From CoderreM at aetna.com Thu Nov 29 10:33:03 2007
From: CoderreM at aetna.com (Coderre, Mark)
Date: Thu, 29 Nov 2007 13:33:03 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
Message-ID: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com>

I am interested in the group's thoughts around combating registration fraud by leveraging partnered certified credentialing authorities to raise the assurance level of provisioned accounts. What may be a level 1 to me (alone) could become level 2 with validation from a CA that has a more authoritative reference. The same could be true of identities I can validate very strongly but others may not.

I am interested in this within the healthcare industry (pharmacies especially) as well as financial, since there are health/wealth synergies in the consumer product space.

Mark Coderre
Security Architecture Lead
AIS Enterprise Architecture
860-636-2440

This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna
From bob at bobpinheiro.com Thu Nov 29 14:58:29 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 29 Nov 2007 17:58:29 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com>
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com>
Message-ID: <0JSA00BOFI6IS971@vms173001.mailsrvcs.net>

I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4.

When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations. Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party. If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion. On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2.

I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations.

I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues.

Bob Pinheiro

From CoderreM at aetna.com Thu Nov 29 16:08:48 2007
From: CoderreM at aetna.com (Coderre, Mark)
Date: Thu, 29 Nov 2007 19:08:48 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <0JSA00BOFI6IS971@vms173001.mailsrvcs.net>
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net>
Message-ID: <7B03492D640C0745B22C6DBF3A4042340647004A@MDDP-EXCH-003.aeth.aetna.com>

The model I am thinking of is two identity providers, neither of which may have a "store front" for in person proofing. Each IdP has distinctly different manners to validate an individual on-line as they represent different industries with different customer enrollment mechanisms. Since both may be the target of PII theft through collusion/collection of information from BOTNets, etc. they look to each other as a 2nd form of validation. This occurs today when an entity uses a Knowledge Based Authentication service to gain external identity validation. In this case the KBA may not always be required where the two partners share common customers.

This is not necessarily a chicken and egg problem because each site has the option of limiting entitlements when they have solely proofed the individual. Once the individual can provide proof of initial registration from one to the other (and vice versa for that matter), each site can elevate the level of assurance and resulting entitlements as desired, based on their value of the other entity's registration process strength.

It also has value where one partner has a storefront for in person proofing (showing a driver license with a picture) and another partner does not have that same luxury. But perhaps the latter partner has significant personal information such that their online registration requires significant knowledge of the person. These partners may view each other as somewhat equal. The relationship may be even or slightly favored, ending up in a nominal fee.

The last intriguing piece of this to me is that two partners may share common customers, but each may have customers registered the other is not aware of. Proof of identity from a trusted partner may be valuable in 1st touch customer relationships online. If someone comes anonymously as a new customer online to me but a trusted partner has vetted them and perhaps come to prove their email address appears accurate, it does contain potential value.

-Mark Coderre.
From Alex.Popowycz at fmr.com Fri Nov 30 05:40:14 2007
From: Alex.Popowycz at fmr.com (Popowycz, Alex)
Date: Fri, 30 Nov 2007 08:40:14 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net>
Message-ID: <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>

My read on the originating message was a bit different. To me the question revolved around compound authentication (a scenario described in detail within the Strong Authentication Expert Group and now in the Strong Authentication MRD developed within BMEG). In one scenario you rely on the authentication of an identity provider and combine that with the results of an authentication of a second identity provider (which could be the originating relying party), in effect creating a federated/distributed multi-factor authentication. I over simplified this from an additive authentication perspective because the underlying provisioning mechanisms may result in an answer that is a mathematically nonsensical but logically relevant equation of 1+1=1.5.

I would suggest reviewing the current strong auth MRD and look at foundational scenario 2 (the version I was looking at would have it as section 3.2).

Alex
From bob at bobpinheiro.com Fri Nov 30 07:47:22 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Fri, 30 Nov 2007 10:47:22 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <7B03492D640C0745B22C6DBF3A4042340647004A@MDDP-EXCH-003.aeth.aetna.com>
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net> <7B03492D640C0745B22C6DBF3A4042340647004A@MDDP-EXCH-003.aeth.aetna.com>
Message-ID: <0JSB002TTTCTB2E0@vms046.mailsrvcs.net>

So let's say there are two identity providers. The first IdP proofs a person's identity at Assurance Level 1, say. According to the Identity Assurance Framework, there are several possibilities for how that could be done. The person could present two utility statements, for instance.

I think you are suggesting that, in order to act as a sanity check on the identity proofing process, the first IdP decides to rely on an identity assertion received from a second IdP. But if the second IdP also proofs the person's identity at Assurance Level 1, the proofing process is (in theory) exactly equivalent to the proofing done by the first IdP, even if different documentation is used. For instance, instead of using two utility statements, the second IdP might use one signed bank or credit card, which is allowable under the Identity Assurance Framework.

So the first IdP might be tempted to say, well, I've proofed this person using two utility statements. And now I can see that this second IdP has proofed this person using a signed bank card. So now I feel even more confident in the person's identity. While there seems to be some logic to this, I don't think it's necessarily true that the first IdP would know the proofing documentation used by the second IdP. The first IdP would only know that the second IdP performed an identity proofing that was completely equivalent to the one done by the first IdP.

