[KI-LC] Action Item 6b - United Identities (UI) paper - are we interested? - LC call 4th August

Bob Pinheiro kantara at bobpinheiro.com
Thu Aug 19 17:37:47 EDT 2010


In principle, the idea of an initiative focused on providing strong 
authentication to help prevent identity fraud is good.  However, if this 
initiative is going to truly help cut costs related to identity fraud, I 
think it's going to have to involve stakeholders from businesses in 
which identity fraud causes the most severe losses.  For instance, 
financial services.  There is plenty of financial fraud going on as a 
result of weak authentication, including "account hijackings" in which 
fraudsters break into online bank accounts and drain the money, identity 
theft resulting from stolen personal information in which new credit 
accounts are established, as well as bogus credit card charges resulting 
from stolen cc numbers.  Stronger authentication could help prevent 
these, and possibly the UI initiative could help.

However, I don't see anyone from the financial industry listed in the UI 
working group.  The UI working group is made up of technologists, some 
of whom represent universities, which is not really where the high value 
identity theft is.  I think it's critical to get some stakeholders from 
financial institutions involved, and probably also healthcare 
organizations such as health information exchanges (since medical 
identity theft is growing).   There are plenty of alternatives already 
available for doing strong authentication, but they haven't really 
caught on, at least at the consumer and small-business level.  So I 
think UI needs to get the right stakeholders on board at the beginning.

Another point is that I don't think the initiative should be focused 
solely on Yubikey, or on one-time passwords.  I'm not sure that it does, 
but I'd like to see other strong auth technologies included, such as PKI 
(that is, use of a personal certificate coupled with a private key, 
residing on a portable device that would be easy for consumers to use).  
This wouldn't necessarily have to involve SSL and client-side 
certificates, but maybe could involve a SAML assertion from an IdP once 
the user has authenticated to the IdP using public/private key crypto.

I'm not sure what you mean by Kantara "taking this forward."  Does that 
mean Kantara would contribute financially to this?  If the NASPO 
experience is any indicator, that might be difficult.  Although I have 
to say, under the right circumstances I can see this initiative as 
helping the Consumer Identity WG achieve its goals.  So if I can 
contribute to the ongoing discussions as a member of the UI working 
group, count me in.


On 8/18/2010 12:19 AM, Colin Wallis wrote:
> Greetings all
> Armed with the Minutes of the last meeting, I am now working through 
> some actions.
> Many of you are aware of this work to a greater or lesser extent, and 
> you'll see some familiar names:-)
> Kantara is mentioned specifically.
> So this email is to ask you to review the proposal outlined in this 
> paper, and respond to the list with your view on whether Kantara is 
> interested to take this forward (should UI approach Kantara of course).
> Thanks in advance for your input.
> Cheers
> Colin
