
Kantara Initiative Symposium 2010, September 1, 2010, Tokyo, Japan

Thanks to Kantara Initiative’s Japan WG and their leadership, the Kantara Initiative Symposium 2010 in Japan is being held September 1, 2010, 13:00-18:00.

The workshop covers identity trust inclinations, identity control bases applied to numerous global governments, etc. Kantara Initiative’s President, Matthew Gardiner, will report on the latest industry activity and identity case studies.

Due to a high level of interest this event has just reached capacity. Agenda details and content:
http://kantarainitiative.org/confluence/display/WGJ/Kantara+Initiative+Symposium+2010. We will share details of the event after September 1.


Kantara Initiative Meeting, October 19-21, 2010 at Orange-FT campus, Paris, France

We invite you to join us for the third Kantara Initiative Meeting, Tuesday-Thursday, October 19-21. This event is kindly hosted by Orange-FT at their Issy les Moulineaux campus in Southern Paris.

Registration is now open – the early-bird registration price is $195USD until September 17, then $250USD thereafter until October 21.

Event information is available at our conference page. You can review the agenda, nearby hotel details, maps and travel details at this page.

Stay tuned for details and location for our open-for-all dinner Wednesday, October 20, 6:00-8:00pm.

We hope you will join us later this year in Paris.


Announcing leadership of Kantara Initiative’s Federation Interoperability Work Group (FIWG)
Congratulations to John Bradley who will serve as Chair for Kantara Initiative’s Federation Interoperability Work Group (FIWG).

John received a majority of FIWG voting participants with all votes in favor of his appointment. We look forward to the good work to come from this new group.

We encourage you to review the work of the FIWG, join our next conference call and participate in the group’s activities.


Kantara Initiative’s association sponsorship at pii2010

Registration is open for pii2010.   Taking place August 17-19 in Seattle during Seattle Geek Week, pii2010 will explore the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models.

It’s an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders will come together as a group to examine critical issues like:

  • How emerging technologies & business models are impacting the way data is created, shared and aggregated
  • Effective approaches for building online trust with users
  • Ways in which user preferences and social norms are shifting
  • Changes in the regulatory landscape, in the U.S. and internationally
  • The role of anonymity and the future of reputation management on the Web
  • The latest developments in user-centric identity management

In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for brainstorming and collaborating where you will have an opportunity to share your ideas and projects with other participants.

Contact Dervla O’Reilly, dervla[at]kantarainitiative[dot]org for the discount code (for Kantara Initiative’s members) to save 20% off of pii2010 registration.

Review the 3-day schedule online.


Announcing leadership of Kantara Initiative’s Identity and Access Services Work Group (IASWG)
Congratulations to John Tolbert, The Boeing Company & Gavin Illingworth, BMO Financial Group. Both gentlemen will serve as co-leading chairs for Kantara Initiative’s Identity and Access Services Work Group (IASWG).

As co-leading chairs, they received a majority of WG voting participants with all votes in favor of their appointment.  We look forward to the good work to come from this group.

You can review the use cases currently submitted to the IASWG in preparation for the Authorization Standards workshop at Burton Catalyst USA in San Diego July 27, 2010.


SAML 2.0 Full Matrix Test Event Registration Now Open

We are pleased to announce that registration is now open for the SAML 2.0 Full Matrix Test Event. The deadline for registration for this event is September 13, 2010.

Expanding on the highly successful Liberty Interoperable™ Program, the Kantara Initiative Interoperability Test Program is designed to certify interoperability of products and technologies across multiple identity-related protocols and standards, including SAML 2.0, InfoCard, OpenID, ID-WSF and elements of the WS-* stack (WS-Security, WS-Trust, WS-Federation).

The first Test Event scheduled to occur is the SAML 2.0 Full Matrix Test event. This event will reference the soon to come Kantara Initiative SAML 2.0 Test Plan, the eGovernment SAML Implementation Profile v2.0 and the eGovernment SAML Implementation Profile v1.5.

