[Wg-p3] Wg-p3 Digest, Vol 2, Issue 16

Patrick Curry patrick.curry at clarionidentity.com
Mon Aug 17 04:52:56 PDT 2009


Hi Robin

 

Level 3.  In the eyes of the USA, easy. FIPS 201 and SP800 spell out the
identity proofing and technical requirements. Key points:

- ID proofing.  US national - documents defined.  Non-US national -
must hold a NATO security clearance.  (This is for PIV-Interoperability, not
for PIV-Compliance)

- Technology.  FIPS 140/2 crypto.  Crypto coprocessor on the card
for encryption, signing etc.  Private keys generated on the card and never
leave. Legal requirement for non-repudiation is that the private keys are
never exposed.

 

Level 0.  Maybe I am missing the point.  Anonymity = no authentication.  The
internet is anonymous, there is no authentication (not talking about IP
tracking, traffic monitoring etc).  If there is authentication, then there
is no anonymity (although there may be pseudo-anonymity in Level 1).  If
there is anonymity, then there is no authentication. This is the home of the
Great Unwashed.  

 

So, is PayPal Level 0 or Level 1?  Answer depends on which judge you ask for
a search warrant or whether you are UBS.  Mmmm.

 

 

yours sincerely

 

Patrick

 

Patrick Curry

Director

Clarion Identity Ltd

M:   +44 786 024 9074

T:   +44 1980 620606

patrick.curry at clarionidentity.com 

Disclaimer

Internet communications are not secure and therefore Clarion Identity
Limited, Rock House, SP3 4JY does not accept legal responsibility for the
contents of this message. Any views or opinions presented are solely those
of the author and do not necessarily represent those of Clarion Identity
Limited unless otherwise specifically stated. If this message is received by
anyone other than the addressee, please notify the sender and then delete
the message and any attachments from your computer.

 

 

 

-----Original Message-----
From: Robin Wilton [mailto:futureidentity at fastmail.fm] 
Sent: 17 August 2009 11:50
To: Patrick Curry; Kantara P3WG
Subject: RE: Wg-p3 Digest, Vol 2, Issue 16

 

Hi Patrick -

Thanks for this. I'm not going to try and get into a substantive
argument/conclusions at this point - just going to agree that it is a
complex area and that we should, as a WG, at least aim to come up with a
clear and simple analysis of the issues associated with the various
LOAs.

For instance:

- LOA3 and non-repudiation; what are the actual requirements? What does
'non-repudiation' mean when one or both of the parties is a
government? Are banks actually evolving towards the use of digital
non-repudiation technologies, or are they still predominantly relying on
signed paper contracts when it comes to managing the risk of repudiated
transactions?

- LOA2 - again, I think your point raises very valid questions... what
is the right approach to credentials management when they are used to
access public services with a financial component?

- LOA1 - as I mentioned in other emails, is the case for any kind of
pseudonymous authentication compelling if the pay-off is a customised
web interface which persists from visit to visit...?

- LOA0 - These days, I don't think that 'no authentication' equates to
'anonymous access'... is that important, and if so, what do we think
needs to be done about it?

So, as I say, plenty of issues there, and a set of clear problem
statements would, I think, be a very valuable survey/position paper for
this group to produce.

Any thoughts?

Yrs.,
Robin

 

On Mon, 17 Aug 2009 10:33 +0100, "Patrick Curry"
<patrick.curry at clarionidentity.com> wrote:

