Verified Claims

Canonical use case: proving you are over 21, that you are a frequent flyer gold member, etc. (see Dick Hardt's Identity 2.0 video)

University of Washington:
 * proving student status so that students can get deals from companies, e.g. download software from Microsoft
 * lots of other educational use cases: prove a student graduated, transcript, faculty status
 * a bunch of universities have agreed on a common schema format
 * why not just verify the email domain? Not everyone in the email namespace is a student; it is only a good approximation
 * how do you deal with appeals: "I am a student, but the system doesn't verify me correctly." There are lots of edge cases; you always need customer service.

Charles Schwab:
 * Want to see if they can accept OpenID or info card, but how can they trust claims? Worried about user's country of origin, credit history, terrorist list.
 * Can we leverage a Charles Schwab account (which has pre-verified a bunch of attributes) and use it elsewhere?
 * Can we make it easier to create a Charles Schwab account using verified claims from elsewhere?

beenverified.com:
 * example of a startup trying to intermediate verified claims
 * costly, and unclear why RPs should trust this site

Other Topics:
 * How long should claims be valid for? Do we need continual audits (e.g. elevators / gas pumps are audited regularly)? Depends on the cost model, e.g. if insurance is expensive, maybe one can afford to do regular audits.
 * Assertions can be "local" -- institutions will be different depending on where the user is (e.g. the US has the DMV, but other places may not).
 * Some folks are looking at leveraging trusted sources of social data: allow the user to e.g. claim a LinkedIn profile, Facebook profile, etc. and generalize that to a credential.
 * Story about the lack of credentials in Wikipedia: SJ claimed to be a professor of comparative religion and won a bunch of edit arguments. When he took up a job at Wikia, he had to reveal himself (24 years old).
 * How do we trust claims -- how do we know some party is authoritative? How do you verify the security of the entire stack, down to the network and device level?
 * We need common schemas for verified claims, to be used with OpenID/SAML, etc.
 * We need out-of-band agreements between the RP and the authoritative verifier

- Vince Wu (vwu@google.com)