Verified Claims
From IIW
Canonical use case: proving you are over 21, you are a frequent flyer gold member, etc. (see Dick Hardt's Identity 2.0 video)
University of Washington:
- proving student status so that they can get deals from companies, e.g. download software from Microsoft
- lots of other educational use cases: prove student graduated, transcript, faculty status
- a bunch of universities have agreed on a common schema format
- why not just verify email domain? Email namespace aren't all students, only a good approximation
- how do you deal with appeals: i am a student, but the system doesn't verify me correctly. There are lots of edge cases, always need customer service.
Charles Schwab:
- Want to see if they can accept openid or info card, but how can they trust claims? Worried about user's country of origin, credit history, terrorist list.
- Can we leverage a charles schwab account (which has pre-verified a bunch of attributes) and use it elsewhere?
- Can we make it easier to create a charles schwab account using verified claims elsewhere?
beenverified.com
- example of a startup trying to intermediate verified claims
- costly and unclear why RPs should trust this site
Other Topics:
- How long should claims be valid for? Do we need continual audits (e.g. elevators / gas pumps audited regularly). Depends on cost model, e.g. if insurance is expensive, maybe can afford to do regular audits.
- Assertions can be "local" -- institutions will be different depending on where the user is. (e.g. US has DMV, but other places may not.)
- Some folks looking at leveraging trusted sources of social data. Allow user to e.g. claim linkedin profile, facebook profile, etc and generalize that to a credential.
- Story about the lack of credentials in Wikipedia. SJ claimed to be professor of comparative religion and won a bunch of edit arguments. When he took up a job at wikia, he had to reveal himself (24yo).
- How do we trust claims -- how do we know some party is authoritative? How do you verify security of the entire stack, down to network and device level?
- We need common schemas for verified claims, to be used with openid/saml, etc.
- We need out of band agreements between RP and authoritative verifier
- Vince Wu (vwu@google.com)