If the first IdP feels it needs more assurance of the person's identity than is provided by two utility bills, I don't think it is justifiable to rely on another identity assertion from a second IdP, at the same Assurance Level. In fact, if the first IdP lacks confidence that two utility bills is sufficient to establish identity, that IdP really needs to perform an identity proofing at a higher Assurance Level. Or, that IdP could rely on an identity assertion from a second IdP at a higher Assurance Level.

In general, I don't think that a relying party that receives identity assertions from 10 separate IdPs, each at Assurance Level 1 for instance, can conclude that the combined Assurance Level provided by all 10 taken together is greater than Assurance Level 1. The same two utility bills may have been used for identity proofing at each of the 10 IdPs. And even if different documentation was provided at the different IdPs, by definition they each provide an equivalent level of assurance of the person's identity. So 10 identity assertions at the same Assurance Level do not somehow combine to yield an overall higher Assurance Level. But if one of those 10 IdPs were sending an identity assertion at Assurance Level 3, say, then the relying party could be confident of the claimed identity at Assurance Level 3. The other 9 assertions at Assurance Level 1 would not seem to make any difference.

At least, that is how it seems to me. Can anyone provide an argument that this view is wrong?

- Bob
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/49028ac6/attachment.html From altermap at mail.nih.gov Fri Nov 30 08:03:03 2007 From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E]) Date: Fri, 30 Nov 2007 11:03:03 -0500 Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION In-Reply-To: <0JSB002TTTCTB2E0@vms046.mailsrvcs.net> References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com><0JSA00BOFI6IS971@vms173001.mailsrvcs.net><7B03492D640C0745B22C6DBF3A4042340647004A@MDDP-EXCH-003.aeth.aetna.com>, <0JSB002TTTCTB2E0@vms046.mailsrvcs.net> Message-ID: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl> An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/1b042ee0/attachment-0001.html From judith.spencer at gsa.gov Fri Nov 30 08:12:07 2007 From: judith.spencer at gsa.gov (judith.spencer at gsa.gov) Date: Fri, 30 Nov 2007 11:12:07 -0500 Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION In-Reply-To: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl> Message-ID: Please don't forget NIST Special Publication 800-63 when looking at what the Feds do, and of course our foundational OMB Memorandum M-04-04. 
_______________________________ Judith Spencer Chair, Federal Identity Credentialing Committee 202-208-6576 Vision without Action is a Daydream Action without Vision is a Nightmare - Japanese Proverb "Alterman, Peter (NIH/CIT) [E]" Sent by: sig-ia-bounces at lists.projectliberty.org 11/30/2007 11:03 AM To "Bob Pinheiro" , "Coderre, Mark" , sig-ia at lists.projectliberty.org cc Subject Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION Bob, the levels are determined by a combination of buckets, of which ID proofing is one; the resistance to hacking of the technology is another and the trustworthiness/security of management of the whole megillah is the third. So, really, what you want to say is that if IdP X and IdP Y both do ID proofing comparably, the outputs into the overall assessments will be comparable. What you're point up is the need to have an ID proofing standard. We have FIPS 201 for high assurance, of course. We (Uncle) also have language for assertion-based credential levels in the E-Authentication Credential Assessment Framework. Might be helpful to use that as a starting point for the Liberty version. Brother Temoshok can add more. vr, Peter ---------------------------- Peter Alterman, Ph.D. Asst. CIO, E-Authentication, NIH and Chair, Federal PKI Policy Authority Cell: 301-252-8846 From: Bob Pinheiro Sent: Fri 11/30/2007 10:47 AM To: Coderre, Mark; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION So let's say there are two identity providers. The first IdP proofs a person's identity at Assurance Level 1, say. According to the Identity Assurance Framework, there are several possibilities for how that could be done. The person could present two utility statements, for instance. 
I think you are suggesting that, in order to act as a sanity check on the identity proofing process, the first IdP decides to rely on an identity assertion received from a second IdP. But if the second IdP also proofs the person's identity at Assurance Level 1, the proofing process is (in theory) exactly equivalent to the proofing done by the first IdP, even if different documentation is used. For instance, instead of using two utility statements, the second IdP might use one signed bank or credit card, which is allowable under the Identity Assurance Framework.

So the first IdP might be tempted to say, well, I've proofed this person using two utility statements. And now I can see that this second IdP has proofed this person using a signed bank card. So now I feel even more confident in the person's identity. While there seems to be some logic to this, I don't think it's necessarily true that the first IdP would know the proofing documentation used by the second IdP. The first IdP would only know that the second IdP performed an identity proofing that was completely equivalent to the one done by the first IdP. If the first IdP feels it needs more assurance of the person's identity than is provided by two utility bills, I don't think it is justifiable to rely on another identity assertion from a second IdP, at the same Assurance Level.

In fact, if the first IdP lacks confidence that two utility bills are sufficient to establish identity, that IdP really needs to perform an identity proofing at a higher Assurance Level. Or, that IdP could rely on an identity assertion from a second IdP at a higher Assurance Level. In general, I don't think that a relying party that receives identity assertions from 10 separate IdPs, each at Assurance Level 1 for instance, can conclude that the combined Assurance Level provided by all 10 taken together is greater than Assurance Level 1. The same two utility bills may have been used for identity proofing at each of the 10 IdPs.
And even if different documentation was provided at the different IdPs, by definition they each provide an equivalent level of assurance of the person's identity. So 10 identity assertions at the same Assurance Level do not somehow combine to yield an overall higher Assurance Level. But if one of those 10 IdPs were sending an identity assertion at Assurance Level 3, say, then the relying party could be confident of the claimed identity at Assurance Level 3. The other 9 assertions at Assurance Level 1 would not seem to make any difference.