> David and Susan
>
> I suggest we need to look at each perspective on its merits.  Lots of
> people may disagree with what I am about to say but here goes...
>
> Re: Level 3.  Level 3 dominates, due to its focus on legally robust
> non-repudiation, for most international secure collaboration in regulated
> industry supply chains and, increasingly, banking.  It is also starting
> to be recognised for gov-gov interactions.  Cross-certification is being
> discussed by the governments of CA, UK, AUS, NZ, FR, NL and Germany at a
> minimum, with potential for much more. I emphasise that this is for
> regulated industries and governments, and their employees.  This isn't
> about citizen interactions (yet).  With the publication of PIV-I in May 09
> and now the up-gunning of the Defense Industrial Base Cyber Security
> activities in several USG departments, so Level 3 and its implementations
> are becoming increasingly important for those that want to interoperate.
> My personal view is that this should form a major plank in the P3WG
> activities because (a) it is relevant to so much public policy, and (2) it
> raises privacy issues that are very different from the citizen space due
> to national security caveats (the authorities can ask more) and because of
> the vetting requirements, which dig deeper.  Personally, I am looking for
> help in this area and am tasked to get US and UK government people
> involved.  I have asked Judy Spencer to help here for US.
>
> Re: Level 2.  Anything of value in the citizen space, where visible
> authentication occurs and a financial liability model is appropriate,
> seems to sit at Level 2.  For USG, I have asked Dave Temoshok to help
> here.
>
> Re: Level 1.  M-0404 is not clear to me at this level.  I see this as
> being relevant for pseudo-anonymity, i.e. there is an authentication
> mechanism but the relying party doesn't know anything about that person
> except that they have been authenticated at some point - very relevant to
> various kinds of citizen internet activity.  I see this as very different
> to anonymity, which is Level 0.
>
> So, those of us concerned with organisational compliance and protecting
> organisational information will be focused on Level 3.  Those of us
> focused on privacy will probably focus more on Levels 1 and 2 (and Level
> 0??).  It would be helpful to know who is interested (and expert) on what
> area, rather than all trying to do everything.
>
> Lastly, some of the other Kantara groups are active in the above,
> particularly Level 03.  So we need to coordinate with them.
>
> Comments?
>
> Mr Chairman, over to you....
>
> yours sincerely
>
> Patrick
>
> Patrick Curry
> Director
> Clarion Identity Ltd
> M:   +44 786 024 9074
> T:   +44 1980 620606
> patrick.curry at clarionidentity.com


> 

> 

> 

> -----Original Message-----

> From: wg-p3-bounces at kantarainitiative.org

> [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of

> wg-p3-request at kantarainitiative.org

> Sent: 14 August 2009 22:34

> To: wg-p3 at kantarainitiative.org

> Subject: Wg-p3 Digest, Vol 2, Issue 16

> 

> Send Wg-p3 mailing list submissions to

>     wg-p3 at kantarainitiative.org

> 

> To subscribe or unsubscribe via the World Wide Web, visit

>     

> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

> 

> or, via email, send a message with subject or body 'help' to

>     wg-p3-request at kantarainitiative.org

> 

> You can reach the person managing the list at

>     wg-p3-owner at kantarainitiative.org

> 

> When replying, please edit your Subject line so it is more specific

> than "Re: Contents of Wg-p3 digest..."

> 

> 

> Today's Topics:

> 

>    1. Re: M04-04 levels (Weitzel, David S)

> 

> 

> ----------------------------------------------------------------------

> 

> Message: 1

> Date: Fri, 14 Aug 2009 17:33:48 -0400

> From: "Weitzel, David S" <dweitzel at mitre.org>

> Subject: Re: [Wg-p3] M04-04 levels

> To: "wg-p3 at kantarainitiative.org" <wg-p3 at kantarainitiative.org>

> Message-ID:

>     <F5830D8920D7BA4DB8BCFE1DC57164AC0347270C8C at IMCMBX2.MITRE.ORG>

> Content-Type: text/plain; charset="us-ascii"

> 

> Susan:
>
> I meant to say that level 3 is the 'broken part' and is what needs the
> attention of the community.  Paying too much attention to levels 1 & 2 is
> not necessarily a 'step backwards' but rather lower value application of
> the collective energy of the group.
>
> __
> David Weitzel, MS, JD, CIPP/G
> MITRE CIIS
> O-703.983.2639
> C-703.969.9740
> dweitzel at mitre.org

> 

> -----Original Message-----

> From: wg-p3-bounces at kantarainitiative.org

> [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of

> wg-p3-request at kantarainitiative.org

> Sent: Tuesday, August 11, 2009 11:25 AM

> To: wg-p3 at kantarainitiative.org

> Subject: Wg-p3 Digest, Vol 2, Issue 13

> 


> 

> 

> Today's Topics:

> 

>    1. Re: Preparation for USG Privacy Workshop (Aug 10th) (Susan Landau)

