[Wg-p3] Conference call reminder: Thursday 20th August

Bob Pinheiro kantara at bobpinheiro.com
Mon Aug 17 10:07:08 PDT 2009

I think there are several issues that need to be resolved (not 
necessarily on this call) as the various WGs push forward with their work:

1.  The discussion of Levels of Assurance on the P3W list mixes up two 
schemes for defining LoA: the NIST 800-63 / OMB04-04 scheme which uses 
LoA 1 - 4, and which was adapted by Kantara in defining its Identity 
Assurance Framework, and the British scheme defined in the UK Cabinet 
Office document "Identity Risk Management for e-Government Services", 
which uses LoA 0-3.  Although these two schemes are roughly equivalent, 
they are not exactly the same in terms of identity proofing 
requirements, types of credentials required at the various LoAs, etc..  
So I think some decision needs to be made as to how to deal with this 
situation.  In further discussions involving LoA, is reference being 
made to the NIST/Kantara IAF scheme or the UK scheme?    Do we feel that 
a new LoA scheme is needed which somehow combines the two, or otherwise 
incorporates changes the WG believes are necessary?  Do we need to 
evaluate and better understand the differences between the two schemes 
before deciding how to answer these questions?

2.  One of the topics that is coming up in the email discussions is the 
appropriate LoAs for consumer-related applications.  In the Consumer 
Identity WG, a working assumption is that the types of consumer identity 
issues that are of most importance, and that the WG should be dealing 
with, come into play at "high assurance" levels, or at NIST LoA 3.  
Although there is not that much difference between NIST LoAs 2 and 3 in 
terms of how identity proofing is done (the main differences have to do 
with how the supporting identity information/documentation is verified), 
there is a big difference in terms of identity credentialing required.  
At NIST LoA 2, a password alone is sufficient for authentication to an 
identity provider, whereas at NIST LoA 3, the IAF requires 
authentication based on either a one-time password or a cryptographic 
key.  Too often consumer applications (in the US) are considered to be 
at NIST LoA 2, which absolves the relying parties of having to deal with 
the fact that consumers generally do not have authentication tokens 
appropriate for NIST LoA 3 (that is, OTP generators or crypto keys).  
One of the challenges for us (at least IMO), and for the Consumer 
Identity WG in particular, is how we can create an identity ecosystem 
that enables consumers to authenticate themselves using high assurance 
identity tokens (ie, OTP generators or crypto keys).  This may be 
different in the UK and other parts of the world, so addressing these 
differences in an organization such as Kantara will be a challenge.

3.  Regarding the user interface issue and the use of OpenID at the 
higher assurance levels, there is a perception that OpenId is 
inappropriate at these higher assurance levels.  In the case where an 
identity assertion is required from an OpenID identity provider that 
asserts something about the consumer's identity, this may indeed be 
true.  However, there are other cases where the relying party doesn't 
need to actually establish the consumer's identity each time the 
consumer accesses some high-value online resource, but instead what is 
required is to authenticate that the person seeking access is the same 
person who initially enrolled.  For instance, when logging into an 
online banking service, what's needed is to verify that the person 
seeking access is the person who initially enrolled (whose identity was 
presumably verified at that time).  So in that case, OpenID may be 
appropriate, as long as the OpenID is bound to the account during 
enrollment, and subsequent authentication using the OpenID is based on 
something stronger than a password (ie, a OTP or crypto key).  But then 
there's the user interface issue.  Will consumers be confused if OpenID 
is required for some situations, but other identity technologies such as 
Information Cards are used in other cases?

I've raised a number of points here that I think are also relevant to 
other WGs such as the Identity Assurance WG, Consumer Identity WG, and 
the (proposed) User Login Experience WG. 


Bob Pinheiro
Chair, Consumer Identity WG
kantara at bobpinheiro.com

Robin Wilton wrote:
> Greetings -
> A quick reminder that we have our next conf-call coming up on Thursday 
> Aug 20th, at 16:00 BST (08:00 PST, 11:00 EST, 17:00 CET). Can I 
> request that a P3WG member of the Japan WG/DG please contact me by 
> email, so that we can plan for a possible sync-up or liaison session 
> in Las Vegas?
> Here are the dial-in numbers, which you can also find via the P3WG 
> home page, here 
> <http://kantarainitiative.org/confluence/display/p3wg/Home>.
>     * US/Canada toll-free number:  1.866.305.1460
>     * Direct dial (toll) number: +1.416.620.1296
>     * Attendee Code: 9247530
>     * International toll-free numbers:
>           o UK: 0800 917 5847
>           o Netherlands: 08002659007
>           o Belgium: 080079491
>           o Japan: 00531160345
> Draft agenda (suggestions/contributions welcome):
> 1 - Re-cap of 10th August meeting at GSA (Washington DC) on US plans 
> for C2G authentication;
> 2 - Matters arising from (1); P3WG and authentication policy in a 
> multi-LoA environment. It's clear that this is a complex topic, but 
> also that P3WG members have a lot of relevant expertise and detailed 
> knowledge. I suggest we should look at what the group could to do 
> define and produce something which sums up the problem area clearly 
> and simply, and offers practical guidance to stakeholders. Our aim 
> should be to produce something which reflects the perspectives of a 
> broad range of stakeholders, and provides policymakers with 
> appropriate input to their decision-making in this area.
> I would like to reach a conclusion, by the end of the call, as to 
> whether the Group wishes to define a work item here, and if so whether 
> anyone would volunteer to draft a high-level work plan (scope, goals, 
> description of deliverables) in time for the Las Vegas meetings.
> 3 - Planning for the Kantara plenaries in Las Vegas: review the 
> conference time-table and room allocation. Current agenda is visible 
> online here 
> <http://kantarainitiative.org/confluence/display/GI/Kantara+Initiative+Conferences>.
> 4 - Nominations for Vice Chair and Secretary
> 5 - Stand-in arrangements for September 3rd conference call (RW not 
> available...).
> I look forward to a productive call on Thursday.
> With best wishes -
> Robin
> Robin Wilton
> Director, Future Identity
> Director of Privacy and Public Policy, Liberty Alliance
> www.futureidentity.eu
> +44 (0)705 005 2931
> ====================================================================
> Structured consulting on digital identity, privacy and public policy
> ====================================================================
> Future Identity is a limited company number 6777002, registered in England & Wales
> ------------------------------------------------------------------------
> _______________________________________________
> Wg-p3 mailing list
> Wg-p3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-p3_kantarainitiative.org/attachments/20090817/b4eb038f/attachment-0001.html>

More information about the Wg-p3 mailing list