At least, that is how it seems to me. Can anyone provide an argument that this view is wrong?

- Bob

At 07:08 PM 11/29/2007, Coderre, Mark wrote:

The model I am thinking of is two Identity providers, neither of which may have a "store front" for in person proofing. Each IdP has distinctly different manners to validate an individual on-line as they represent different industries with different customer enrollment mechanisms. Since both may be the target of PII theft through collusion/collection of information from BOTNets, etc. they look to each other as a 2nd form of validation. This occurs today when an entity uses a Knowledge Based Authentication service to gain external identity validation. In this case the KBA may not always be required where the two partners share common customers.

This is not necessarily a chicken and egg problem because each site has the option of limiting entitlements when they have solely proofed the individual. Once the individual can provide proof of initial registration from one to the other (and vice versa for that matter), each site can elevate the level of assurance and resulting entitlements as desired, based on their value of the other entity's registration process strength. It also has value where one partner has a storefront for in person proofing (showing a driver license with a picture) and another partner does not have that same luxury.
But perhaps the latter partner has significant personal information such that their online registration requires significant knowledge of the person. These partners may view each other as somewhat equal. The relationship may be even or slightly favored, ending up in a nominal fee.

The last intriguing piece of this to me is that two partners may share common customers, but each may have customers registered the other is not aware of. Proof of identity from a trusted partner may be valuable in 1st touch customer relationships online. If someone comes anonymously as a new customer online to me but a trusted partner has vetted them and perhaps come to prove their email address appears accurate, it does contain potential value.

-Mark Coderre.

From: Bob Pinheiro [mailto:bob at bobpinheiro.com]
Sent: Thursday, November 29, 2007 5:58 PM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4.

When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations. Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party.
If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion. On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2.

I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations.

I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues.
Bob Pinheiro

At 01:33 PM 11/29/2007, Coderre, Mark wrote:

I am interested in the group's thoughts around combating registration fraud by leveraging partnered certified credentialing authorities to raise the assurance level of provisioned accounts. What may be a level 1 to me (alone) could become level 2 with validation from a ca that has a more authoritative reference. The same could be true of identities I can validate very strongly but others may not. I am interested in this within the healthcare industry (pharmacies especially) as well as financial since there are health/wealth synergies in the consumer product space.

Mark Coderre
Security Architecture Lead
AIS Enterprise Architecture
860-636-2440

This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna

_______________________________________________
Sig-ia mailing list
Sig-ia at lists.projectliberty.org
http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/ea50cb1d/attachment.html

From Sreeram.Thirukkonda at FMR.COM Fri Nov 30 11:12:05 2007
From: Sreeram.Thirukkonda at FMR.COM (Thirukkonda, Sreeram)
Date: Fri, 30 Nov 2007 14:12:05 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net> <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>
Message-ID: <1FBD0171C3440F4D88AE274DCA9931EB0364BD97@MSGMROCLN2WIN.DMN1.FMR.COM>

Mark,

What you describe below in the healthcare context is very close to the intent for Foundational Scenario 2. In your use case, would the Level 1 authenticator also be responsible for the binding of the individual to the second factor / Level 2 credential as well as the associated liabilities? Or do you see this as more of a function of the validation agent? If it helps, I would be happy to discuss this use case as well as provide an mrd overview in a future sig-ia call.

Sreeram

_____
From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of Popowycz, Alex
Sent: Friday, November 30, 2007 8:40 AM
To: Bob Pinheiro; Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

My read on the originating message was a bit different. To me the question revolved around compound authentication (a scenario described in detail within the Strong Authentication Expert Group and now in the Strong Authentication MRD developed within BMEG).
In one scenario you rely on the authentication of an identity provider and combine that with the results of an authentication of a second identity provider (which could be the originating relying party), in effect creating a federated/distributed multi-factor authentication. I oversimplified this from an additive authentication perspective because the underlying provisioning mechanisms may result in an answer that is a mathematically nonsensical but logically relevant equation of 1+1=1.5. I would suggest reviewing the current strong auth mrd and look at foundational scenario 2 (the version I was looking at would have it as section 3.2).

Alex

_______________________________________________
Sig-ia mailing list
Sig-ia at lists.projectliberty.org
http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/3c8dbab8/attachment-0001.html
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 21903 bytes
Desc: Outlook.jpg
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/3c8dbab8/attachment-0001.jpe

From CoderreM at aetna.com Fri Nov 30 13:38:04 2007
From: CoderreM at aetna.com (Coderre, Mark)
Date: Fri, 30 Nov 2007 16:38:04 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>
References: <7B03492D640C0745B22C6DBF3A4042340646FF73@MDDP-EXCH-003.aeth.aetna.com> <0JSA00BOFI6IS971@vms173001.mailsrvcs.net> <5564F7E2BF2B5B43A8407F0060044EC8045202E9@MSGMROCLR2WIN.DMN1.FMR.COM>
Message-ID: <7B03492D640C0745B22C6DBF3A4042340647022F@MDDP-EXCH-003.aeth.aetna.com>

Yes, this is exactly what I'm looking for. I agree that in that context 1+1=1.5... what is the URL to that doc?