>    2. Re: Preparation for USG Privacy Workshop (Aug 10th)

>       (J. Trent Adams)

>    3. Re: Preparation for USG Privacy Workshop (Aug 10th) (j stollman)

> 

> 

> ----------------------------------------------------------------------

> 

> Message: 1

> Date: Tue, 11 Aug 2009 08:19:35 -0400

> From: Susan Landau <Susan.Landau at sun.com>

> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)

> To: Kantara P3WG <wg-p3 at kantarainitiative.org>

> Message-ID: <4A8161D7.8010806 at Sun.COM>

> Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> 

> On 08/11/09 07:48, Georgia Marsh wrote:
> > How was the meeting?
> >
> Divisive.  Here's my trip report.  Thanks for the info on US government
> SAML uses; that came up indirectly during the meeting but things were
> sufficiently heated that I dropped that in favor of asking some other,
> somewhat pointed, questions.  But thanks much for your help.  It was
> good to have that information in my back pocket if needed.
>
> Best,
>
> Susan
>
> Judy Spencer, who is the co-chair of the Identity Management and Access
> Management SC (special committee? signon committee?), ran the meeting.
> She sought to focus only on Level of Assurance 1, a decision that was
> objected to by many in the audience.
>
> Most of the attendees appeared to be members of the federal government
> and contractors.  There were very few privacy advocates in the room: one
> from EPIC, a junior person from CDT, no one from EFF.  I suspect this
> was due to too short notice (and in EFF's case, too expensive a plane
> flight from west coast).
>
> The morning was taken up with presentations by the various folks.  First
> Chris Louden of Protiviti, a federal contractor working on this
> initiative gave an overview, and made the point that for efficiency's
> sake, the government wanted to leverage work in the private sector.
> There had already been SAML profiles.  But OpenID had lots of traction
> and so the government was going to leverage that for Level of Assurance
> 1, where the government wanted to be able to identify the same user each
> time the same user turned up but without any need to tie identity to a
> particular person (so as to enable to return customized webpages, send
> updates to the user if an email had been supplied, etc.). Chris went
> through the privacy requirements for level 1, which included
> unlinkability of the user between different sites (something satisfied
> by OpenID 2.0 but not OpenID 1.0).
>
> This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and
> Drummond Reed doing a tag team on OpenID and InfoCard Foundations and
> Brett on Kantara.  The meeting was originally supposed to be on OpenID,
> InfoCard, and privacy issues but had broadened.   Don and Drummond spoke
> about OpenID 2.0 fulfilling the pseudonymity needs prescribed by the
> federal profiles and that OpenID had billions of users. They did not
> mention that it was OpenID 1.0 that had the large installed user base.
> At this point, I asked some questions.  I asked about the number of
> OpenID 2.0 users; this was not answered.  I asked about liability and
> didn't get an answer. Nonetheless it was useful to plant these issues
> for later discussion.
>
> The afternoon session was devoted to privacy and identity and that was
> the time for Q&A. Here I asked about extensibility, pointing out that in
> security you architect for the whole solution, then cut back as needed
> (and not the other way around) and that we will need identifiers for
> health care with much higher levels of assurance.  Chris Louden of
> Protiviti said that they understand the issue and they've got that
> covered.  At this point, various of the audience picked up the issue of
> extensibility strongly.
>
> Someone from MITRE spoke about the progress with level of assurance 3
> and 4 and how this was a step backwards.
>
> Don Schmidt of Microsoft said, "billions of burgers sold has nothing to
> do with reality."
>
> Jeff Stollman said that usability needs say that other levels influence
> level 1.0.  "You can't talk about level 1.0 separately from higher
> levels when you talk about usability"; you are making a huge mistake by
> using OpenID for level 1.0 when you can't do OpenID for higher levels.
> The audience resonated with this.
>
> Tony Nadlin (sp?) said "Why are you going the industry route?  Liability
> issues have not been addressed?  What is your emergency response
> initiative?  What is your liability initiative?"
>
> Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We want
> to enable technologies for people to use and OpenID is perfectly
> acceptable at level 1.0."
>
> Don Schmidt: Using OpenID is a really bad idea (this is a paraphrase).
> You're teaching people the wrong message about security. "If this is
> successful and if there's a disconnect between this and higher levels
> [because OpenID is not extensible for higher levels], in the end we
> haven't done a good thing."  I was surprised to see Microsoft speaking
> that way, but Schmidt was quite emphatic.
>
> I would say that by the end of the meeting, there was a great deal of
> dubiousness in the room concerning using OpenID even at level of
> assurance 1.  The agencies will have to implement, of course.  But the
> people there were clearly aware --- if they hadn't been earlier ---  of
> the problems with OpenID.
>
> ***********************************************************
> Susan Landau                     phone: 413-259-2018
> Distinguished Engineer           fax: 413-253-2156
>
>         Sun Microsystems Laboratories
>         MS UBUR02-311
>         35 Network Drive
>         Burlington MA 01803-0902
>         http://research.sun.com/people/slandau
>
>         susan.landau at sun.com
> ************************************************************

