Date post: | 08-Jul-2015 |
Category: |
Documents |
Upload: | guestbd878c |
View: | 605 times |
Download: | 2 times |
Consumer Identity:
a Dutch Perspective on Benefits,
Issues and Next Steps
Maarten Wegdam, Novay
European Identity Conference 2010
6 May 2010, Munich
Novay?
• Dutch ICT research institute
• Formerly Telematica Instituut
• Innovation projects
• Networked innovation
• Independent, not-for-profit
• ~55 researchers, multi-disciplinary
• Customers include financial sector,
government and semi-government
2
The consumer identity problem
An old problem
3
The user Service provider
• High trust is too expensive
• People forget passwords
• Lack of (validated) attributes
• Low conversion
An old (?) solutionexternalize the identity with an identity provider
(authentication + attributes)
Why not (really) here yet?
4
Three big reasons
market
entry
issues
lack of
trust in
IdP
privacy
issues
Market entry issue
5
100% coverage of consumers
Chicken-egg
• Identity-providers vs relying parties
• Not any more for basic trust (?)
Unclear value chain
Trust and privacy issues
Don’t trust your identity provider!
• Security risk
• Business continuity risk
• Privacy risk
Reduce the need to trust the identity provider
• Through technical means, when possible …
• By making the identity provider ‘behave’
• Through laws
• Through competition
• By agreeing on a set of rules
6
7
Making the IdP behave and the
role of government
Decreasing regulation:
Note: models 1 to 3 require some form of
monopoly or regulator
Government issued
Government regulated
Trust framework
Free market (tech standard)
A trust framework
A set of rules that all players agree upon
To have more trust and a healthy ecosystem
• New identity providers can join
• Easy assess for RPs (scalability)
• Balancing interests between IdPs, RPs and users
• Privacy assurances
• Governance / audits
8
A Dutch perspective
• E-government solution (DigiD) cannot be
used in the private sector
• A basic-trust initiative: OpenIDplus.nl
• A high-trust initiative: cidSafe
9
+
OpenIDplus.nl trust framework
• Basic trust consumer-2-business identity
• Based on OpenID
• Subgoals
• Improve interoperability, security & privacy (somewhat)
• Set of rules for IdPs, and RPs, to increase trust
• Governance
• Standardize per-attribute validate methods
• Create critical mass (IdPs and especially RPs)
10
market
entry
OpenIDplus.nl
Per-attribute validation methods
• Standardization trust levels is needed for RP
• To interoperate with different IdPs (scalability)
• Common approach: levels of assurance for an identity
• NIST / STORK levels 1 to 4
• Combines authentication, identity binding etc
• BUT: existing IdPs support different sets of attributes,
validated in different ways
• Scalability compromise:
per-attribute standardized validation methods
11
OpenIDplus.nl
Status
• Draft specification and (very) draft rules
• Successful proof-of-concept with the specification
• Starting next phase: larger scale testing, setting up
governance, finalize spec & rules
• Go ‘live’ end of the year (?)
• Ongoing debate: how ‘big’ is the plus?
Non-exchaustive list of involved companies:
Wehkamp, SURFnet, ANWB, Hyves, Unive, TMG,
DigiNotar, NPO, Holder, ECP-EPN, Evidos, Novay
12
cidSafe initiativea safe consumer identity
• High-trust consumer identity
• Collaborative project by stakeholders
• Goal: breakthrough for high-trust consumer
identity in the Netherlands
• Short-term goal: if and how this is feasible,
with a focus on financial sector
13
cidSafe status
• Started in February 2010 …
• Studying Dutch and foreign successes and
failures; business case for relying parties;
business modeling; outline of trust
framework; evangelism …
• http://cidsafe.novay.nl
• Partners:
14
Why (now) two Dutch consumer identity
initiatives?
Too big (?) difference in
• needed trust
• value chain
• timeframes
• user perception (and context)
• possible role of government
A basic-trust solution will help a high-trust
solution!
15
Take aways
• Breakthrough in consumer identity by jointly
working on trust frameworks
• Balance openness with trust
• Role of government important and varies
between countries
In Netherlands:
• A basic-trust initiative: OpenIDplus.nl
• A high-trust initiative: cidSafe
16More information: http://maarten.wegdam.name