one-time passwords. I'm not sure that does,
but I'd like to see other strong auth technologies included, such as PKI
(that is, use of a personal certificate coupled with a private key,
residing on a portable device that would be easy for consumers to use).
This wouldn't necessarily have to involve SSL and client-side
certificates, but maybe could involve a SAML assertion from an IdP once
the user has authenticated to the IdP using public/private key crypto
I'm not sure what you mean by Kantara "taking this forward." Does that
mean Kantara would contribute financially to this? If the NASPO
experience is any indicator, that might be difficult. Although I have
to say, under the right circumstances I can see this initiative as
helping the Consumer Identity WG achieve its goals. So if I can
contribute to the ongoing discussions as a member of the UI working
group, count me in.
On 8/18/2010 12:19 AM, Colin Wallis wrote:
> Greetings all
> Armed with the Minutes of the last meeting, I am now working through
> some actions.
> Many of you are aware of this work to a greater or lesser extent, and
> you'll see some familiar names:-)
> Kantara is mentioned specifically.
> So this email is to ask you to review the proposal outlined in this
> paper, and respond to the list with your view on whether Kantara is
> interested to take this forward (should UI approach Kantara of course).
> Thanks in advance for your input.
> CAUTION: This email message and any attachments contain information
> that may be confidential and may be LEGALLY PRIVILEGED. If you are not
> the intended recipient, any use, disclosure or copying of this message
> or attachments is strictly prohibited. If you have received this email
> message in error please notify us immediately and erase all copies of
> the message and attachments. Thank you.
> LC mailing list
> LC at kantarainitiative.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the LC