________________________________
From: Popowycz, Alex [mailto:Alex.Popowycz at fmr.com]
Sent: Friday, November 30, 2007 8:40 AM
To: Bob Pinheiro; Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: RE: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

My read on the originating message was a bit different. To me the question revolved around compound authentication (a scenario described in detail within the Strong Authentication Expert Group and now in the Strong Authentication MRD developed within BMEG). In one scenario you rely on the authentication of an identity provider and combine that with the results of an authentication of a second identity provider (which could be the originating relying party), in effect creating a federated/distributed multi-factor authentication. I oversimplified this from an additive authentication perspective because the underlying provisioning mechanisms may result in an answer that is a mathematically nonsensical but logically relevant equation of 1+1=1.5. I would suggest reviewing the current strong auth mrd and look at foundational scenario 2 (the version I was looking at would have it as section 3.2).

Alex

_______________________________________________
Sig-ia mailing list
Sig-ia at lists.projectliberty.org
http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/3b46d733/attachment-0001.html
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 21903 bytes
Desc: Outlook.jpg
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/3b46d733/attachment-0001.jpe

From dan.combs at globalidentitysolutions.com Fri Nov 30 14:19:42 2007
From: dan.combs at globalidentitysolutions.com (Dan Combs)
Date: Fri, 30 Nov 2007 17:19:42 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To:
References: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl>
Message-ID: <00b901c8339f$1b0aac00$6c01a8c0@daniel2kumquat>

Mark's question is a good one. It encapsulates ideas and discussions occurring elsewhere and may well perch on the line between Identity 1.0 and Identity 2.0. I do not know whether these ideas have been included in current policy and practice under Liberty Alliance or discussions but if not it may be worthwhile to open this for consideration.

Mark, forgive me if I misunderstand what scheme of levels you are using. In this comment I am referencing the Federal Government scheme described in NIST 800-63 where level 1 has no identity verification. One change I would suggest is to center the discussion on level 2 and higher.
One can imagine identity functions following other trends in web development with Identity 2.0 including Identity Oriented Architecture, Identity As A Service, Identity Mashups, reputational identity and other variations all providing value to consumers of identity functions. It seems likely that relying parties do and will desire a much richer context and content in order to customize their own operations to mitigate risk, control costs, meet particular needs and other reasonable aspirations of system owners and operators such as Mark has hinted at in his email. It seems as if the email conversation highlights this desire and numerous conversations in various E-Authentication and other meetings anticipated this. I, as a relying party, am not likely in the future to be content to know simply that someone provides a credential meeting the requirements of a particular level. I want more detail. Which documents were checked, when, where, how, were they verified with the source, etc. What is it that a credential or identity services provider claims to be doing and is there certification or other reason for me to believe that they are doing it? I can then make informed choices about using the information or services available. Even though few seem willing to publish or release detailed research of information as of yet, what seems to be working to reduce fraud and other identity related crimes and mischief is to change approaches and concepts of the various identity components: Identity verification performed periodically and perpetually rather than just as an entrance gateway process, user pattern development and monitoring, checking of individual attributes for inappropriate sharing or repeated use, feedback loops for users to involve them in preventing fraud and abuse. 
There is substantial value in being able to gaze across an array of systems or lots of interactions and transactions to see patterns of behavior, multiple registrations involving end-user attributes, or even to share information about discovery of fraud and abuse. It seems likely that In order to meet service and security requirements relying parties will act as good consumers and migrate to sources of identity services and information that provide better value which may include a much richer, more adaptable and flexible approach to identity functions and the related risks and threats. Best regards, Dan Dan Combs Director, National Emergency Preparedness Coordinating Council www.nationalepcc.org Board Member, EC3 (NECCC) www.ec3.org Program Director, MIT Real ID Forum MIT Real ID Forum Real-ID-NPRM Member, Harvard Policy Group Dan.combs at nationalepcc.org 202-558-6910 515-238-8428 mobile Skype: dan combs Thanks for making the Atlanta Regional Conference a success Information and Registration for the EC3/NEPCC Emergency Governance workgroup _____ From: judith.spencer at gsa.gov [mailto:judith.spencer at gsa.gov] Sent: Friday, November 30, 2007 11:12 AM To: altermap at mail.nih.gov Cc: Coderre, Mark; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION Please don't forget NIST Special Publication 800-63 when looking at what the Feds do, and of course our foundational OMB Memorandum M-04-04. 
_______________________________ Judith Spencer Chair, Federal Identity Credentialing Committee 202-208-6576 Vision without Action is a Daydream Action without Vision is a Nightmare - Japanese Proverb "Alterman, Peter (NIH/CIT) [E]" Sent by: sig-ia-bounces at lists.projectliberty.org 11/30/2007 11:03 AM To "Bob Pinheiro" , "Coderre, Mark" , sig-ia at lists.projectliberty.org cc Subject Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION Bob, the levels are determined by a combination of buckets, of which ID proofing is one; the resistance to hacking of the technology is another and the trustworthiness/security of management of the whole megillah is the third. So, really, what you want to say is that if IdP X and IdP Y both do ID proofing comparably, the outputs into the overall assessments will be comparable. What you're point up is the need to have an ID proofing standard. We have FIPS 201 for high assurance, of course. We (Uncle) also have language for assertion-based credential levels in the E-Authentication Credential Assessment Framework. Might be helpful to use that as a starting point for the Liberty version. Brother Temoshok can add more. vr, Peter ---------------------------- Peter Alterman, Ph.D. Asst. CIO, E-Authentication, NIH and Chair, Federal PKI Policy Authority Cell: 301-252-8846 _____ From: Bob Pinheiro Sent: Fri 11/30/2007 10:47 AM To: Coderre, Mark; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION So let's say there are two identity providers. The first IdP proofs a person's identity at Assurance Level 1, say. According to the Identity Assurance Framework, there are several possibilities for how that could be done. The person could present two utility statements, for instance. 
I think you are suggesting that, in order to act as a sanity check on the identity proofing process, the first IdP decides to rely on an identity assertion received from a second IdP. But if the second IdP also proofs the person's identity at Assurance Level 1, the proofing process is (in theory) exactly equivalent to the proofing done by the first IdP, even if different documentation is used. For instance, instead of using two utility statements, the second IdP might use one signed bank or credit card, which is allowable under the Identity Assurance Framework. So the first IdP might be tempted to say, well, I've proofed this person using two utility statements. And now I can see that this second IdP has proofed this person using a signed bank card. So now I feel even more confident in the person's identity. While there seems to be some logic to this, I don't think it's necessarily true that the first IdP would know the proofing documentation used by the second IdP. The first IdP would only know that the second IdP performed an identity proofing that was completely equivalent to the one done by the first IdP. If the first IdP feels it needs more assurance of the person's identity than is provided by two utility bills, I don't think it is justifiable to rely on another identity assertion from a second IdP, at the same Assurance Level. In fact, if the first IdP lacks confidence that two utility bills is sufficient to establish identity, that IdP really needs to perform an identity proofing at a higher Assurance Level. Or, that IdP could rely on an identity assertion from a second IdP at a higher Assurance Level. In general, I don't think that a relying party that receives identity assertions from 10 separate IdPs, each at Assurance Level 1 for instance, can conclude that the combined Assurance Level provided by all 10 taken together is greater than Assurance Level 1. The same two utility bills may have been used for identity proofing at each of the 10 IdPs. 
And even if different documentation was provided at the different IdPs, by definition they each provide an equivalent level of assurance of the person's identity. So 10 identity assertions at the same Assurance Level do not somehow combine to yield an overall higher Assurance Level. But if one of those 10 IdPs were sending an identity assertion at Assurance Level 3, say, then the relying party could be confident of the claimed identity at Assurance Level 3. The other 9 assertions at Assurance Level 1 would not seem to make any difference. At least, that is how it seems to me. Can anyone provide an argument that this view is wrong? - Bob At 07:08 PM 11/29/2007, Coderre, Mark wrote: The model I am thinking of is two Identity providers , neither of which may have a "store front" for in person proofing. Each IdP has distinctly different manners to validate an individual on-line as they represent different industries with different customer enrollment mechanisms. Since both may be the target of PII theft through collusion/collection of information from BOTNets, etc. they look to each other as a 2nd form of validation. This occurs today when an entity uses a Knowledge Based Authentication service to gain external identity validation. In this case the KBA may not always be required where the two partners share common customers. This is not necessarily a chicken and egg problem because each site has the option of limiting entitlements when they have solely proofed the individual. Once the individual can provide proof of initial registration from one to the other (and visa versa for that matter) , each site can elevate the level of assurance and resulting entitlements as desired....based on their value of the other entities registration process strength. It also has value where one partner has a storefront for in person proofing (showing a driver license with a picture) and another partner does not have that same luxury. 
But perhaps the latter partner has significant personal information such that their online registration requires significant knowledge of the person. These partners may view each other as somewhat equal. The relationship may be even or slightly favored, ending up in a nominal fee.

