Value of Verified ID
Conveners: Denise Tayleo, RL “Bob” Morgan
- Matt Klein
- Jeff Shan
- Marty Schleiff
- Jeff Stollman
- Kevin Trills
- Lucy Lynch
- David Brown
- Terry Hayes
+ dozen more
Relying party and identity/claim provider relationships where data about subjects is “verified” rather than ? asserted.
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
“Verified” is probably too narrow a concept. The real differentiation for some claims/attributes is that they are claimed by the asserting party to be useful for or compliant with some defined business process. This might involve some defined verification method (or set of methods) but might also involve things like user consent, notification of others (eg parents), auditing etc… The state of the art is to bake notions of “verified” (etc…) into claim definitions or business agreements. An interesting subject is permission management (“can use feature X”). Defining authority is not always clear, ef for age. Large intersection with Level of Assurance concepts.
Adding “verified” or “complaint” decoration to each delivered claim is appealing but too complicated so far. Many of their issues were dealt with in PKI certificate policies 15 years ago, but this has seen little use, and even there proliferation of per-company policy attributes was a problem.