Proofing the Masses

Issue/Topic: Proofing the Masses (T1C)

Convener: Vikas Mahajan

Conference: IIW-East, September 9-10, 2010, in Washington DC

Notes-taker(s): Justin Tormey

Tags for the session - technology discussed/ideas considered:

Proof, verify, physical, trust, notary public, business model, market, audit

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Issue: How do we “proof” 300 million+ US Citizens?
    • Daunting task for any identity provider hoping to provide a higher level of assurance
    • Some levels require physical inspection of documents
      • Process similar to getting a passport
      • Birth certificate, utility bill, tax information, etc.
  • Example: Social Security Administration unable to handle flow of new requests coming in from baby boom generation.
    • Not enough office staff to handle the influx of new claims.
    • Can they off-load some of this to third-party sources?
  • What’s included in a Level 1 / 2 / 3 proof?
    • There are standards that exist, but they don’t specify exact documents or requirements
    • Depends on the level of confidence the issuing party requires.
    • Some government agencies require physical document checks for “Level 2”, for example, while the specification doesn’t require those checks until “Level 4”
  • Concept: Team of trained volunteers, like the AARP, perform certification
    • AARP already doing physical checks for some tax preparation services they provide for free
  • Concept: Nearly everyone has a mobile phone; what if carriers could provide an authenticated identity?
    • Should there be a split between Identity Providers & Identity Proofing?
    • There are many organizations, groups, companies, etc. that have some identity assets.
    • Companies could provide this data in an open market to Identity Providers
    • Who will consumers trust with their information?
      • Some organizations, like AARP or the Post Office, have a perceived high degree of trustworthiness
  • What’s the business model for proofing?
    • Sell identity attributes and verified identities to Identity Providers
    • Some risk management assessments need to be done
      • Who is liable for bad information?
      • Proofing can be done for free or cheap with no liability implied
      • Pay for some degree of protection
    • Audits need to be performed on a regular basis to ensure the proofing is of high enough quality