[Wg-p3] Wg-p3 Digest, Vol 2, Issue 16

Richard Baker-Donnelly richard at baker-donnelly.org
Mon Aug 17 05:52:19 PDT 2009


 
Robin,

I have not been tracking the background conversations that have been going
on, but this is my current thinking on the cross over between this group,
consumer identity and VPI.

We need to be clear here: are we attempting to define our own LOA or review
the existing proposed LOA eg NIST 800-63, UK Cabinet Office (UKCO) and the
existing work from Liberty and then start to look at the gaps eg the
authentication technologies, attribute assurance and then non repudiation?

We need to remember that NIST LOA start at 1 and UKCO LOA start at 0 so when
the US are talking about Level 1 they are talking about UKCO level 0.
Although this is something we are probably all aware of it gets lost in the
debate.

As for the discussion about appropriate technologies, ie the use of OpenID:
there should be nothing wrong with using OpenID as one protocol, for example
in a multi protocol hub, but users and SPs have to realise that it should not
be used above LOA1 (on the scale below).

It could be that the "identity" that is being authenticated was created to
the standards of LOA3; it is just that the user in this context is using a
weaker technology, either because that is all that is required by the SP or
that is all the SP is willing to support.

There is also the use case where I log in to a resource with a credential at
LOA1 and get a different level of access/security than if I logged in with
LOA3.  This might be because I am in a situation where I don't want to or
cannot use my LOA3 credential.

We need to be talking about identity usage as a set of LOA for each aspect
(building on the UKCO model of Registration, Authentication,
Status/Attribute.)

We are going to have to accept that an identity usage is going to be a
composite of LOA that will change through its lifecycle.

We need to differentiate between the strength of an identity when it is
created, when it is used and when it is modified.

So for example I may:

Create an identity and

* Register at LOA 3, ie it was a face to face process eg I showed a certain
number of official documents for my home address, activity in the community
etc
* Create credentials at LOA3 (eg SAML + Smartcard) and LOA1 (OpenId or SAML
+ UN/PW) 
* Register a status or attributes for:
	Professional Accreditation  LOA2 
	Preference for Coffee over Tea LOA1

The implication of this is that:

1) For any SP that requires LOA3 registration of Professional Accreditation
the registered identity would not be sufficient for use for authorisation
purposes regardless of the credentials used.  (eg to update a patient's
clinical records)
2) That if I authenticated a session using an LOA1 credential I would not be
able to use my Professional Accreditation for authorisation purposes but
could if I authenticated with the LOA3 credential.
3) I would only be able to "upgrade" my LOA for Professional Accreditation if
I was authenticated at LOA3 when presenting the relevant documentary
evidence.

So we could start describing identity and attributes as triplets eg "332"
(ie Registration LOA3, Authentication LOA3, Attribute LOA2), but also SP
minimum requirements as "333", "332" or "110".

We need to get beyond current SAML vs OpenID debate!

As we move to VPI (Volunteered Personal Information) Systems the ability to
represent and understand the rules by which a *granular* LOA can be used
and manipulated will become increasingly important.

Richard
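The composite-LOA triplet and the three implications sketched in the message above, worked through as an added example (not code from the post or from any Kantara deliverable). The class and function names are hypothetical, the identity data is constructed from the message's own example, and the rule that an attribute cannot be relied on above the session's authentication LOA is this example's reading of points (2) and (3).

```python
# Added example, not from the mailing-list post: a small model of the
# composite-LOA idea in the message above. An identity carries a triplet
# (Registration, Authentication, Attribute), written e.g. "332", and a
# service provider (SP) states its minimum as a triplet such as "333" or
# "110". Names are hypothetical; capping an asserted attribute at the
# session's authentication LOA is this example's reading of points (2)-(3).
from dataclasses import dataclass


@dataclass(frozen=True)
class Loa:
    """One LOA triplet; components are 0..4 (UKCO runs 0-3, NIST 1-4)."""
    registration: int
    authentication: int
    attribute: int

    @classmethod
    def parse(cls, text: str) -> "Loa":
        """Parse the message's shorthand, e.g. "332" -> Loa(3, 3, 2)."""
        if len(text) != 3 or not text.isdigit():
            raise ValueError(f"LOA triplet must be three digits: {text!r}")
        r, a, t = (int(c) for c in text)
        if max(r, a, t) > 4:
            raise ValueError(f"LOA component out of range: {text!r}")
        return cls(r, a, t)

    def __str__(self) -> str:
        return f"{self.registration}{self.authentication}{self.attribute}"

    def satisfies(self, minimum: "Loa") -> bool:
        """Componentwise comparison against an SP's minimum triplet."""
        return (self.registration >= minimum.registration
                and self.authentication >= minimum.authentication
                and self.attribute >= minimum.attribute)


def ukco_to_nist(level: int) -> int:
    """Per the message, NIST LOA starts at 1 where UKCO starts at 0."""
    return level + 1


@dataclass
class Identity:
    """Registration LOA is fixed at creation; each credential and each
    registered attribute carries its own LOA (the 'composite')."""
    registration_loa: int
    credentials: dict   # credential name -> LOA of that authentication method
    attributes: dict    # attribute name -> LOA at which it was registered


def effective_loa(identity: Identity, credential: str, attribute: str) -> Loa:
    """Triplet for one session: the authentication LOA is that of the
    credential actually presented, and an attribute is relied on no higher
    than the session's authentication LOA (assumption modelling point 2)."""
    auth = identity.credentials[credential]
    attr = min(identity.attributes.get(attribute, 0), auth)
    return Loa(identity.registration_loa, auth, attr)


def authorise(identity: Identity, credential: str, attribute: str,
              sp_minimum: str) -> bool:
    """Would an SP whose minimum is sp_minimum accept this session?"""
    session = effective_loa(identity, credential, attribute)
    return session.satisfies(Loa.parse(sp_minimum))


def upgrade_attribute(identity: Identity, credential: str, attribute: str,
                      new_loa: int) -> None:
    """Point 3: raising an attribute's LOA needs a session authenticated at
    or above the target LOA; otherwise the upgrade is refused."""
    session_loa = identity.credentials[credential]
    if session_loa < new_loa:
        raise PermissionError(f"upgrade of {attribute!r} to LOA{new_loa} "
                              f"refused in an LOA{session_loa} session")
    identity.attributes[attribute] = new_loa


def richard_example() -> Identity:
    """The identity sketched in the message (constructed sample data)."""
    return Identity(
        registration_loa=3,
        credentials={"SAML+Smartcard": 3, "OpenID": 1, "SAML+UN/PW": 1},
        attributes={"Professional Accreditation": 2,
                    "Preference for Coffee over Tea": 1},
    )


if __name__ == "__main__":
    me = richard_example()
    acc = "Professional Accreditation"
    for cred in ("SAML+Smartcard", "OpenID"):
        for sp_min in ("333", "332", "110"):
            ok = authorise(me, cred, acc, sp_min)
            print(f"{cred:15} session {effective_loa(me, cred, acc)} "
                  f"vs SP minimum {sp_min}: {'accept' if ok else 'reject'}")
    # Point 3: the upgrade would raise PermissionError in an OpenID session
    upgrade_attribute(me, "SAML+Smartcard", acc, 3)
    print("after upgrade:", authorise(me, "SAML+Smartcard", acc, "333"))
```

Running it shows point (1): no credential gets the "333" SP to accept until the accreditation itself is re-registered at LOA3 in an LOA3 session.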




 



----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Aug 2009 11:49:32 +0100
From: "Robin Wilton" <futureidentity at fastmail.fm>
Subject: Re: [Wg-p3] Wg-p3 Digest, Vol 2, Issue 16
To: "Patrick Curry" <patrick.curry at clarionidentity.com>, "Kantara
	P3WG"	<wg-p3 at kantarainitiative.org>
Message-ID: <1250506172.16732.1330192091 at webmail.messagingengine.com>
Content-Type: text/plain; charset="ISO-8859-1"

Hi Patrick - 

Thanks for this. I'm not going to try and get into a substantive
argument/conclusions at this point - just going to agree that it is a
complex area and that we should, as a WG, at least aim to come up with a
clear and simple analysis of the issues associated with the various LOAs.

For instance:

- LOA3 and non-repudiation; what are the actual requirements? What does
'non-repudiation' mean when one or both of the parties is a government?
Are banks actually evolving towards the use of digital non-repudiation
technologies, or are they still predominantly relying on signed paper
contracts when it comes to managing the risk of repudiated transactions?

- LOA2 - again, I think your point raises very valid questions... what is
the right approach to credentials management when they are used to access
public services with a financial component?

- LOA1 - as I mentioned in other emails, is the case for any kind of
pseudonymous authentication compelling if the pay-off is a customised web
interface which persists from visit to visit...?

- LOA0 - These days, I don't think that 'no authentication' equates to
'anonymous access'... is that important, and if so, what do we think needs
to be done about it?


So, as I say, plenty of issues there, and a set of clear problem statements
would, I think, be a very valuable survey/position paper for this group to
produce.

Any thoughts?


Yrs.,
Robin

On Mon, 17 Aug 2009 10:33 +0100, "Patrick Curry"
<patrick.curry at clarionidentity.com> wrote:
> David and Susan
> 
> I suggest we need to look at each perspective on its merits.  Lots of 
> people may disagree with what I am about to say but here goes...
> 
> Re: Level 3.  Level 3 dominates, due to its focus on legally robust 
> non-repudiation, for most international secure collaboration in 
> regulated industry supply chains and, increasingly, banking.  It is 
> also starting to be recognised for gov-gov interactions.  
> Cross-certification is being discussed by the governments of CA, UK, 
> AUS, NZ, FR, NL and Germany at a minimum, with potential for much 
> more. I emphasise that this is for regulated industries and 
> governments, and their employees.  This isn't about citizen 
> interactions (yet).  With the publication of PIV-I in May 09 and now 
> the up-gunning of the Defense Industrial Base Cyber Security 
> activities in several USG departments, so Level 3 and its 
> implementations are becoming increasingly important for those that 
> want to interoperate.  My personal view is that this should form a 
> major plank in the P3WG activities because
> (a) it is relevant to so much public policy, and (b) it raises privacy 
> issues that are very different from the citizen space due to national 
> security caveats (the authorities can ask more) and because of the 
> vetting requirements, which dig deeper.  Personally, I am looking for 
> help in this area and am tasked to get US and UK government people 
> involved.  I have asked Judy Spencer to help here for US.
> 
> Re: Level 2.  Anything of value in the citizen space, where visible 
> authentication occurs and a financial liability model is appropriate, 
> seems to sit at Level 2.  For USG, I have asked Dave Temoshok to help 
> here.
> 
> Re: Level 1.  M-0404 is not clear to me at this level.  I see this as 
> being relevant for pseudo-anonymity, i.e. there is an authentication 
> mechanism but the relying party doesn't know anything about that 
> person except that they have been authenticated at some point - very 
> relevant to various kinds of citizen internet activity.  I see this as 
> very different to anonymity, which is Level 0.
> 
> So, those of us concerned with organisational compliance and 
> protecting organisational information will be focused on Level 3.  
> Those of us focused on privacy will probably focus more on Levels 1 
> and 2 (and Level 0??).  It would be helpful to know who is interested 
> (and expert) on what area, rather than all trying to do everything.
> 
> Lastly, some of the other Kantara groups are active in the above, 
> particularly Level 03.  So we need to coordinate with them.
> 
> Comments?
> 
> Mr Chairman, over to you....
> 
> 
> yours sincerely
> 
> Patrick
> 
> Patrick Curry
> Director
> Clarion Identity Ltd
> M: +44 786 024 9074
> T: +44 1980 620606
> patrick.curry at clarionidentity.com
> Disclaimer
> Internet communications are not secure and therefore Clarion 
> Identity Limited, Rock House, SP3 4JY does not accept legal 
> responsibility for the contents of this message. Any views or opinions 
> presented are solely those of the author and do not necessarily 
> represent those of Clarion Identity Limited unless otherwise 
> specifically stated. If this message is received by anyone other than 
> the addressee, please notify the sender and then delete the message 
> and any attachments from your computer.
> 
> 
> 
> -----Original Message-----
> From: wg-p3-bounces at kantarainitiative.org
> [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of 
> wg-p3-request at kantarainitiative.org
> Sent: 14 August 2009 22:34
> To: wg-p3 at kantarainitiative.org
> Subject: Wg-p3 Digest, Vol 2, Issue 16
> 
> Today's Topics:
> 
>    1. Re: M04-04 levels (Weitzel, David S)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 14 Aug 2009 17:33:48 -0400
> From: "Weitzel, David S" <dweitzel at mitre.org>
> Subject: Re: [Wg-p3] M04-04 levels
> To: "wg-p3 at kantarainitiative.org" <wg-p3 at kantarainitiative.org>
> Message-ID:
> 	<F5830D8920D7BA4DB8BCFE1DC57164AC0347270C8C at IMCMBX2.MITRE.ORG>
> Content-Type: text/plain; charset="us-ascii"
> 
> Susan:
> 
> I meant to say that level 3 is the 'broken part' and is what needs the 
> attention of the community.  Paying too much attention to levels 1 & 2 
> is not necessarily a 'step backwards' but rather lower value 
> application of the collective energy of the group.
> 
> __
> David Weitzel, MS, JD, CIPP/G
> MITRE CIIS
> O-703.983.2639
> C-703.969.9740
> dweitzel at mitre.org
> 
> -----Original Message-----
> From: wg-p3-bounces at kantarainitiative.org
> [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of 
> wg-p3-request at kantarainitiative.org
> Sent: Tuesday, August 11, 2009 11:25 AM
> To: wg-p3 at kantarainitiative.org
> Subject: Wg-p3 Digest, Vol 2, Issue 13
> 
> Today's Topics:
> 
>    1. Re: Preparation for USG Privacy Workshop (Aug 10th) (Susan Landau)
>    2. Re: Preparation for USG Privacy Workshop (Aug 10th)
>       (J. Trent Adams)
>    3. Re: Preparation for USG Privacy Workshop (Aug 10th) (j stollman)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 11 Aug 2009 08:19:35 -0400
> From: Susan Landau <Susan.Landau at sun.com>
> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)
> To: Kantara P3WG <wg-p3 at kantarainitiative.org>
> Message-ID: <4A8161D7.8010806 at Sun.COM>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 08/11/09 07:48, Georgia Marsh wrote:
> > How was the meeting?
> >
> Divisive.  Here's my trip report.  Thanks for the info on US 
> government SAML uses; that came up indirectly during the meeting but 
> things were sufficiently heated that I dropped that in favor of asking 
> some other, somewhat pointed, questions.  But thanks much for your 
> help.  It was good to have that information in my back pocket if needed.
> 
> Best,
> 
> Susan
> 
> Judy Spencer, who is the co-chair of the Identity Management and 
> Access Management SC (special committee? signon committee?), ran the 
> meeting.  She sought to focus only on Level of Assurance 1, a decision 
> that was objected to by many in the audience.
> 
> Most of the attendees appeared to be members of the federal government 
> and contractors.  There were very few privacy advocates in the room: 
> one from EPIC, a junior person from CDT, no one from EFF.  I suspect 
> this was due to too short notice (and in EFF's case, too expensive a 
> plane flight from west coast).
> 
> The morning was taken up with presentations by the various folks.  
> First Chris Louden of Protiviti, a federal contractor working on this 
> initiative gave an overview, and made the point that for efficiency's 
> sake, the government wanted to leverage work in the private sector.
> There had already been SAML profiles.  But OpenID had lots of traction 
> and so the government was going to leverage that for Level of 
> Assurance 1, where the government wanted to be able to identify the 
> same user each time the same user turned up but without any need to 
> tie identity to a particular person (so as to enable returning 
> customized webpages, sending updates to the user if an email had been 
> supplied, etc.). Chris went through the privacy requirements for level 
> 1, which included unlinkability of the user between different sites 
> (something satisfied by OpenID 2.0 but not OpenID 1.0).
> 
> This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and 
> Drummond Reed doing a tag team on OpenID and InfoCard Foundations and 
> Brett on Kantara.  The meeting was originally supposed to be on OpenID,
> InfoCard, and privacy issues but had broadened.   Don and Drummond spoke
> about OpenID 2.0 fulfilling the pseudonymity needs prescribed by the 
> federal profiles and that OpenID had billions of users. They did not 
> mention that it was OpenID 1.0 that had the large installed user base.
> At this point, I asked some questions.  I asked about the number of 
> OpenID 2.0 users; this was not answered.  I asked about liability and 
> didn't get an answer. Nonetheless it was useful to plant these issues 
> for later discussion.
> 
> The afternoon session was devoted to privacy and identity and that was 
> the time for Q&A. Here I asked about extensibility, pointing out that 
> in security you architect for the whole solution, then cut back as 
> needed (and not the other way around) and that we will need 
> identifiers for health care with much higher levels of assurance.  
> Chris Louden of Protiviti said that they understand the issue and 
> they've got that covered.  At this point, various of the audience 
> picked up the issue of extensibility strongly.
> 
> Someone from MITRE spoke about the progress with level of assurance 3 
> and 4 and how this was a step backwards.
> 
> Don Schmidt of Microsoft said, "billions of burgers sold has nothing 
> to do with reality."
> 
> Jeff Stollman said that usability needs say that other levels 
> influence level 1.0.  "You can't talk about level 1.0 separately from 
> higher levels when you talk about usability"; you are making a huge 
> mistake by using OpenID for level 1.0 when you can't do OpenID for 
> higher levels.  The audience resonated with this.
> 
> Tony Nadlin (sp?) said "Why are you going the industry route?  
> Liability issues have not been addressed?  What is your emergency 
> response initiative?  What is your liability initiative?"
> 
> Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We 
> want to enable technologies for people to use and OpenID is perfectly 
> acceptable at level 1.0."
> 
> Don Schmidt: Using OpenID is a really bad idea (this is a paraphrase).
> You're teaching people the wrong message about security. "If this is 
> successful and if there's a disconnect between this and higher levels 
> [because OpenID is not extensible for higher levels], in the end we 
> haven't done a good thing."  I was surprised to see Microsoft speaking 
> that way, but Schmidt was quite emphatic.
> 
> I would say that by the end of the meeting, there was a great deal of 
> dubiousness in the room concerning using OpenID even at level of 
> assurance 1.  The agencies will have to implement, of course.  But the 
> people there were clearly aware --- if they hadn't been earlier ---  
> of the problems with OpenID.
> 
> ***********************************************************
> Susan Landau                     phone: 413-259-2018
> Distinguished Engineer           fax: 413-253-2156
> 
>         Sun Microsystems Laboratories
>         MS UBUR02-311
>         35 Network Drive
>         Burlington MA 01803-0902
>         http://research.sun.com/people/slandau
> 
>         susan.landau at sun.com
> ************************************************************
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 11 Aug 2009 09:43:13 -0400
> From: "J. Trent Adams" <jtrentadams at gmail.com>
> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)
> To: Susan.Landau at sun.com
> Cc: Kantara P3WG <wg-p3 at kantarainitiative.org>
> Message-ID: <4A817571.5050907 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Susan -
> 
> Excellent summary.  And great questions yesterday.
> 
> All -
> 
> To provide additional flavor to Susan's comments about usability, it 
> was brought up many times throughout the day.  I would classify some 
> of the issues as what could be called a contract with the users (i.e. 
> setting their expectations and how to meet them).  While Judy and 
> Chris tried to reinforce the focus on LOA 1, many saw a disconnect 
> between the usability requirements of this pilot and what might come 
> next with a higher ROI.
> 
> Of note on this point, Judy made an interesting comment toward the end 
> that I'm not sure is accurate (AFAIK).  She said that Don Thibeau had 
> mentioned to her that while OpenID can't move beyond LOA 1 today, 
> there are people in the OpenID community working on ways to address 
> this soon.
> 
> Also, Don was asked how much usability testing has taken place on 
> OpenID.  While he did say that he assumes Google and Yahoo have done 
> extensive testing on their own, he decided not to mention the report 
> that came out earlier this year illustrating how OpenID integration 
> decreases conversion rates.  His response was primarily that the pilot 
> should be rolled out and be adjusted according to reactions.
> 
> Significant questions were also raised about privacy relating to 
> unintended self-exposure and masquerading.  Both issues were noted by 
> Chris Louden as he said they were issues that hadn't been previously 
> explored.
> 
> In the end, none of the topics raised appeared to indicate the 
> GSA/ICAM would slow down the pilot program to address them.
> 
> It was also very interesting that in response to questions, Brett 
> mentioned that Kantara has three groups working on or planning to work 
> on the following issues that were brought up:
> 
>  1. Usability
>  2. Certification
>  3. Privacy Assurance
>  4. Legal & Litigation
> 
> It was clear to me that Kantara was the only represented group in the 
> room positioned to deal across the board with the issues at the center 
> of the discussion.  It might make sense to reach out to the attendees 
> and invite them to participate in these activities.
> 
> Finally, it might not be known to the group, but Kantara submitted 
> its Trust Framework Process proposal to the GSA/ICAM on Friday.  So 
> far, it's the only application they have received.
> 
> - Trent
> 
> 
> 
> --
> J. Trent Adams
> =jtrentadams
> 
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 11 Aug 2009 11:24:56 -0400
> From: j stollman <stollman.j at gmail.com>
> Subject: Re: [Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)
> To: "J. Trent Adams" <jtrentadams at gmail.com>
> Cc: Susan.Landau at sun.com, Kantara P3WG <wg-p3 at kantarainitiative.org>
> Message-ID:
>         <c0f2bd590908110824g55de9626t6fe27313c07a1200 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> All,
> 
> There was a critical item that drove the meeting that was never spoken.
> Vivek Kundra, the new Federal CIO is adamant about the use of OpenID.  
> He brought it into consideration and he has forced it down the throats 
> of the ICAM group.  As peons, they are marching to his drum.
> 
> On the spoken side, Susan's line of questions established the tone for 
> the controversy.
> 
> Following the conference I sent a note to Mary Ruddy, a private sector 
> identity advocate who is helping lead ICAM's integration with industry.
> In my note, I summarized my concerns about the meeting.  My comments to 
> her follow:
> 
>    1. I view the privacy issues of government access by the citizenry as
>    a systems problem.  While I understand and agree with the need to
>    "start somewhere" and to start with the easy victories first, I don't
>    think that pilots should begin until all of the system-wide issues
>    have been fully considered.  I believe that the issues of usability
>    have not been thoroughly considered.
>    2. One of the biggest concerns I have with usability is the need for
>    the government to act *in loco parentis* to help ensure that users of
>    the system don't expose themselves to privacy issues through their
>    own actions.  While a site like Facebook may take a Buyer Beware
>    attitude, the government needs to go a step further to prevent harm
>    to its subjects as a result of users' ignorance of the privacy and
>    security exposure that they will face.
>    3. The Government has many well thought-out regulations regarding
>    security and privacy, but these apply to the government; they do not
>    provide guidance to the external users of Government systems.
>    Looking at security and privacy from the user perspective, the
>    Government will not only need to be able to provide instructions to
>    users on how to use Government sites (many of which may be obvious),
>    but it will also need to provide policy guidance to users.  For
>    example, it would be my recommendation that users be told to create
>    an anonymous ID for accessing government web sites at Level 1 and not
>    use this ID for other purposes.  As per the profile, correlation of
>    government sites will then be limited to information held only by the
>    Identity Provider and because the ID will not be used with other
>    non-Government sites, there will be no opportunity to correlate usage
>    with them.
>    4. After consideration of usability, it may turn out to be a small
>    issue.  It may be determined that we can live with the problem of
>    having to retrain users.
>    5. This consideration should consist of at least two concerns:  (1)
>    user training and retraining and (2) scope creep.
>    6. The user training and retraining concern is whether it will be
>    difficult for non-computer-savvy users to understand and implement
>    the end-user policy guidance for Level 1 and then learn and apply new
>    guidance for other levels.  This could be tested using live people.
>    Such testing may already have been done by some of the large
>    commercial sites (Google, Facebook, Yahoo, AOL, AARP, etc.) and may
>    be available, without having to run new studies.
>    7. The scope creep concern is that agencies will begin adding
>    capabilities to their LoA 1 sites which start their migration to
>    higher levels of assurance.  I believe it was Naomi Leftkovitz from
>    the Federal Trade Commission who suggested that this is already a
>    wide-spread practice in Federal agencies.  This practice can be
>    measured and needs to be measured before LoA 1 can be isolated from
>    the systems problem.
>    8. If either of these concerns turns out to be valid, then I would
>    recommend adding another vetting constraint to your technology screen
>    mechanism:  technologies must be readily extensible to higher levels
>    of assurance.  Should this be the case, OpenID would not make the cut.
>    9. Another problem I had with the session in general yesterday is
>    that I had the sense that the Level 1 acceptance of OpenID, SAML, and
>    Information Cards was a *fait accompli*.  In the session, itself,
>    there did not seem to be any resistance to OpenID and SAML.  But
>    there was a lot of concern about OpenID.
>    10. I also recognize that OpenID is being pushed from the very top.
>    But the reason it is being pushed is based on a fallacious argument:
>    that the Government should use OpenID because it is already
>    ubiquitous. But OpenID 2.0 is not ubiquitous.  In fact, the director
>    of the OpenID Foundation admits to not having a clue how many OpenID
>    2.0 users there are.  What is ubiquitous is OpenID 1.0 which everyone
>    agrees does not meet the Government's standards.  I have no axes to
>    grind against OpenID or Don Thibeau (whose integrity and honesty I
>    highly respect).  But in my gut, I do not believe that OpenID
>    warrants consideration until the issues noted in 6 and 7 above have
>    been fully considered.
> 
> Jeff
> 
> 
> 
> On Tue, Aug 11, 2009 at 9:43 AM, J. Trent Adams
> <jtrentadams at gmail.com>wrote:
> 
> > Susan -
> >
> > Excellent summary.  And great questions yesterday.
> >
> > All -
> >
> > To provide additional flavor to Susan's comments about usability, it 
> > was brought up many times throughout the day.  I would classify some 
> > of the issues as what could be called a contract with the users 
> > (i.e. setting their expectations and how to meet them).  While Judy 
> > and Chris tried to reinforce the focus on LOA 1, many saw a 
> > disconnect between the usability requirements of this pilot and what 
> > might come next with a higher ROI.
> >
> > Of note on this point, Judy made an interesting comment toward the 
> > end that I'm not sure is accurate (AFAIK).  She said that Don 
> > Thibeau had mentioned to her that while OpenID can't move beyond LOA 
> > 1 today, there are people in the OpenID community working on ways to
> > address this soon.
> >
> > Also, Don was asked how much usability testing has taken place on 
> > OpenID.  While he did say that he assumes Google and Yahoo have done 
> > extensive testing on their own, he decided not to mention the report 
> > that came out earlier this year illustrating how OpenID integration 
> > decreases conversion rates.  His response was primarily that the 
> > pilot should be rolled out and be adjusted according to reactions.
> >
> > Significant questions were also raised about privacy relating to 
> > unintended self-exposure and masquerading.  Both issues were noted 
> > by Chris Louden as he said they were issues that hadn't been 
> > previously explored.
> >
> > In the end, none of the topics raised appeared to indicate the 
> > GSA/ICAM would slow down the pilot program to address them.
> >
> > It was also very interesting that in response to questions, Brett 
> > mentioned that Kantara has three groups working on or planning to 
> > work on the following issues that were brought up:
> >
> >  1. Usability
> >  2. Certification
> >  3. Privacy Assurance
> >  4. Legal & Litigation
> >
> > It was clear to me that Kantara was the only represented group in 
> > the room positioned to deal across the board with the issues at the 
> > center of the discussion.  It might make sense to reach out to the 
> > attendees and invite them to participate in these activities.
> >
> > Finally, it might not be known to the group, but Kantara submitted 
> > it's Trust Framework Process proposal to the GSA/ICAM on Friday.  So 
> > far, it's the only application they have received.
> >
> > - Trent
> >
> >
> > Susan Landau wrote:
> > > On 08/11/09 07:48, Georgia Marsh wrote:
> > >> How was the meeting?
> > >>
> > > Divisive.  Here's my trip report.  Thanks for the info on US 
> > > government SAML uses; that came up indirectly during the meeting 
> > > but things were sufficiently heated that I dropped that in favor 
> > > of asking some other, somewhat pointed, questions.  But thanks 
> > > much for your help.  It was good to have that information in my back
> > > pocket if needed.
> > >
> > > Best,
> > >
> > > Susan
> > >
> > > Judy Spencer, who is the co-chair of the Identity Management and 
> > > Access Management SC (special committee? signon committee?), ran 
> > > the meeting.  She sought to focus only on Level of Assurance 1, a 
> > > decision that was objected to by many in the audience.
> > >
> > > Most of the attendees appeared to be members of the federal 
> > > government and contractors.  There were very few privacy advocates in
> > > the room:
> > > one from EPIC, a junior person from CDT, no one from EFF.  I 
> > > suspect this was due to too short notice (and in EFF's case, too 
> > > expensive a plane flight from west coast).
> > >
> > > The morning was taken up with presentations by the various folks.
> > > First Chris Louden of Protiviti, a federal contractor working on 
> > > this initiative gave an overview, and made the point that for 
> > > efficiency's sake, the government wanted to leverage work in the
> > > private sector.
> > > There had already been SAML profiles.  But OpenID had lots of 
> > > traction and so the government was going to leverage that for 
> > > Level of Assurance 1, where the government wanted to be able to 
> > > identify the same user each time the same user turned up but
> > > without any need to tie identity to a particular person (so as to
> > > enable returning customized webpages, sending updates to the user if
> > > an email had been supplied, etc.). Chris went through the privacy
> > > requirements for level 1, which included unlinkability of the user
> > > between different sites (something satisfied by OpenID 2.0 but not
> > > OpenID 1.0).
> > >
> > > This was followed by a panel: Bob Morgan on InCommon, Don Thibeau
> > > and Drummond Reed doing a tag team on OpenID and InfoCard
> > > Foundations and Brett on Kantara.  The meeting was originally
> > > supposed to be on OpenID, InfoCard, and privacy issues but had
> > > broadened.  Don and Drummond spoke about OpenID 2.0 fulfilling the
> > > pseudonymity needs prescribed by the federal profiles and that OpenID
> > > had billions of users.  They did not mention that it was OpenID 1.0
> > > that had the large installed user base.
> > > At this point, I asked some questions.  I asked about the number 
> > > of OpenID 2.0 users; this was not answered.  I asked about 
> > > liability and didn't get an answer. Nonetheless it was useful to 
> > > plant these issues for later discussion.
> > >
> > > The afternoon session was devoted to privacy and identity and that 
> > > was the time for Q&A. Here I asked about extensibility, pointing 
> > > out that in security you architect for the whole solution, then 
> > > cut back as needed (and not the other way around) and that we will
> > > need identifiers for health care with much higher levels of assurance.
> > > Chris Louden of Protiviti said that they understand the issue and 
> > > they've got that covered.  At this point, various of the audience 
> > > picked up the issue of extensibility strongly.
> > >
> > > Someone from MITRE spoke about the progress with level of 
> > > assurance 3 and 4 and how this was a step backwards.
> > >
> > > Don Schmidt of Microsoft said, "billions of burgers sold has 
> > > nothing to do with reality."
> > >
> > > Jeff Stollman said that usability needs say that other levels 
> > > influence level 1.0.  "You can't talk about level 1.0 separately 
> > > from higher levels when you talk about usability"; you are making 
> > > a huge mistake by using OpenID for level 1.0 when you can't do 
> > > OpenID for higher levels. The audience resonated with this.
> > >
> > > Tony Nadlin (sp?) said "Why are you going the industry route?
> > > Liability issues have not been addressed?  What is your emergency 
> > > response initiative?  What is your liability initiative?"
> > >
> > > Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We 
> > > want to enable technologies for people to use and OpenID is 
> > > perfectly acceptable at level 1.0."
> > >
> > > Don Schmidt: Using OpenID is a really bad idea (this is a 
> > > paraphrase).  You're teaching people the wrong message about security.
> > > "If this is successful and if there's a disconnect between this 
> > > and higher levels [because OpenID is not extensible for higher 
> > > levels], in the end we haven't done a good thing."  I was 
> > > surprised to see Microsoft speaking that way, but Schmidt was quite
> > > emphatic.
> > >
> > > I would say that by the end of the meeting, there was a great deal 
> > > of dubiousness in the room concerning using OpenID even at level 
> > > of assurance 1.  The agencies will have to implement, of course.  
> > > But the people there were clearly aware --- if they hadn't been 
> > > earlier --- of the problems with OpenID.
> > >
> > > ***********************************************************
> > > Susan Landau                     phone: 413-259-2018
> > > Distinguished Engineer           fax: 413-253-2156
> > >
> > >        Sun Microsystems Laboratories
> > >        MS UBUR02-311
> > >        35 Network Drive
> > >        Burlington MA 01803-0902
> > >        http://research.sun.com/people/slandau
> > >
> > >        susan.landau at sun.com
> > > ************************************************************
> > >
> > >
> > >
> > > _______________________________________________
> > > Wg-p3 mailing list
> > > Wg-p3 at kantarainitiative.org
> > >
> > http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org
> >
> > --
> > J. Trent Adams
> > =jtrentadams
> >
> > Profile: http://www.mediaslate.org/jtrentadams/
> > LinkedIN: http://www.linkedin.com/in/jtrentadams
> > Twitter: http://twitter.com/jtrentadams
> >
> >
> 
> 
> 
> --
> Jeff Stollman
> stollman.j at gmail.com
> 1 202.683.8699
> 
> 
Robin Wilton

Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance


www.futureidentity.eu
+44 (0)705 005 2931
====================================================================
Structured consulting on digital identity, privacy and public policy
====================================================================
Future Identity is a limited company number 6777002, registered in England & Wales




------------------------------

_______________________________________________
Wg-p3 mailing list
Wg-p3 at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org


End of Wg-p3 Digest, Vol 2, Issue 18
************************************