The test event will take place on-line starting September 20th and running through November 5th, 2010. The fee for this event is $16,000 USD. The Test Event will be operated by our partners the Drummond Group Incorporated.

Register for the event at our SAML 2.0 Test Event Registration page.

For details on the event and reference documents, visit the SAML 2.0 Full Matrix Event Details page.

For answers to questions regarding the SAML 2.0 Full Matrix Test Event send us an inquiry via our Contact Us form.

By taking part in this event participants will be further assuring market trust in the interoperability of their implementations through the Kantara Initiative Interoperability Certification Program. We look forward to your inquiries and participation.


June News Round-Up

Catch the round up of recent updates from Kantara Initiative:


Merger of Kantara’s IdP Selection WG into ULX WG

The Leadership Council has approved the merger of the IdP Selection Work Group into the Universal Login Experience (ULX) Work Group. Effective immediately, the IdP Selection Work Group has shut down; the workspace has been archived and the list serve is closed.

Philippe Clemement, Chair of the IdP Selection Work Group will continue to work with the ULX WG as co-chair alongside Michael Graves, Bob Morgan & Paul Trevithick.

We encourage you to join the ULX WG by simply completing the Group Participation Agreement here: http://signup.kantarainitiative.org/?selectedGroup=17. Please note the common charter reflects minor updates as noted here: http://kantarainitiative.org/confluence/display/ulx/Charter.

Thanks to those who contributed directly or indirectly to this great work around the IdP Selection concept. We look forward to continued participation in the ULX WG.


Kantara Initiative Announces Identity Assurance Framework 2.0

Piscataway, NJ 17 May 2010 – Kantara Initiative, a global identity consortium promoting technical interoperability and harmonization to grow trust in Identity and Identity Access Management standards, products, and service deployments, today announced approval of its Identity Assurance Framework (IAF) 2.0 as a formal Kantara Initiative Recommendation.

Building upon previous identity assurance efforts within the Electronic Authentication Partnership, Liberty Alliance Project, and now Kantara Initiative, the IAF 2.0 Recommendation is the prime work deliverable of Kantara Initiative’s Identity Assurance Working Group.
IAF 2.0 offers a standardized approach to define policies and practices for Credential Service Providers (CSPs), relying parties, and operators of federated identity networks to trust each other’s users and information transactions at known, commonly agreed upon levels of assurance. Built upon the 4 commonly accepted levels of assurance scaling from low (Assurance Level 1) to high (Assurance Level 4) risk contexts, IAF 2.0 offers a common set of rules that enables interoperability across programs.

Designed to be technology agnostic, no specific requirements for technology protocol use are defined by IAF 2.0 and, as such, this framework has the potential to catalyze a whole new marketplace in the identity management market.

“IAF 2.0 establishes the criteria for a harmonized, industry-recognized identity assurance standard,” said Frank Villavicencio, executive vice president, Identropy Inc., and Kantara Initiative Identity Assurance Work Group chair. “It is a Framework that provides clear definitions of identity assurance levels across various aspects of the identity lifecycle, which allows organizations to more easily federate.”

IAF 2.0 is available for adoption and may be profiled to provide additional requirements for specific industry verticals, regardless of their current technology deployment. IAF 2.0 Recommendation is publicly available from:
http://kantarainitiative.org/confluence/display/GI/Identity+Assurance+Framework+v2.0

“Kantara Initiative encourages governments, healthcare, financial services, and other vertical communities to adopt the Identity Assurance Framework 2.0 in an effort to build harmonization and trust across all major technology protocols and jurisdictional policy requirements worldwide,” offered Rich Furr, head, global regulatory affairs compliance, SAFE-BioPharma Association and Kantara Initiative Identity Assurance Working Group vice chair. “This approval of the Kantara Recommendation adds even more momentum to the growing adoption of IAF as the de facto common standard for establishing that trust.”

