Building Standards for "Trustable" ID Providers

Issue/Topic: Building Standards for “Trustable” ID Providers (T3D)

Conference: IIW-East, September 9-10, 2010, Washington DC (Complete Set of Notes)

Session (Day - Number - Space Location): Thu 9/9 - 3 - D

Convener: Jay Unger

Notes-taker(s): Jay Unger

Attendees (Name - Affiliation):
Ty Stahl - Oracle
Barb Flanagan - Trufina
Jay Unger - Independent Consultant

Tags for the session - technology discussed/ideas considered:

OpenID, Identity Provider, Trust, Limited Authority Storage, Trusted Computing

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

There being only 3 attendees including the facilitator, this session was more of a discussion about various “trust” issues associated with identity.

The session was opened with a discussion by the facilitator of his desire to find a technical means of building an ID Provider that users could trust with their identity attributes, because the mechanisms used to store, maintain and present those attributes would fundamentally protect the attribute data from disclosure to anyone (even the IdP) without the user's express permission.

The facilitator asserted that mechanisms like “least authority” storage systems and “trusted computing” could be used to create an implementation in which stored attributes could be accessed only by a relying party that the user designated, and only then with appropriate decryption keys supplied by the user.
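A minimal model of the storage arrangement described above, as an added example (not code from the session or from any product discussed): the IdP holds only sealed attribute records and per-RP wrapped data keys, so it cannot read the attributes itself, and a relying party can decrypt only if the user designated it at the IdP and handed it the per-RP key out of band. The HMAC-based seal/unseal, the class names and the sample attributes are constructed for this illustration.

```python
import hashlib, hmac, json, secrets

# Toy authenticated encryption from HMAC-SHA256 (keystream XOR + tag); dependency-free
# for this example only, a real deployment would use AES-GCM or similar.
def _stream(key, nonce, n):
    parts = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
             for i in range((n + 31) // 32)]
    return b"".join(parts)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class BlindIdP:
    """Stores sealed attribute records and per-RP wrapped data keys; holds no keys itself."""
    def __init__(self):
        self.records, self.grants = {}, {}   # user -> blob, (user, rp_id) -> wrapped key
    def store(self, user, blob):
        self.records[user] = blob
    def grant(self, user, rp_id, wrapped):
        self.grants[(user, rp_id)] = wrapped
    def release(self, user, rp_id):
        # Least authority: only a designated RP gets anything, and all it gets is ciphertext.
        if (user, rp_id) not in self.grants:
            raise PermissionError(f"{rp_id} is not designated by {user}")
        return self.records[user], self.grants[(user, rp_id)]

class User:
    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.master, self.data_key = secrets.token_bytes(32), secrets.token_bytes(32)
    def enroll(self, attrs):   # attributes are sealed before the IdP ever sees them
        self.idp.store(self.name, seal(self.data_key, json.dumps(attrs).encode()))
    def rp_key(self, rp_id):   # per-RP key, handed to that RP by the user out of band
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()
    def designate(self, rp_id):
        self.idp.grant(self.name, rp_id, seal(self.rp_key(rp_id), self.data_key))
        return self.rp_key(rp_id)

def rp_read(idp, user, rp_id, rp_key):
    """Relying party: fetch ciphertext from the IdP, decrypt it with the user-supplied key."""
    record, wrapped = idp.release(user, rp_id)
    return json.loads(unseal(unseal(rp_key, wrapped), record))
```

The IdP's authority is reduced to storing and forwarding ciphertext; the trusted-computing angle from the discussion would be the attestation that the IdP really runs this release policy and nothing more.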

The representative from Trufina described that system's role as both an attribute provider and an attribute proofing service that uses third-party data and means to verify and vet attributes originally asserted by the user. We also briefly discussed the “liability” model associated with an attribute provider and proofing service, that is, the liability carried by attesting to attributes “vetted” using third-party data.