> 

> 

> 

> 

> 

> ------------------------------

> 

> Message: 2

> Date: Tue, 11 Aug 2009 09:43:13 -0400

> From: "J. Trent Adams" <jtrentadams at gmail.com>

> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)

> To: Susan.Landau at sun.com

> Cc: Kantara P3WG <wg-p3 at kantarainitiative.org>

> Message-ID: <4A817571.5050907 at gmail.com>

> Content-Type: text/plain; charset=ISO-8859-1

> 

> Susan -
>
> Excellent summary.  And great questions yesterday.
>
> All -
>
> To provide additional flavor to Susan's comments about usability, it was
> brought up many times throughout the day.  I would classify some of the
> issues as what could be called a contract with the users (i.e. setting
> their expectations and how to meet them).  While Judy and Chris tried to
> reinforce the focus on LOA 1, many saw a disconnect between the
> usability requirements of this pilot and what might come next with a
> higher ROI.
>
> Of note on this point, Judy made an interesting comment toward the end
> that I'm not sure is accurate (AFAIK).  She said that Don Thibeau had
> mentioned to her that while OpenID can't move beyond LOA 1 today, there
> are people in the OpenID community working on ways to address this soon.
>
> Also, Don was asked how much usability testing has taken place on
> OpenID.  While he did say that he assumes Google and Yahoo have done
> extensive testing on their own, he decided not to mention the report
> that came out earlier this year illustrating how OpenID integration
> decreases conversion rates.  His response was primarily that the pilot
> should be rolled out and be adjusted according to reactions.
>
> Significant questions were also raised about privacy relating to
> unintended self-exposure and masquerading.  Both issues were noted by
> Chris Louden as he said they were issues that hadn't been previously
> explored.
>
> In the end, none of the topics raised appeared to indicate the GSA/ICAM
> would slow down the pilot program to address them.
>
> It was also very interesting that in response to questions, Brett
> mentioned that Kantara has three groups working on or planning to work
> on the following issues that were brought up:
>
>  1. Usability
>  2. Certification
>  3. Privacy Assurance
>  4. Legal & Litigation
>
> It was clear to me that Kantara was the only represented group in the
> room positioned to deal across the board with the issues at the center
> of the discussion.  It might make sense to reach out to the attendees
> and invite them to participate in these activities.
>
> Finally, it might not be known to the group, but Kantara submitted its
> Trust Framework Process proposal to the GSA/ICAM on Friday.  So far,
> it's the only application they have received.
>
> - Trent

> 

> 


> 

> --

> J. Trent Adams

> =jtrentadams

> 

> Profile: http://www.mediaslate.org/jtrentadams/

> LinkedIN: http://www.linkedin.com/in/jtrentadams

> Twitter: http://twitter.com/jtrentadams

> 

> 

> 

> 

> ------------------------------

> 

> Message: 3

> Date: Tue, 11 Aug 2009 11:24:56 -0400

> From: j stollman <stollman.j at gmail.com>

> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)

> To: "J. Trent Adams" <jtrentadams at gmail.com>

> Cc: Susan.Landau at sun.com, Kantara P3WG <wg-p3 at kantarainitiative.org>

> Message-ID:

>         <c0f2bd590908110824g55de9626t6fe27313c07a1200 at mail.gmail.com>

> Content-Type: text/plain; charset="iso-8859-1"