The last intriguing piece of this to me is that two partners may share common customers, but each may have customers registered the other is not aware of. Proof of identity from a trusted partner may be valuable in 1st touch customer relationships online. If someone comes anonymously as a new customer online to me but a trusted partner has vetted them and perhaps come to prove their email address appears accurate, it does contain potential value.

-Mark Coderre.

_____

From: Bob Pinheiro [mailto:bob at bobpinheiro.com]
Sent: Thursday, November 29, 2007 5:58 PM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4.

When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations. Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party.
If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion.

On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2.

I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations.

I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues.
Bob Pinheiro
From CoderreM at aetna.com Fri Nov 30 15:14:11 2007
From: CoderreM at aetna.com (Coderre, Mark)
Date: Fri, 30 Nov 2007 18:14:11 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <00b901c8339f$1b0aac00$6c01a8c0@daniel2kumquat>
References: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl> <00b901c8339f$1b0aac00$6c01a8c0@daniel2kumquat>
Message-ID: <7B03492D640C0745B22C6DBF3A40423406470259@MDDP-EXCH-003.aeth.aetna.com>

I have my eye on the NIST 800-63 too... yes, the discussion should be level 2 and higher. The thought that IdPs may express the "how" the level was achieved electronically is interesting. I would have thought that would have been in the due diligence of the legal agreements. Web 2.0 with secure interchange is a use case I hope to stay "in front of".

As a newcomer to the group - where is the artifact reference library for this sig?

________________________________

From: Dan Combs [mailto:dan.combs at globalidentitysolutions.com]
Sent: Friday, November 30, 2007 5:20 PM
To: Coderre, Mark; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org
Subject: RE: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Mark's question is a good one. It encapsulates ideas and discussions occurring elsewhere and may well perch on the line between Identity 1.0 and Identity 2.0. I do not know whether these ideas have been included in current policy and practice under Liberty Alliance or discussions, but if not it may be worthwhile to open this for consideration.

