Use Cases for Identity Brokers
Conference IIW8 Room/Time: 12/G
Convener: Ben Sapiro/Ashish Jain
Notes-taker: Ben Sapiro
Attendees: Alan K, Bob P, Alavilli P, Vittorio B, Ray V, Ashish J
Technology Discussed/Considered: Identity Broker Use Cases
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
IP needs to have some sort of accreditation
why would the RP pay?
Alcohol sellers online
- verification that you're a child by accessing a school database
- Red flag automation for
you do not have correct control of the data collection
An industry-based IP -
- all the banks want to have one single phase
- all the attorneys have one single issue
you become a very attractive target if an attacker can get onboard and generate identities via you
the more datasources you aggregate, the more useful you are - but the more risk you will be faced with
not unlike the OpenID OP vs IdP debate - but unless you actually issue Identities, you're just an Identity Owner (not a provider)
An IP can perform correlations across multiple data sources
This is done in federation. Example – citizen of EU --> Italian IdP (using on behalf-of)
the main value is providing access to the data, not in aggregation (that is clearly secondary)
some of these are claims, some of these are too close to be background checks
- Is sex offender
- is criminal
- education history
- employment history
- DOB/Age/Over18
- Address verification
- Credit Check
- valid insurance
- reputation
- driving record
- frequent flyer miles
- number of LinkedIn connections
- citizenship
- property ownership
- marital status
- connections to a group
- affiliations/membership
- professional status
- email ownership
(these have to be actively consumed by a third party, otherwise it's just information)
(if the information is about the requestor, it's a claim, otherwise not)
would require in-place access to data (no copies)
would require strong legal contracts forbidding mix and match to achieve information leakage
need to expose which sources you queried but not what the answers were
pricing could be commensurate with assurance level (did I ask gold level or silver level information sources)
pricing could be commensurate with granularity of information exposed (boolean versus scored)
Identity Broker is actually a claims broker (strict definition)
would need a process to feed in annotation/corrections and handle disputes
how do we resolve inconsistent data (database A does not match B and C)?
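As an added illustration of the claims-broker model sketched in these notes (not code from the session or from any product), the snippet below answers a derived Over18 claim from in-place sources, discloses which sources were queried but not their individual answers, prices by assurance level and granularity, and flags disagreement between sources for the dispute process. The source names, assurance levels, prices and subjects are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed in-place sources (assumed names): each answers a yes/no
# question about a subject; the broker never receives the underlying record.
_DMV = {"alice": date(1990, 5, 1), "bob": date(2010, 2, 3)}
_SCHOOL = {"alice": date(1990, 5, 1), "bob": date(2001, 2, 3)}

def _over18(records):
    def query(subject: str, today: date) -> Optional[bool]:
        dob = records.get(subject)
        if dob is None:
            return None                       # source has no opinion
        return (today - dob).days >= 18 * 365  # derived claim only, no DOB
    return query

# source name -> (assurance level, query function); gold ranks above silver
SOURCES = {"dmv": ("gold", _over18(_DMV)), "school": ("silver", _over18(_SCHOOL))}
RANK = {"silver": 1, "gold": 2}
PRICE = {"silver": 1, "gold": 3}  # assumed price units per source queried

@dataclass
class ClaimResult:
    claim: str
    value: object          # bool for boolean granularity, 0-100 for scored
    sources_queried: list  # disclosed to the RP; per-source answers are not
    disputed: bool         # sources disagreed -> route to dispute process
    price: int

def broker_over18(subject, min_assurance="silver", granularity="boolean",
                  today=date(2024, 1, 1)):
    # Query only sources at or above the assurance level the RP paid for.
    answers = {}
    for name, (level, query) in SOURCES.items():
        if RANK[level] >= RANK[min_assurance]:
            answers[name] = query(subject, today)
    known = [a for a in answers.values() if a is not None]
    disputed = len(set(known)) > 1
    if granularity == "scored":
        value = round(100 * sum(known) / len(known)) if known else None
    else:
        # Boolean answer only when the queried sources agree.
        value = all(known) if known and not disputed else None
    price = sum(PRICE[SOURCES[n][0]] for n in answers)
    price *= 2 if granularity == "scored" else 1
    return ClaimResult("Over18", value, sorted(answers), disputed, price)
```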
[Whiteboard photos: Left Side of Board, Right Side of Board]