> 

> All,
>
> There was a critical item that drove the meeting that was never spoken.
> Vivek Kundra, the new Federal CIO is adamant about the use of OpenID.  He
> brought it into consideration and he has forced it down the throats of
> the ICAM group.  As peons, they are marching to his drum.
>
> On the spoken side, Susan's line of questions established the tone for
> the controversy.
>
> Following the conference I sent a note to Mary Ruddy, a private sector
> identity advocate who is helping lead ICAM's integration with industry.
> In my note, I summarized my concerns about the meeting.  My comments to
> her follow:
>
>    1. I view the privacy issues of government access by the citizenry as
>    a systems problem.  While I understand and agree with the need to
>    "start somewhere" and to start with the easy victories first, I don't
>    think that pilots should begin until all of the system-wide issues
>    have been fully considered.  I believe that the issues of usability
>    have not been thoroughly considered.
>    2. One of the biggest concerns I have with usability is the need for
>    the government to act *in loco parentis* to help ensure that users of
>    the system don't expose themselves to privacy issues through their own
>    actions.  While a site like Facebook may take a Buyer Beware attitude,
>    the government needs to go a step further to prevent harm to its
>    subjects as a result of users' ignorance of the privacy and security
>    exposure that they will face.
>    3. The Government has many well thought-out regulations regarding
>    security and privacy, but these apply to the government; they do not
>    provide guidance to the external users of Government systems.  Looking
>    at security and privacy from the user perspective, the Government will
>    not only need to be able to provide instructions to users on how to
>    use Government sites (many of which may be obvious), but it will also
>    need to provide policy guidance to users.  For example, it would be my
>    recommendation that users be told to create an anonymous ID for
>    accessing government web sites at Level 1 and not use this ID for
>    other purposes.  As per the profile, correlation of government sites
>    will then be limited to information held only by the Identity Provider
>    and because the ID will not be used with other non-Government sites,
>    there will be no opportunity to correlate usage with them.
>    4. After consideration of usability, it may turn out to be a small
>    issue.  It may be determined that we can live with the problem of
>    having to retrain users.
>    5. This consideration should consist of at least two concerns:  (1)
>    user training and retraining and (2) scope creep.
>    6. The user training and retraining concern is whether it will be
>    difficult for non-computer-savvy users to understand and implement the
>    end-user policy guidance for Level 1 and then learn and apply new
>    guidance for other levels.  This could be tested using live people.
>    Such testing may already have been done by some of the large
>    commercial sites (Google, Facebook, Yahoo, AOL, AARP, etc.) and may be
>    available, without having to run new studies.
>    7. The scope creep concern is that agencies will begin adding
>    capabilities to their LoA 1 sites which start their migration to
>    higher levels of assurance.  I believe it was Naomi Leftkovitz from
>    the Federal Trade Commission who suggested that this is already a
>    wide-spread practice in Federal agencies.  This practice can be
>    measured and needs to be measured before LoA 1 can be isolated from
>    the systems problem.
>    8. If either of these concerns turns out to be valid, then I would
>    recommend adding another vetting constraint to your technology screen
>    mechanism:  technologies must be readily extensible to higher levels
>    of assurance.  Should this be the case, OpenID would not make the cut.
>    9. Another problem I had with the session in general yesterday is that
>    I had the sense that the Level 1 acceptance of OpenID, SAML, and
>    Information Cards was a *fait accompli*.  In the session, itself,
>    there did not seem to be any resistance to OpenID and SAML.  But there
>    was a lot of concern about OpenID.
>    10. I also recognize that OpenID is being pushed from the very top.
>    But the reason it is being pushed is based on a fallacious argument:
>    that the Government should use OpenID because it is already
>    ubiquitous. But OpenID 2.0 is not ubiquitous.  In fact, the director
>    of the OpenID Foundation admits to not having a clue how many OpenID
>    2.0 users there are.  What is ubiquitous is OpenID 1.0 which everyone
>    agrees does not meet the Government's standards.  I have no axes to
>    grind against OpenID or Don Thibeau (whose integrity and honesty I
>    highly respect).  But in my gut, I do not believe that OpenID warrants
>    consideration until the issues noted in 6 and 7 above have been fully
>    considered.
>
> Jeff

> 

> 

> 

> On Tue, Aug 11, 2009 at 9:43 AM, J. Trent Adams

> <jtrentadams at gmail.com>wrote:

> 

> > Susan -

> >

> > Excellent summary.  And great questions yesterday.