Mark, forgive me if I misunderstand what scheme of levels you are using.
In this comment I am referencing the Federal Government scheme described in NIST 800-63, where level 1 has no identity verification. One change I would suggest is to center the discussion on level 2 and higher.

One can imagine identity functions following other trends in web development with Identity 2.0, including Identity Oriented Architecture, Identity As A Service, Identity Mashups, reputational identity and other variations, all providing value to consumers of identity functions. It seems likely that relying parties do and will desire a much richer context and content in order to customize their own operations to mitigate risk, control costs, meet particular needs and other reasonable aspirations of system owners and operators, such as Mark has hinted at in his email. It seems as if the email conversation highlights this desire, and numerous conversations in various E-Authentication and other meetings anticipated this.

I, as a relying party, am not likely in the future to be content to know simply that someone provides a credential meeting the requirements of a particular level. I want more detail. Which documents were checked, when, where, how, were they verified with the source, etc. What is it that a credential or identity services provider claims to be doing, and is there certification or other reason for me to believe that they are doing it? I can then make informed choices about using the information or services available.
Even though few seem willing to publish or release detailed research or information as of yet, what seems to be working to reduce fraud and other identity related crimes and mischief is to change approaches and concepts of the various identity components: identity verification performed periodically and perpetually rather than just as an entrance gateway process, user pattern development and monitoring, checking of individual attributes for inappropriate sharing or repeated use, feedback loops for users to involve them in preventing fraud and abuse. There is substantial value in being able to gaze across an array of systems or lots of interactions and transactions to see patterns of behavior, multiple registrations involving end-user attributes, or even to share information about discovery of fraud and abuse.

It seems likely that in order to meet service and security requirements relying parties will act as good consumers and migrate to sources of identity services and information that provide better value, which may include a much richer, more adaptable and flexible approach to identity functions and the related risks and threats.
Best regards,

Dan

Dan Combs
Director, National Emergency Preparedness Coordinating Council
www.nationalepcc.org
Board Member, EC3 (NECCC)
www.ec3.org
Program Director, MIT Real ID Forum
Real-ID-NPRM
Member, Harvard Policy Group
Dan.combs at nationalepcc.org
202-558-6910
515-238-8428 mobile
Skype: dan combs
Thanks for making the Atlanta Regional Conference a success
Information and Registration for the EC3/NEPCC Emergency Governance workgroup

________________________________

From: judith.spencer at gsa.gov [mailto:judith.spencer at gsa.gov]
Sent: Friday, November 30, 2007 11:12 AM
To: altermap at mail.nih.gov
Cc: Coderre, Mark; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Please don't forget NIST Special Publication 800-63 when looking at what the Feds do, and of course our foundational OMB Memorandum M-04-04.

_______________________________
Judith Spencer
Chair, Federal Identity Credentialing Committee
202-208-6576
Vision without Action is a Daydream
Action without Vision is a Nightmare
- Japanese Proverb

"Alterman, Peter (NIH/CIT) [E]"
Sent by: sig-ia-bounces at lists.projectliberty.org
11/30/2007 11:03 AM
To: "Bob Pinheiro", "Coderre, Mark", sig-ia at lists.projectliberty.org
cc:
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Bob, the levels are determined by a combination of buckets, of which ID proofing is one; the resistance to hacking of the technology is another; and the trustworthiness/security of management of the whole megillah is the third. So, really, what you want to say is that if IdP X and IdP Y both do ID proofing comparably, the outputs into the overall assessments will be comparable. What you're pointing up is the need to have an ID proofing standard. We have FIPS 201 for high assurance, of course.
We (Uncle) also have language for assertion-based credential levels in the E-Authentication Credential Assessment Framework. Might be helpful to use that as a starting point for the Liberty version. Brother Temoshok can add more.

vr, Peter

----------------------------
Peter Alterman, Ph.D.
Asst. CIO, E-Authentication, NIH
and Chair, Federal PKI Policy Authority
Cell: 301-252-8846

________________________________

From: Bob Pinheiro
Sent: Fri 11/30/2007 10:47 AM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

So let's say there are two identity providers. The first IdP proofs a person's identity at Assurance Level 1, say. According to the Identity Assurance Framework, there are several possibilities for how that could be done. The person could present two utility statements, for instance.
From joni at ieee-isto.org Fri Nov 30 15:48:42 2007
From: joni at ieee-isto.org (joni at ieee-isto.org)
Date: Fri, 30 Nov 2007 15:48:42 -0800
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
In-Reply-To: <7B03492D640C0745B22C6DBF3A4042340647022F@MDDP-EXCH-003.aeth.aetna.com>
Message-ID:

Hello Mark,

One point of clarification - Unfortunately, the Strong Authentication MRD document Alex is referencing is currently in Liberty Member Only review. The intent is to release the document publicly, but this initial draft has not yet been approved for release to the public. I am not able to commit to the release schedule of the document, but I believe it will be in early Q1 2008. As soon as the document is released we will be sure to notify this group.
Liberty members who are also in the IA SIG can find the document on the members site homepage under "all participant review", file name Strong_Auth_mrd_v0.7.doc

Cheers,

Joni Brennan
IEEE-ISTO
Liberty Alliance Project Operations Manager
voice: +1 732-226-4223
email: joni at projectliberty.org

"Coderre, Mark"
Sent by: sig-ia-bounces at lists.projectliberty.org
11/30/2007 01:38 PM
To: "Popowycz, Alex", "Bob Pinheiro"
cc:
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Yes, this is exactly what I'm looking for. I agree that in that context 1+1=1.5... what is the URL to that doc?

