Identity Brokers

Conference IIW8 Room/Time: 5/B

Convener: Ben Sapiro

Notes-taker:None – notes created post session by convener

Attendees:

Technology Discussed/Considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

There are repositories of identity information that will/may not be exposed to the identity commons
 * Banks that don’t see a business model for exposing their reliable identities
 * Government agencies that have highly

There is a role for an identity broker that: The Identity Broker is an Identity Provider that uses someone else’s identity data to support claims but assumes the role of the Identity Provider with associated liability. The Identity Broker discloses the sources it used to create the claim/assertion and appends it as metadata to the claim/assertion. Equifax is sort of an Identity Broker but delivers data as is (assumes zero liability) and doesn’t tell you how it got the data. There would need to be an identity proofing process that would query the private data source in a non-privacy invasive manner. Would require a strong consent model – “user A, I will query the following data sets to generate the claim you requested, is that ok?”
 * acquires access to these authoritative information sources
 * generates claims on behalf of the user to present to relying parties
 * Presenting user provided data set (my name is X, by DOB is Y, my drivers license is Z) for boolean confirmation by the identity data repository (these are all true, these are not all true)
 * Limiting/throttling the number of queries against elements within a user provided (you queried the same drivers license three times while varying the name and DOB, therefore, you must be fishing, so go away)

Conclusions:
 * Need uses cases
 * Need policy on user privacy protection and pass-through of claims information
 * How does an Identity broker show that it’s done a claims transformation while still remaining relationship to the original data (or is it just a legal/trust me approach)?
 * What are the responsibilities and legal obligations of an Identity Broker?
 * What’s the mechanism for exposing the Identity Broker’s source data so that RP’s can make conclusions about the reliability of the claim?