[KI-LC] Action Item 6b - United Identities (UI) paper - are we interested? - LC call 4th August

Colin Wallis Colin.Wallis at dia.govt.nz
Thu Aug 19 18:01:12 EDT 2010


All good points Bob.

In NZ Gov we are not fans of PKI with personal certificates in consumer-land, but that doesn't take away anything from the thrust of your point about strong auth alternatives, which I agree with.

<<I'm not sure what you mean by Kantara "taking this forward."  Does that mean Kantara would contribute financially to this?  If the NASPO experience is any indicator, that might be difficult.  Although I have to say, under the right circumstances I can see this initiative as helping the Consumer Identity WG achieve its goals.  So if I can contribute to the ongoing discussions as a member of the UI working group, count me in.>>

Indeed that is the question, and KI's involvement could be somewhere on a continuum of depth/commitment.

At the lower end of that continuum might be support for establishing a KI work group to take it forward.  I guess that was my feeling about where we might be open to an approach (should UI wish to approach KI with that proposal) because, as you rightly point out, it would appear to dovetail quite nicely into projects we are already working on.

Cheers
Colin

From: lc-bounces at kantarainitiative.org [mailto:lc-bounces at kantarainitiative.org] On Behalf Of Bob Pinheiro
Sent: Friday, 20 August 2010 9:38 a.m.
To: lc at kantarainitiative.org
Subject: Re: [KI-LC] Action Item 6b - United Identities (UI) paper - are we interested? - LC call 4th August

Colin,

In principle, the idea of an initiative focused on providing strong authentication to help prevent identity fraud is good.  However, if this initiative is going to truly help I think it's going to have to involve stakeholders from businesses in which identity fraud causes the most severe losses.  For instance, financial services.  There is plenty of financial fraud going on as a result of weak authentication, including "account hijackings" in which fraudsters break into online bank accounts and drain the money, identity theft resulting from stolen personal information in which new credit accounts are established, as well as bogus credit card charges resulting from stolen cc numbers.  Stronger authentication could help prevent these, and possibly the UI initiative could help.

However, I don't see anyone from the financial industry listed in the UI working group.  The UI working group is made up of technologists, some of whom represent universities, which is not really where the high value identity theft is.  I think it's critical to get some stakeholders from financial institutions involved, and probably also healthcare organizations such as health information exchanges (since medical identity theft is growing).   There are plenty of alternatives already available for doing strong authentication, but they haven't really caught on, at least at the consumer and small-business level.  So I think UI needs to get the right stakeholders on board at the beginning.

Another point is that I don't think the initiative should be focused solely on Yubikey, or on one-time passwords.  I'm not sure that it does, but I'd like to see other strong auth technologies included, such as PKI (that is, use of a personal certificate coupled with a private key, residing on a portable device that would be easy for consumers to use).  This wouldn't necessarily have to involve SSL and client-side certificates, but maybe could involve a SAML assertion from an IdP once the user has authenticated to the IdP using public/private key crypto interactions.

I'm not sure what you mean by Kantara "taking this forward."  Does that mean Kantara would contribute financially to this?  If the NASPO experience is any indicator, that might be difficult.  Although I have to say, under the right circumstances I can see this initiative as helping the Consumer Identity WG achieve its goals.  So if I can contribute to the ongoing discussions as a member of the UI working group, count me in.

Bob

On 8/18/2010 12:19 AM, Colin Wallis wrote:
Greetings all

Armed with the Minutes of the last meeting, I am now working through some actions.

Many of you are aware of this work to a greater or lesser extent, and you'll see some familiar names:-)

Kantara is mentioned specifically.

So this email is to ask you to review the proposal outlined in this paper, and respond to the list with your view on whether Kantara is interested to take this forward (should UI approach Kantara of course).

Thanks in advance for your input.

Cheers
Colin



====
CAUTION:  This email message and any attachments contain information that may be confidential and may be LEGALLY PRIVILEGED. If you are not the intended recipient, any use, disclosure or copying of this message or attachments is strictly prohibited. If you have received this email message in error please notify us immediately and erase all copies of the message and attachments. Thank you.
====