From: Popowycz, Alex [mailto:Alex.Popowycz at fmr.com]
Sent: Friday, November 30, 2007 8:40 AM
To: Bob Pinheiro; Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: RE: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

My read on the originating message was a bit different. To me the question revolved around compound authentication (a scenario described in detail within the Strong Authentication Expert Group and now in the Strong Authentication MRD developed within BMEG). In one scenario you rely on the authentication of an identity provider and combine that with the results of an authentication of a second identity provider (which could be the originating relying party), in effect creating a federated/distributed multi-factor authentication. I oversimplified this from an additive authentication perspective because the underlying provisioning mechanisms may result in an answer that is a mathematically nonsensical but logically relevant equation of 1+1=1.5.

I would suggest reviewing the current strong auth MRD and looking at foundational scenario 2 (the version I was looking at would have it as section 3.2).
(Embedded image moved to file: pic24065.jpg) Alex From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of Bob Pinheiro Sent: Thursday, November 29, 2007 5:58 PM To: Coderre, Mark; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4. When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations. Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party. If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion. On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. 
If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2. I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations. I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues. Bob Pinheiro At 01:33 PM 11/29/2007, Coderre, Mark wrote: Content-class: urn:content-classes:message Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C832B6.47AC42A5" I am interested in the group's thoughts around combating registration fraud by leveraging partnered certified credentialing authorities to raise the assurance level of provisioned accounts. What may be a level 1 to me (alone) could become level 2 with validation from a ca that has a more authoritative reference. The same could be true of identities I can validate very strongly but others may not. I am interested in this within the healthcare industry (pharmacies especially) as well as financial since there are health/wealth synergies in the consumer product space. 
Mark Coderre Security Architecture Lead AIS Enterprise Architecture 860-636-2440 This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna _______________________________________________ Sig-ia mailing list Sig-ia at lists.projectliberty.org http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org _______________________________________________ Sig-ia mailing list Sig-ia at lists.projectliberty.org http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org -------------- next part -------------- A non-text attachment was scrubbed... Name: pic24065.jpg Type: image/jpeg Size: 21903 bytes Desc: not available Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20071130/6506c7a7/attachment-0001.jpg From altermap at mail.nih.gov Fri Nov 30 21:04:01 2007 From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E]) Date: Sat, 1 Dec 2007 00:04:01 -0500 Subject: [Sig-ia] Interest in Identity Assurance as it pertains toMulti-factor REGISTRATION References: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl><00b901c8339f$1b0aac00$6c01a8c0@daniel2kumquat> <7B03492D640C0745B22C6DBF3A40423406470259@MDDP-EXCH-003.aeth.aetna.com> Message-ID: <8C40DAAF38B0A84C9312702FA41930EA0443026F@NIHCESMLBX3.nih.gov> I don't believe in fractal LOA :-) ---------------------------- Peter Alterman, Ph.D. Asst. 
CIO, E-Authentication, NIH and Chair, Federal PKI Policy Authority Cell: 301-252-8846 ________________________________ From: Coderre, Mark [mailto:CoderreM at aetna.com] Sent: Fri 11/30/2007 6:14 PM To: Dan Combs; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains toMulti-factor REGISTRATION I have my eye on the NIST 800-63 too....yes the discussion should be level 2 and higher. The thought that IdPs may express the "how" the level was achieved electronically is interesting. I would have thought that would have been in the due dilligence of the legal agreements. Web 2.0 with secure interchange is a use case I hope to stay "in front of". As a newcomer to the group - where is the artifact reference library for this sig? ________________________________ From: Dan Combs [mailto:dan.combs at globalidentitysolutions.com] Sent: Friday, November 30, 2007 5:20 PM To: Coderre, Mark; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org Subject: RE: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION Mark's question is a good one. It encapsulates ideas and discussions occurring elsewhere and may well perch on the line between Identity 1.0 and Identity 2.0. I do not know whether these ideas have been included in current policy and practice under Liberty Alliance or discussions but if not it may be worthwhile to open this for consideration. Mark, forgive me if I misunderstand what scheme of levels you are using. In this comment I am referencing the Federal Government scheme described in NIST 800-63 where level 1 has no identity verification. One change I would suggest is to center the discussion on level 2 and higher. 
One can imagine identity functions following other trends in web development with Identity 2.0 including Identity Oriented Architecture, Identity As A Service, Identity Mashups, reputational identity and other variations all providing value to consumers of identity functions. It seems likely that relying parties do and will desire a much richer context and content in order to customize their own operations to mitigate risk, control costs, meet particular needs and other reasonable aspirations of system owners and operators such as Mark has hinted at in his email. It seems as if the email conversation highlights this desire and numerous conversations in various E-Authentication and other meetings anticipated this.

I, as a relying party, am not likely in the future to be content to know simply that someone provides a credential meeting the requirements of a particular level. I want more detail. Which documents were checked, when, where, how, were they verified with the source, etc. What is it that a credential or identity services provider claims to be doing and is there certification or other reason for me to believe that they are doing it? I can then make informed choices about using the information or services available.

