Level 3 and 4 Credentials in the Ecosystem (3H)

Convener: Mike Magrath

Notes-taker(s): Mike Magrath

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


 * Question on levels: their meaning and benefit, and what the levels mean
 * Use Cases: Sensitive, personal info such as healthcare and financial institutions
 * Other bodies have other definitions
 * Europe has only one level
 * Need policy for what can be done at what level (e.g. how much credit you can get with a credential)
 * Bindings, proofing, etc. are criteria in various levels
 * US Federal Government is not liable, but there is liability in Europe
 * FIPS 201 and SP800-63 are for government and for G2C, G2B, C2G, etc.
    * SP800-63 written for issuer and relying party
 * How does the consumer use Level 3 in the commercial world?
 * Use out of band transactions to verify identity to obtain a higher level credential
 * Actually care about the attributes involved for a transaction rather than an arbitrary assurance level
 * Back-end fraud protection is what gives value to PayPal and eBay rather than the authentication
 * Identity credentials are not transaction credentials and the same authentication might not be appropriate
 * Open Identity Exchange exists and is a starting point so Trust Frameworks can be formed
 * It is not just about the authentication, but the validation of the source that counts
 * Does one have to notify when a street identity is “invalid?”
 * There is also an issue of confidence level of attribute – How old is it?
    * Police accept a Driver’s License address that is 5 years old
 * Will people use a smartphone to log on to a computer?
 * If embedded in phone (ubiquitous terminalization) it will be more accepted
    * Low payment only?
    * Healthcare?
    * When do you need the higher assurance?
 * If pervasive smartphones bring down cost, the gap for acceptance and use of high assurance goes away
 * Do we use the Carrot or the Stick?