Identity Commons Claims Agent Working Group

Session Topic: Identity Commons Claims Agent Working Group

Convener: Paul Trevithick

Notes-taker(s):Mike Hanson & Patricia Wiebe

Tags for the session - technology discussed/ideas considered:

A link to the Claims Agent charter: http://wiki.idcommons.net/ Claims_Agent_Charter.

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Intro: A Claims Agent is a piece of software that conveys claims from some set of Claim Providers to some set of Relying Parties. A new Claims Agent Working Group is being setup that talks about how do we build this; focusing on eGoverment initially, skipping the question of how to log in.

For example, an RP asks, "are you over 21" or "do you have health insurance". eGovernment is interesting because it is privacy sensitive and, in many governments, sometimes has an interest in not being seen as Big Brotherish.

Sal D'Agostino: Relation to UMA?

Paul T: CAWG is more focused in privacy, more interested in augmentation of UI.

Paul Bryan: No browser or user-centricity in the model; transaction usually doesn't have a person in it. Lots of backchannel flow.

X: If the Claims Agent were an UMA Access Manager, it could provide tokens for person-present and person-not-present claims.

Paul T: The goal of the WG is to not invent anything, but to put together the technology that we've got. Facebook has demonstrated a way of providing a non- distributed, closed implementation of this. Let's try to narrowly focus on a small number of use cases, but also think broadly about existing technologies, e.g. OAuth, OpenID ABC, UMA. Emphasis on working code, less on specs as an initial goal.

Craig Wittenberg, Microsoft: Looking for participants for the W3C effort. Talked with several states who are interested in being issuers and RPs - title issuers in VA, employment insurance in CA, something in WA. Commercial partners, including Northrop Grummand; other vendors. Federal agencies, are interested, perhaps as RPs since they are not yet ready to be issuers, e.g. USDA is interested in fraud prevention. Commercial issuers, including some large banks to be issuers.

Sal D'Agostino: VA is issuing smart cards for emergency responders, e.g. RP case is

that I'm a firefighter.

Craig W: The cards are great for some cases; the underlying tech is x509 certificates, which doesn't work in every case.

Discussion: Is the WG going to work on authentication of RPs to a claims agent? The threat model here is inappropriate disclosure of claims to an RP, or the reuse of a bearer token to an RP.

UMA was brought up again - does UMA enumerate these use cases? Counterargument is that UMA is focused on authorization, not claims discovery.

Discussion: Identity Oracle concept? e.g. The ability to purchase a beer could be conveyed by a minimal disclosure token that indicates legal age, or it could be conveyed by an oracle that indicates whether you can buy beer. UMA is closer to the identical oracle; front-channel solutions different in that the issuer doesn't know who is asking the question. Paul: The claims agent could be stateful (it's my identity oracle) or state-free (it's more generic).

Issuer-to-agent discussion:  How does the issuer announce claim availability? This has been a major problem with models before this. The infocard model expected the user to provision cards beforehand. If you didn't have a card, the UX was pretty bad.

Wendell Baker, Yahoo!:  In the targeted ads business, all this stuff happens everyday. Content sites and ad networks generate ephemeral claims about the users. The requesting parties are advertisers, or agencies that try to get the ads in front of users. The claims agent is an economist's agent. Lots of discussion here has been about login or heavyweight claims; this is very different from ad placement which is very fast and low cost. Craig: to what extent would the user be involved in the flow? Wendell: somewhat if the user goes into an interest manager and flips bits; more granularly as the user signals their intent by moving around the web.

Discussion: Interesting parallels exist to the ad industry. Cost of a false positive for a "is a doctor" claim is obviously much lower! Privacy issues for some claims are much more important. Machine-readable privacy policies allow the claims agent to be much more interesting - InfoCards demonstrated that the "rational actor" theory of claims management doesn't work (too much user interaction, too invasive). Definition of "minimal" is very hard. Informed consent is also hard.

Note for WG: The claims agent should be able to broker claims that range from fully identity-bound to fully blinded (that is, the issuer does not know who the RPs are). This becomes a policy issue for the RP; the claims agent would process a policy from the RP to determine which issuers or claims could satisfy the request.

To participate in the WG, talk to Paul T. Notes by: Patricia Wiebe

• Work group is under IdCommons, not Kantara

• Claims agent focuses on claims passed over front channel, user centric model

••• UMA and OpenID ABC protocols are over back channel

• Craig (Microsoft) reported that he has commitments of some companies, state govts to deploy

• Bearer tokens have problems, need something stronger

••• Has this problem has been solved in UMA, SAML; caution about re- inventing

• Are there similarities to Bob Blakely’s work on “identity oracle”?

• Should a claims agent be stateless? Require authentication to use the agent?

• The agent needs to have a relationship with both parties (claims provider, relying party)

• Need to enable both strongly identified and fully anonymous users

• Relying parties need to have declarative policy, as a machine readable document

••• Policy specifies who to trust – should be able to specify issuers or trust framework

• Need more discussion on agent-to-claims provider “introduction”

•••Need to do better than idea of provisioning information cards

• Consider different solution layers, e.g. transport versus application

• Should the agent be able to say “yes” on behalf of the user?

• The rational actor model isn’t accepted anymore

••• can’t prompt the user to consent to share their claims for every transaction

• Next steps... start participating in working group conference calls; meet weekly or biweekly?

Thanks Patricia. Great notes!

I have one minor correction and one addition. The one minor correction is that “UMA and OpenID ABC protocols are over back channel” isn’t quite correct. Both have front channel elements (e.g., UMA and the permission granting process) and back channel

elements (enabling the out of band retrieval of some claims). Craig.