> >

> > All -

> >

> > To provide additional flavor to Susan's comments about usability, it was

> > brought up many times throughout the day.  I would classify some of the

> > issues as what could be called a contract with the users (i.e. setting

> > their expectations and how to meet them).  While Judy and Chris tried to

> > reinforce the focus on LOA 1, many saw a disconnect between the

> > usability requirements of this pilot and what might come next with a

> > higher ROI.

> >

> > Of note on this point, Judy made an interesting comment toward the end

> > that I'm not sure is accurate (AFAIK).  She said that Don Thibeau had

> > mentioned to her that while OpenID can't move beyond LOA 1 today, there

> > are people in the OpenID community working on ways to address this soon.

> >

> > Also, Don was asked how much usability testing has taken place on

> > OpenID.  While he did say that he assumes Google and Yahoo have done

> > extensive testing on their own, he decided not to mention the report

> > that came out earlier this year illustrating how OpenID integration

> > decreases conversion rates.  His response was primarily that the pilot

> > should be rolled out and be adjusted according to reactions.

> >

> > Significant questions were also raised about privacy relating to

> > unintended self-exposure and masquerading.  Both issues were noted by

> > Chris Louden as he said they were issues that hadn't been previously

> > explored.

> >

> > In the end, none of the topics raised appeared to indicate the GSA/ICAM

> > would slow down the pilot program to address them.

> >

> > It was also very interesting that in response to questions, Brett

> > mentioned that Kantara has three groups working on or planning to work

> > on the following issues that were brought up:

> >

> >  1. Usability

> >  2. Certification

> >  3. Privacy Assurance

> >  4. Legal & Litigation

> >

> > It was clear to me that Kantara was the only represented group in the

> > room positioned to deal across the board with the issues at the center

> > of the discussion.  It might make sense to reach out to the attendees

> > and invite them to participate in these activities.

> >

> > Finally, it might not be known to the group, but Kantara submitted its

> > Trust Framework Process proposal to the GSA/ICAM on Friday.  So far,

> > it's the only application they have received.

> >

> > - Trent

> >

> >

> > Susan Landau wrote:

> > > On 08/11/09 07:48, Georgia Marsh wrote:

> > >> How was the meeting?

> > >>

> > > Divisive.  Here's my trip report.  Thanks for the info on US

> > > government SAML uses; that came up indirectly during the meeting but

> > > things were sufficiently heated that I dropped that in favor of asking

> > > some other, somewhat pointed, questions.  But thanks much for your

> > > help.  It was good to have that information in my back pocket if needed.

> > >

> > > Best,

> > >

> > > Susan

> > >

> > > Judy Spencer, who is the co-chair of the Identity Management and

> > > Access Management SC (special committee? signon committee?), ran the

> > > meeting.  She sought to focus only on Level of Assurance 1, a decision

> > > that was objected to by many in the audience.

> > >

> > > Most of the attendees appeared to be members of the federal government

> > > and contractors.  There were very few privacy advocates in the room:

> > > one from EPIC, a junior person from CDT, no one from EFF.  I suspect

> > > this was due to too short notice (and in EFF's case, too expensive a

> > > plane flight from west coast).

> > >

> > > The morning was taken up with presentations by the various folks.

> > > First Chris Louden of Protiviti, a federal contractor working on this

> > > initiative gave an overview, and made the point that for efficiency's

> > > sake, the government wanted to leverage work in the private sector.

> > > There had already been SAML profiles.  But OpenID had lots of traction

> > > and so the government was going to leverage that for Level of

> > > Assurance 1, where the government wanted to be able to identify the

> > > same user each time the same user turned up but without any need to

> > > tie identity to a particular person (so as to enable to return

> > > customized webpages, send updates to the user if an email had been

> > > supplied, etc.). Chris went through the privacy requirements for level

> > > 1, which included unlinkability of the user between different sites

> > > (something satisfied by OpenID 2.0 but not OpenID 1.0).

