B2B and B2C: How to Balance the Difference and Challenges of Each Environment

Issue/Topic: B2B & B2C: How to Balance the Differences and Challenges of Each Environment (T1B)

Convener: Rainer Hoerbe

Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes

Notes-taker(s): Gary Moore

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The discussion was based around how to create an environment to handle the complexities of dealing with business-citizen and business-business transactions.

From an Austrian perspective


 * Internal govt federation program
 * Had a unsuccessful national citizen PKI. Based national identity that is moving towards a SMS based solution but uptake still unknown
 * Challenges - privacy
 * B2b privacy less important to ensure audit ability
 * B2c more important for privacy

NIH federation within US govt. starting with PIV. 80% of business is outside govt - currently Incommon to universities. NLM 15000 users - no cross correlation - authorization is delegated to relying party

NIH does not want to be in the business of a credential provider In Austria centralized data allows higher assurance of identity - legislatively driven with benefit of small population - 8 million

NLM can use multiple LOA (levels of assurance) as well as multiple IDPs

There is a concern with Credential strength versus strength of identity proofing

Stepping up levels of assurance - how to do that?
 * Use of organizations like Lexus, Axiom, Equifax for information that can better identify the user

NIH Delegates risk to the companies and universities that they are dealing with

How to manage the separation of attribute definitions - use a common data dictionary or create a mapping service?

Austrian view - NIST is concerned with providing identity to RP - Austrian concern adds on making sure info only goes to the user - European privacy legislation requirement

How do we come up with appropriate definitions of LOA - need better guidelines for the definitions.

Within NIH NLM program In common level 1-2, also using 3 and 4 through PKI as well as OpenID for level 1

How to create international common definitions of LOA? Companies like Paypal are global but definitions of LOA are currently environment specific

TSCP program to issue credentials to the machines that are assured to be trustworthy. In Austria a similar thing for web infrastructure elements. For TSCP they are extending that to leverage trusted platform to ensure long term proper configuration of the environment.