Liability and Financial models for Identity Providers, Attribute Providers and Identity Proofers

Issue/Topic: Liability and Financial models for Identity Providers, Attribute Providers and Identity Proofers (T3E)

Conference: IIW-East, September 9-10, 2010, Washington DC (Complete Set of Notes)

Convener: Brian Kelly

Notes-taker(s): Brian Kelly

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

 * Who is responsible?
 * Who pays?
 * How much?

About a dozen people gathered to discuss the “L” word that has been omitted from many of the NSTIC and Trust Framework Provider documents and discussions – Liability. The first point raised was that we need to define what type of liability we are discussing and between whom. Liability between

1. Identity Provider (IdP) and Relying Party (RP)?
2. User and IdP?
3. User and RP?
4. Trust Framework Provider (TFP) and IdP?
5. TFP and RP?

Attribute Providers and Identity Proofers also belong in this mix, but we lumped them into IdP for sake of the discussion.

These are all areas where liability may be carried. Liability and risk currently shift around from user to RP to IdP to TFPs. But who is really responsible? The concept of an “Identity FDIC” was raised, but not tackled. The conversation then shifted to the question of “who polices the system?” e.g. during an audit, an IdP gets kicked off the TFP whitelist for behaving badly.
 * How does this affect users of that IdP?
 * And more importantly, how does it affect the RPs that those users expect to access?

We also discussed how some RPs may require an IdP or a set of IdPs in order to access the RP's resources, with no alternative way to access the RP (e.g. StackOverflow requires an OpenID to sign up; airlines require a credit card to pay for food/drink while in flight).

This raises the trust that RPs and users are putting into an IdP and magnifies the liability on that IdP. There is one area where this will be protected: Citizen to Government – Government must always provide another way to access their services – even offline. Maybe government will always offer a username and password option. It’s debatable. The conversation then shifted into the financial discussion.
 * RP pays the IdP
 * User pays the IdP
 * IdP offers a substantial cost savings / convenience to the user or RP

Think about a bank as an IdP or Attribute Provider (AP) that could offer its service as a value-add to its existing (vetted) customers. Someone mentioned that putting a “Fair Credit Reporting Act” in place for IdPs before critical mass of RPs is achieved might kill the “Identity Big Bang”.
 * RP adoption driver: lower fraud by outsourcing account sign-up / identity vetting
 * RP can take away risk from themselves by outsourcing to IdP

RP growth drives the market, not IdPs, TFPs or APs. Government has the capability to bootstrap the RP adoption process and get the ball rolling.