> > >

> > > This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and

> > > Drummond Reed doing a tag team on OpenID and InfoCard Foundations and

> > > Brett on Kantara.  The meeting was originally supposed to be on

> > > OpenID, InfoCard, and privacy issues but had broadened.   Don and

> > > Drummond spoke about OpenID 2.0 fulfilling the pseudonymity needs

> > > prescribed by the federal profiles and that OpenID had billions of

> > > users. They did not mention that it was OpenID 1.0 that had the large

> > > installed user base.

> > > At this point, I asked some questions.  I asked about the number of

> > > OpenID 2.0 users; this was not answered.  I asked about liability and

> > > didn't get an answer. Nonetheless it was useful to plant these issues

> > > for later discussion.

> > >

> > > The afternoon session was devoted to privacy and identity and that was

> > > the time for Q&A. Here I asked about extensibility, pointing out that

> > > in security you architect for the whole solution, then cut back as

> > > needed (and not the other way around) and that we will need

> > > identifiers for health care with much higher levels of assurance.

> > > Chris Louden of Protiviti said that they understand the issue and

> > > they've got that covered.  At this point, various of the audience

> > > picked up the issue of extensibility strongly.

> > >

> > > Someone from MITRE spoke about the progress with level of assurance 3

> > > and 4 and how this was a step backwards.

> > >

> > > Don Schmidt of Microsoft said, "billions of burgers sold has nothing

> > > to do with reality."

> > >

> > > Jeff Stollman said that usability needs say that other levels

> > > influence level 1.0.  "You can't talk about level 1.0 separately from

> > > higher levels when you talk about usability"; you are making a huge

> > > mistake by using OpenID for level 1.0 when you can't do OpenID for

> > > higher levels. The audience resonated with this.

> > >

> > > Tony Nadlin (sp?) said "Why are you going the industry route?

> > > Liability issues have not been addressed?  What is your emergency

> > > response initiative?  What is your liability initiative?"

> > >

> > > Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We

> > > want to enable technologies for people to use and OpenID is perfectly

> > > acceptable at level 1.0."

> > >

> > > Don Schmidt: Using OpenID is a really bad idea (this is a

> > > paraphrase).  You're teaching people the wrong message about security.

> > > "If this is successful and if there's a disconnect between this and

> > > higher levels [because OpenID is not extensible for higher levels], in

> > > the end we haven't done a good thing."  I was surprised to see

> > > Microsoft speaking that way, but Schmidt was quite emphatic.

> > >

> > > I would say that by the end of the meeting, there was a great deal of

> > > dubiousness in the room concerning using OpenID even at level of

> > > assurance 1.  The agencies will have to implement, of course.  But the

> > > people there were clearly aware --- if they hadn't been earlier ---

> > > of the problems with OpenID.

> > >

> > > ***********************************************************

> > > Susan Landau                     phone: 413-259-2018

> > > Distinguished Engineer           fax: 413-253-2156

> > >

> > >        Sun Microsystems Laboratories

> > >        MS UBUR02-311

> > >        35 Network Drive

> > >        Burlington MA 01803-0902

> > >        http://research.sun.com/people/slandau

> > >

> > >        susan.landau at sun.com

> > > ************************************************************

> > >

> > >

> > >

> > > _______________________________________________

> > > Wg-p3 mailing list

> > > Wg-p3 at kantarainitiative.org

> > >

> > > http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

> >

> > --

> > J. Trent Adams

> > =jtrentadams

> >

> > Profile: http://www.mediaslate.org/jtrentadams/

> > LinkedIN: http://www.linkedin.com/in/jtrentadams

> > Twitter: http://twitter.com/jtrentadams

> >

> >


> >

> 

> 

> 

> --

> Jeff Stollman

> stollman.j at gmail.com

> 1 202.683.8699


Robin Wilton

 

Director, Future Identity

Director of Privacy and Public Policy, Liberty Alliance

 

 

www.futureidentity.eu

+44 (0)705 005 2931

====================================================================

Structured consulting on digital identity, privacy and public policy

====================================================================

Future Identity is a limited company number 6777002, registered in England &
Wales

 
