Proofing the Masses
Issue/Topic: Proofing the Masses (T1C)
Convener: Vikas Mahajan
Conference: IIW-East September 9-10, 2010 in Washington DC
Notes-taker(s): Justin Tormey
Tags for the session - technology discussed/ideas considered:
Proof, verify, physical, trust, notary public, business model, market, audit
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- Issue: How do we “proof” 300 million+ US Citizens?
- Daunting task for any identity provider hoping to provide higher level of assurance
- Some levels require physical inspection of documents
- Process similar to getting a passport
- Birth certificate, utility bill, tax information, etc.
- Example: Social Security Administration unable to handle flow of new requests coming in from baby boom generation.
- Not enough office staff to handle the influx of new claims.
- Can they off-load some of this to third-party sources?
- What’s included in a Level 1 / 2 / 3 proof?
- There are standards that exist, but they don’t specify exact documents or requirements
- Depends on the level of confidence the issuing party requires.
- Some government agencies require physical document checks for “Level 2” for example, while the specification doesn’t require those checks until “Level 4”
- Concept: Team of trained volunteers, like the AARP, perform certification
- AARP already doing physical checks for some tax preparation services they provide for free
- Concept: Nearly everyone has a mobile phone, what if carriers could provide an authenticated identity?
- Should there be a split between Identity Providers & Identity Proofing?
- There are many organizations, groups, companies, etc. that have some identity assets.
- Companies could provide this data in an open market to Identity Providers
- Who will consumers trust with their information?
- Some organizations, like AARP or the Post Office have a perceived high degree of trustworthiness
- What’s the business model for proofing?
- Sell identity attributes and verified identities to Identity Providers
- There needs to be some risk management assessments done
- Who is liable for bad information?
- Proofing can be done for free or cheap with no liability implied
- Pay for some degree of protection
- Audits need to be performed on a regular basis to ensure the proofing is high enough quality