[WG-UMA] Authentication and moving money

Thomas Hardjono identity at hardjono.net
Thu Dec 16 10:26:28 EST 2010


Kevin,

This is an interesting use-case. I have a bunch of questions (and
curiosities):

(a) Who would operate the AMs in Australia?  And can the user choose
which AM to select from?

(b) Would an AM be the spring-board to various other government
services, (such as Medicare, Tax, Driver's license, etc) as well as
other government-related private services (eg, Medical (HCF, Medibank,
etc)).

(c) Is there some "trust framework" that the SuperID will be using
(eg. one from the OpenID exchange)?

cheers,

/thomas/


__________________________


--From: wg-uma-bounces at kantarainitiative.org
[mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Kevin Cox
Sent: Wednesday, December 15, 2010 6:37 PM
To: wg-uma at kantarainitiative.org
Subject: [WG-UMA] Authentication and moving money

I have been following as best I can the working group whose work will
be of use to our organisation and would like to share with you a top
level description of our application and some ideas on where we think
UMA fits into our application.

We have just signed our first contract to deliver "SuperID" to
Australia's largest superannuation (pension) fund. A top level
description of what SuperID will achieve is attached. 

In UMA terms I believe the SuperID is an instance of an authentication
manager but with some important additions.  

1. Each instance of a SuperID is controlled by the individual
themselves. That is the authentication manager is the person. 
2. The authentication manager has memory.  The authentication
remembers its previous actions and so while it might take a little
longer to do a first request, then following requests become much
simpler.

SuperID itself uses OpenID to service usercode/passwords.

We believe the system will be resistant to fraud attacks because to
succeed an intruder has to take over the whole SuperID and cannot
incrementally attack a person by taking over a person's account in one
super fund.   It turns out this approach is also privacy friendly.

>From an implementation point of view we do not have to get industry
agreement for the industry to federate their identities.  Each Super
Fund will individually decide if they want to use SuperIDs for their
clients - but as the advantages are significant for those that adopt a
SuperID then we expect takeup to be quite rapid once it is
demonstrated to be working.

It is our intention to introduce other "IDs".  We are working on
OrganisationID where the organisation has multiple business units.
 The first one will be a bank which has at last count about 12
different businesses all with their own IDs.  Another one is GamingID
for competing online sports betting organisations. The main advantage
for them will be to share their black listed clients.

We have gone the route of multiple IDs - first because it is saleable
- but second because it fits in with the way the world works.  We each
have our own separate IDs and we really do not want our HealthID to be
confused with our GamingID.

We see many other organisations offering ID services along similar
lines and we see the work of UMA as providing a framework within which
different suppliers of IDs (like all the people who provide SuperIDs)
can communicate with each other.  A person should only have ONE
SuperID and so that means there needs to be some agreement on the
exchange of information between AMs. I think, when this happens, that
it will be the main way we will use UMA.

I know this is a "distraction" from the great work you are doing but I
hope you find it interesting.

Kevin Cox


-- 
0413961090
Home +61 2 62410647
Fax +61 2 6103 0144

http://www.linkedin.com/in/kevinrosscox



More information about the WG-UMA mailing list