Verified Claims

From IIW

Canonical use case: proving that you are over 21, that you are a frequent flyer gold member, etc. (see Dick Hardt's Identity 2.0 video)
University of Washington:

  • proving student status so that students can get deals from companies, e.g. downloading software from Microsoft
  • lots of other educational use cases: proving that a student graduated, transcripts, faculty status
  • a bunch of universities have agreed on a common schema format
  • why not just verify the email domain? Not everyone in a university's email namespace is a student; it is only a good approximation
  • how do you deal with appeals ("I am a student, but the system doesn't verify me correctly")? There are lots of edge cases; you always need customer service.


Charles Schwab:

  • Want to see if they can accept OpenID or InfoCard, but how can they trust the claims? Worried about the user's country of origin, credit history, and terrorist lists.
  • Can we leverage a Charles Schwab account (which has already verified a bunch of attributes) and use it elsewhere?
  • Can we make it easier to create a Charles Schwab account using verified claims from elsewhere?


beenverified.com:

  • an example of a startup trying to intermediate verified claims
  • costly, and it is unclear why RPs should trust this site


Other Topics:

  • How long should claims be valid for? Do we need continual audits (e.g. elevators and gas pumps are audited regularly)? It depends on the cost model, e.g. if insurance is expensive, maybe you can afford to do regular audits.
  • Assertions can be "local" -- the authoritative institutions differ depending on where the user is (e.g. the US has the DMV, but other places may not).
  • Some folks are looking at leveraging trusted sources of social data: allow the user to claim e.g. a LinkedIn profile or Facebook profile and generalize that into a credential.
  • Story about the lack of credentials on Wikipedia: SJ claimed to be a professor of comparative religion and won a bunch of edit arguments. When he took a job at Wikia, he had to reveal himself (24 years old).
  • How do we trust claims -- how do we know some party is authoritative? How do you verify the security of the entire stack, down to the network and device level?
  • We need common schemas for verified claims, to be used with OpenID, SAML, etc.
  • We need out-of-band agreements between the RP and the authoritative verifier.



- Vince Wu (vwu@google.com)