IAF 2.0 is comprised of a set of six documents that includes an overview publication, the IAF Glossary, a summary document on Assurance Levels, and an Assurance Assessment Scheme, which encompasses the associated assessment and certification program. There are also several subordinate documents, such as the Service Assessment Criteria, which establishes baseline criteria for general organizational conformity, identity proofing, credential strength, and credential management services against which all CSPs will be evaluated.
“Requiring Credential Service Providers to be certified through the Kantara Initiative Assurance Accreditation and Certification Program even further increases the level of trust in information transactions,” said Nigel Tedeschi, IdM and PKI solutions designer at British Telecommunications and Kantara Initiative Assurance Review Board chair.

About the Kantara Initiative Assurance Accreditation and Certification Program
The Kantara Initiative Identity Assurance Accreditation and Certification Program operationalizes the use of the IAF 2.0 so that organizations can adopt and certify end-user, CSP and Relying Party trust in services. It provides public and private sector organizations with a uniform means of relying on digital credentials issued by a variety of identity providers (credential service providers) in order to advance trusted identity and facilitate trusted public access to online services and information. Interoperability of e-authentication systems, mutual acceptance of rules, policies and supporting business processes is critical to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.

Kantara Initiative anticipates accrediting assessors (or auditors) and certifying CSPs deployed across industry lines using a wide variety of open/standard identity technology. For more information on the program or how to apply visit:
http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

About Kantara Initiative
Kantara Initiative is a global, open, public-private, technology-agnostic forum comprised of identity ecosystem stakeholders. Co-founded by Liberty Alliance, Internet Society, and the Information Card Foundation, among others, its inspired mission is to promote technical interoperability and harmonization; to develop policy frameworks for operational interoperability and; to provide certification and assessment programs to grow trust in the standards, products, and service deployments. Kantara Initiative freely provides the governance and resources whereby diverse members of the ecosystem successfully collaborate on a diverse portfolio of common policy frameworks, technical specifications and deployment guidelines driven by the identity community, industry and governments from around the world. For more information about getting involved in Kantara Initiative, visit www.kantarainitiative.org.

###

Media Contact
Michelle Hunt
Kantara Initiative
Michelle.Hunt@ieee-isto.org
+1 732 981-3434


Simplifying Assumptions for digital identity

Further to my recent post questioning whether Open Identity is really “open”.

Every endeavour needs simplifying assumptions.  Physicists, mathematicians and economists can only develop workable models of  the world by making assumptions (and documenting them).  Risk managers and lawyers make assumptions when crafting arrangements, leading to terms & conditions for use.

Modern identity  movements seem riddled with complicating generalisations … about trust assurance levels, identity providers etc.  This is not the language of customary business.  These concepts might appeal in the blogosphere but they tend to confuse conventional business people who are seeking to leverage the Internet primarily to make their operations faster and more efficient.

Let’s aim at characterising 90% of routine e-business, where the ROI is all about cost reductions from going paperless, efficiencies from digital delivery, and increased market share from reaching more customers.  These benefits are achievable with only incremental changes to work flows and business processes.

Assumption: There aren’t many total strangers in business

The core concern with ‘stranger-to-stranger’ e-business implicit in so much of the new identity work is misplaced.  E-commerce is mostly about automating routine transactions between parties that already know each other, or who have existing arrangements in communities of interest that confer authority.

In formulating digital identities, it’s important to recognise existing authorisations, and the Ts&Cs that govern traditional transactions, and to ensure that those authorisations etc. are faithfully represented online.  A minimal, lowest risk approach is to preserve existing business processes and liability arrangements as far as possible.

It’s often said that ‘technology is not the major challenge’ in going digital.  This is true.  The biggest cost in going digital is usually the change in business processes and legal arrangements necessitated by joining new parties in novel transactional arrangements.  Experience shows that simplicity is best; mature proven arrangements should not be changed unless there is a very good reason.

