Verified Identity Claims

Issue/Topic: VERIFIED IDENTITY CLAIMS – An introduction to U-Prove privacy-enhancing technology

Session: Tuesday 3C

Conference: IIW-11, November 2-4, Mountain View

Convener: Craig Wittenberg (Microsoft)

Notes-taker(s): Ariel Gordon (Microsoft)

Tags: Verified Claims; Identity Attributes; Privacy; Privacy Enhancing Technology; Cryptography; user-centric technology: user control.

Participants:

 * Craig Wittenberg	Microsoft
 * Ariel Gordon	Microsoft
 * Jan Unger
 * Tim Cole	KuppingerCole
 * Bret Tobey	Assa Abloy
 * John Fontana	Ping Identity
 * Jon Webb	Sony PlayStation network
 * Nishant Kaushix	Oracle
 * Takeshi Kitagawa	NTT Communications
 * Mark Horstmeier	Kynetx
 * Matt Tebo	Proviti
 * Greg Turner	Sierra Systems
 * Mike Min	Booz
 * Guibin Kony	Google
 * Aravmdan Ranga	PayPal
 * Tom Leon	AOL
 * Jim Fenton	Cisco
 * Dale Olds	Novell
 * Ben Goodman	Novell
 * Fady Semaan	AOL
 * Henrik Biering	Peer Craft
 * Stuart Proffitt	Novell
 * Jeff Stollman	Secure Identity
 * Ambarsh Malpar	CA
 * Alex Ran	Intuit
 * Thomas Hardjono	MIT Kerberos
 * Peter Capek	Self
 * Lloyd Burch	Novell
 * Kimberly Little	LexisNexis
 * Frank Travestino	eBay
 * Heather Ford	UC Berkeley

Discussion notes:

Verified Identity Claims -- Technical introduction

Craig Wittenberg presented the U-Prove technology. U-Prove is well respected in academia. It was originally created by Credentica, purchased by Microsoft two years ago, and is now incubated as part of the Verified Claims Team. It has similar characteristics to an X.509 certificate, but with much better privacy characteristics.

Craig presented a few scenarios, starting with Alice purchasing wine online and proving that she is over 21 and a resident of WA state. Other scenarios included leveraging a German eID to access citizen and private services.

Many clarification Q&A followed on the technology and its benefits, including:

Q: Why not do back-end attribute exchange? Why go through all this trouble for exchanging attributes?

A: There are scenarios with privacy requirements such as un-traceability. If you take the case where governments issue identity claims, there are requirements for the government not to be able to trace where the user is using his proof of age (for example). Depending on the geography, the privacy requirements may come from the government itself or from privacy groups.

Q: If there is a Cloud Service that stores and releases information, does it effectively create a secondary IdP?

A: If there are no client-side bits, there is effectively a "broker" in the cloud that manages the user's private keys. Microsoft and its partners are investigating different ways to build the U-Prove verified claims agent that mitigates those issues.
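The minimal-disclosure idea behind Alice's wine scenario, as an added illustration that is not U-Prove and not code from the session or from Microsoft: each attribute is hidden in a salted hash commitment, the issuer signs the list of commitments (a keyed MAC stands in for the signature here, so the verifier shares the issuer key, which a real deployment would not do), and Alice opens only the attributes the wine shop needs. The un-traceability requirement raised in the first answer is exactly what this toy scheme lacks: every presentation carries the same issuer tag, so the `linkable` check returns True, and it is U-Prove's issuance protocol that removes that linkage. The schema, the wine-shop policy, the attribute values and the issuer key are all constructed for the example.

```python
"""Selective disclosure of issued attributes: a constructed, simplified illustration.

This is NOT the U-Prove protocol. It shows only the "minimal disclosure" idea
(reveal age and residency, keep everything else hidden) using salted hash
commitments and a keyed MAC standing in for the issuer's signature. It
deliberately lacks untraceability: the token bytes are identical at every
presentation, so issuer and verifiers can link uses of the same token.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed attribute schema for the example issuer.
ATTRIBUTES = ("name", "birth_year", "state", "customer_id")


def commit(value: str, salt: bytes) -> str:
    """Salted SHA-256 commitment; a 32-byte random salt defeats guessing."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


@dataclass
class Token:
    commitments: dict  # attribute name -> commitment (hex)
    issuer_tag: str    # MAC over the commitments (stand-in for a signature)


@dataclass
class Wallet:
    token: Token
    values: dict       # attribute name -> cleartext value (kept by the user)
    salts: dict        # attribute name -> salt bytes (kept by the user)


def issue(issuer_key: bytes, values: dict) -> Wallet:
    """Issuer commits to every attribute and authenticates the commitment list."""
    salts = {a: secrets.token_bytes(32) for a in ATTRIBUTES}
    commitments = {a: commit(values[a], salts[a]) for a in ATTRIBUTES}
    payload = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return Wallet(Token(commitments, tag), dict(values), salts)


def present(wallet: Wallet, disclose: set) -> dict:
    """Everything the verifier sees: the token plus openings for disclosed attributes only."""
    return {
        "token": {
            "commitments": wallet.token.commitments,
            "issuer_tag": wallet.token.issuer_tag,
        },
        "disclosed": {a: (wallet.values[a], wallet.salts[a].hex()) for a in disclose},
    }


def verify(issuer_key: bytes, presentation: dict) -> Optional[dict]:
    """Return the disclosed attribute values if the presentation checks out, else None."""
    token = presentation["token"]
    payload = json.dumps(token["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["issuer_tag"]):
        return None  # not issued by the trusted issuer, or commitments altered
    revealed = {}
    for attr, (value, salt_hex) in presentation["disclosed"].items():
        if commit(value, bytes.fromhex(salt_hex)) != token["commitments"].get(attr):
            return None  # opening does not match the committed value
        revealed[attr] = value
    return revealed


def wine_shop_policy(revealed: dict, current_year: int = 2010) -> bool:
    """Constructed verifier policy: at least 21 years old and a WA resident."""
    birth_year = int(revealed.get("birth_year", current_year))
    return (current_year - birth_year) >= 21 and revealed.get("state") == "WA"


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations of the same token carry the same issuer tag, so they are
    trivially linkable. This is the gap U-Prove closes; the toy scheme does not."""
    return p1["token"]["issuer_tag"] == p2["token"]["issuer_tag"]


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # constructed; a real issuer would use a signing key
    alice = issue(key, {"name": "Alice", "birth_year": "1980",
                        "state": "WA", "customer_id": "C-42"})
    shown = present(alice, {"birth_year", "state"})
    print("verifier learns:", verify(key, shown))
    print("policy satisfied:", wine_shop_policy(verify(key, shown)))
    print("two uses linkable:", linkable(shown, present(alice, {"state"})))
```

The verifier's view (`present` output) contains only hashes for `name` and `customer_id`, and the salted commitments cannot be opened without the user's salts. Tampering with a disclosed value or presenting a token to a verifier with a different issuer key makes `verify` return None.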

There is a PowerPoint deck associated with this session: U-Prove technology overview-Nov2010.pptx