[WG-UMA] Authentication and moving money

Kevin Cox kevin.cox at edentiti.com
Wed Dec 15 18:37:22 EST 2010

I have been following as best I can the working group whose work will be of
use to our organisation and would like to share with you a top level
description of our application and some ideas on where we think UMA fits
into our application.

We have just signed our first contract to deliver "SuperID" to Australia's
largest superannuation (pension) fund. A top level description of what
SuperID will achieve is attached.

In UMA terms I believe the SuperID is an instance of an authentication
manager but with some important additions.

   1. Each instance of a SuperID is controlled by the individual themselves.
   That is, the authentication manager is the person.
   2. The authentication manager has memory.  The authentication manager
   remembers its previous actions, and so while it might take a little longer
   to do a first request, the following requests become much simpler.

SuperID itself uses OpenID to service usercode/passwords.

We believe the system will be resistant to fraud attacks because to succeed
an intruder has to take over the whole SuperID and cannot incrementally
attack a person by taking over a person's account in one super fund.  It
turns out this approach is also privacy friendly.

From an implementation point of view we do not have to get industry
agreement for the industry to federate their identities.  Each Super Fund
will individually decide if they want to use SuperIDs for their clients -
but as the advantages are significant for those that adopt a SuperID, we
expect take-up to be quite rapid once it is demonstrated to be working.

It is our intention to introduce other "IDs".  We are working on
OrganisationID where the organisation has multiple business units.  The
first one will be a bank which has at last count about 12 different
businesses all with their own IDs.  Another one is GamingID for competing
online sports betting organisations. The main advantage for them will be to
share their black listed clients.

We have gone the route of multiple IDs - first because it is saleable - but
second because it fits in with the way the world works.  We each have our
own separate IDs and we really do not want our HealthID to be confused with
our GamingID.

We see many other organisations offering ID services along similar lines and
we see the work of UMA as providing a framework within which different
suppliers of IDs (like all the people who provide SuperIDs) can communicate
with each other.  A person should only have ONE SuperID and so that means
there needs to be some agreement on the exchange of information between AMs.
I think, when this happens, that it will be the main way we will use UMA.

I know this is a "distraction" from the great work you are doing but I hope
you find it interesting.

Kevin Cox

Home +61 2 62410647
Fax +61 2 6103 0144
