Building Standards for "Trustable" ID Providers
Issue/Topic: Building Standards for “Trustable” ID Providers (T3D)
Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes
Session: Day – Number - Space Location Thu 9/9 - 3 - D
Convener: Jay Unger
Notes-taker(s): Jay Unger
Attendees: Name Affiliation Ty Stahl Oracle Barb Flanagan Trufina Jay Unger Independent Consultant
Tags for the session - technology discussed/ideas considered:
OpenID, Identity Provider, Trust, Limited Authority Stroage, Trusted Computing
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
There being only 3 attendees including the facilitator this session was more of discussion about various “trust” issues associated with identity.
The session was opened with a discussion by the facilitator of his desire to find a technical means for building an ID Provider that could be trusted by users with their identity attributes because the mechanisms used to store, maintain and present those attributes fundamentally protected the attribute data from disclosure to anyone (even the IdP) without expressed permission from the user.
The facilitator asserted that mechanism like “least authority” storage systems and “trusted computing” could be used to create an implementation where stored attributes could only be accessed by a relying party that the user designated and only then with appropriate decryption keys supplied by the user.
The representative from Trufina described that systems role as both an attribute provider and attribute proofing service that uses third party data and means to verify and vet attributes originally asserted by the user. We also briefly discussed the “liability” model associated with an attribute provider and proofing service attesting that attributes “vetted” using third party data carried.