Assumption: There are no shades of grey

A major preoccupation in online identity frameworks is “assurance levels”.  The received wisdom has become entrenched: transactions are to be rated according to risk level, and authentication solutions are to be rated at matching “trust levels”.  I hypothesise that this frame originated in defence, where they think in terms of Protected, Secret, Top-Secret etc.  But I don’t see that it corresponds to any normal business reality.

In my view, when you transact with an authorised party, they are either qualified to deal, or they are not.  There are no shades of grey.  A person either has the necessary authority required to sign a prescription, or a Schedule 9 narcotics prescription, or an audit report, or a credit card transaction, or a P.O. for a company, or a property deed, or they do not.  In the context of each business transaction, possession of the appropriate credential is binary.

Consider an ATM.  If you inserted your frequent flyer card by mistake, then in theory the machine could try to negotiate with you to transact at some reduced “trust level”, maybe restricting you to balance-only transactions, or cutting your withdrawal limit.  But no, in practice we apply the simplifying assumption that all legitimate ATM customers must have a bank card.

For every ‘serious’ e-business transaction, at design time we work out what the appropriate form of authorisation is, and when we transact, all we need to do is check that the sender has that authorisation.  The business rules are simple, reasonably static, and as such can readily be written into the software.

Assumption: Relying Party and “Identity Issuer” are often the same

This simplifying assumption is offered in contrast to the generalisation central to the Identity Metasystem that Identity Providers are independent from Service Providers or Relying Parties. I understand this separation intellectually but I don’t see that it gets us very far in practice.

There is a widespread intuition that government agencies that today “issue identities” could cut costs (and increase usability) by using identities issued to their customers by other entities.  This seems to be the core driver behind the US Trust Framework Program.  I’ve been involved with numerous similar federation proposals, including the Australian banking sector “Trust Centre”.

The practical problem that sank the Trust Centre and others is that when you take an id outside of its original context, and try to make sense of it in other contexts, then you break the original Ts&Cs.  The id loses its meaning (a situation that is expressly acknowledged by Identity 2.0).  Worse, you undercut any risk analysis that was done on the issuance process.  If a bank doesn’t know how its customers are going to use their bank-issued ids, then how can the bank manage its risks?

This problem reminds me of one of the conundrums of early PKI: the lack of contractual “privity” between CAs and Relying Parties.  Many top legal minds struggled with this.  But in “closed PKI” the problem goes away, which is why closed PKI works and “open” doesn’t.

Open identity advocates might look to sophisticated assertion languages like XACML to provide the means for parties to negotiate risk and trust levels, but these real-time measures only work after designers, risk managers and lawyers have re-architected their systems and re-written their user agreements.  The sheer cost of re-engineering time-honoured risk management arrangements is a show stopper.

Assumption: There are no surprise credentials

This assumption is in contrast to the marketing claims made for one particular identity product that it allows you to “prove unanticipated properties of protected identity assertions”.  To solve this purported problem, novel zero knowledge proof algorithms have been developed.

The vast majority of identity assertions of interest in mainstream routine business are not in fact “unanticipated”.  When you go shopping, the merchant anticipates you will present a credit card number.  When you log onto the corporate network, the relevant identity assertion is anticipated to be your employee number.  When a doctor signs a prescription, the relevant assertion is their provider number.

In almost all cases, the transaction context pre-defines what identity assertion will be relevant, and you can arrange ahead of time for the parties to be equipped with the right credentials.  If you try to transact without the right credentials, then the software simply refuses you.  It’s exactly like a merchant saying “Sorry, we don’t accept American Express here”.  Yet a great deal of the open identity thinking caters for the idea that transacting parties have no prior arrangements, they haven’t anticipated what credentials are needed to support a transaction, and they will instead undertake some real time negotiation to establish sufficient “trust”.  It seems to be a huge (possibly unbounded) amount of effort, which is readily avoided by assuming ahead of time that only certain credentials and assertions are relevant to the transaction at hand.



© Copyright 2009 - Kantara Initiative. All Rights Reserved