Even though few seem willing to publish or release detailed research of information as of yet, what seems to be working to reduce fraud and other identity related crimes and mischief is to change approaches and concepts of the various identity components: identity verification performed periodically and perpetually rather than just as an entrance gateway process, user pattern development and monitoring, checking of individual attributes for inappropriate sharing or repeated use, feedback loops for users to involve them in preventing fraud and abuse.
There is substantial value in being able to gaze across an array of systems or lots of interactions and transactions to see patterns of behavior, multiple registrations involving end-user attributes, or even to share information about discovery of fraud and abuse. It seems likely that in order to meet service and security requirements relying parties will act as good consumers and migrate to sources of identity services and information that provide better value which may include a much richer, more adaptable and flexible approach to identity functions and the related risks and threats.

Best regards,
Dan

Dan Combs
Director, National Emergency Preparedness Coordinating Council www.nationalepcc.org
Board Member, EC3 (NECCC) www.ec3.org
Program Director, MIT Real ID Forum
Member, Harvard Policy Group
Dan.combs at nationalepcc.org
202-558-6910
515-238-8428 mobile
Skype: dan combs
Thanks for making the Atlanta Regional Conference a success
Information and Registration for the EC3/NEPCC Emergency Governance workgroup

________________________________
From: judith.spencer at gsa.gov [mailto:judith.spencer at gsa.gov]
Sent: Friday, November 30, 2007 11:12 AM
To: altermap at mail.nih.gov
Cc: Coderre, Mark; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Please don't forget NIST Special Publication 800-63 when looking at what the Feds do, and of course our foundational OMB Memorandum M-04-04.
_______________________________
Judith Spencer
Chair, Federal Identity Credentialing Committee
202-208-6576
Vision without Action is a Daydream
Action without Vision is a Nightmare
- Japanese Proverb

"Alterman, Peter (NIH/CIT) [E]"
Sent by: sig-ia-bounces at lists.projectliberty.org
11/30/2007 11:03 AM
To: "Bob Pinheiro", "Coderre, Mark", sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

Bob, the levels are determined by a combination of buckets, of which ID proofing is one; the resistance to hacking of the technology is another and the trustworthiness/security of management of the whole megillah is the third. So, really, what you want to say is that if IdP X and IdP Y both do ID proofing comparably, the outputs into the overall assessments will be comparable. What you're pointing up is the need to have an ID proofing standard. We have FIPS 201 for high assurance, of course. We (Uncle) also have language for assertion-based credential levels in the E-Authentication Credential Assessment Framework. Might be helpful to use that as a starting point for the Liberty version. Brother Temoshok can add more.

vr, Peter
----------------------------
Peter Alterman, Ph.D.
Asst. CIO, E-Authentication, NIH
and Chair, Federal PKI Policy Authority
Cell: 301-252-8846

________________________________
From: Bob Pinheiro
Sent: Fri 11/30/2007 10:47 AM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

So let's say there are two identity providers. The first IdP proofs a person's identity at Assurance Level 1, say. According to the Identity Assurance Framework, there are several possibilities for how that could be done. The person could present two utility statements, for instance.
I think you are suggesting that, in order to act as a sanity check on the identity proofing process, the first IdP decides to rely on an identity assertion received from a second IdP. But if the second IdP also proofs the person's identity at Assurance Level 1, the proofing process is (in theory) exactly equivalent to the proofing done by the first IdP, even if different documentation is used. For instance, instead of using two utility statements, the second IdP might use one signed bank or credit card, which is allowable under the Identity Assurance Framework.

So the first IdP might be tempted to say, well, I've proofed this person using two utility statements. And now I can see that this second IdP has proofed this person using a signed bank card. So now I feel even more confident in the person's identity. While there seems to be some logic to this, I don't think it's necessarily true that the first IdP would know the proofing documentation used by the second IdP. The first IdP would only know that the second IdP performed an identity proofing that was completely equivalent to the one done by the first IdP.

If the first IdP feels it needs more assurance of the person's identity than is provided by two utility bills, I don't think it is justifiable to rely on another identity assertion from a second IdP, at the same Assurance Level. In fact, if the first IdP lacks confidence that two utility bills are sufficient to establish identity, that IdP really needs to perform an identity proofing at a higher Assurance Level. Or, that IdP could rely on an identity assertion from a second IdP at a higher Assurance Level.

In general, I don't think that a relying party that receives identity assertions from 10 separate IdPs, each at Assurance Level 1 for instance, can conclude that the combined Assurance Level provided by all 10 taken together is greater than Assurance Level 1. The same two utility bills may have been used for identity proofing at each of the 10 IdPs.
And even if different documentation was provided at the different IdPs, by definition they each provide an equivalent level of assurance of the person's identity. So 10 identity assertions at the same Assurance Level do not somehow combine to yield an overall higher Assurance Level. But if one of those 10 IdPs were sending an identity assertion at Assurance Level 3, say, then the relying party could be confident of the claimed identity at Assurance Level 3. The other 9 assertions at Assurance Level 1 would not seem to make any difference.

At least, that is how it seems to me. Can anyone provide an argument that this view is wrong?

- Bob

At 07:08 PM 11/29/2007, Coderre, Mark wrote:

The model I am thinking of is two Identity providers, neither of which may have a "store front" for in person proofing. Each IdP has distinctly different manners to validate an individual on-line as they represent different industries with different customer enrollment mechanisms. Since both may be the target of PII theft through collusion/collection of information from BOTNets, etc., they look to each other as a 2nd form of validation. This occurs today when an entity uses a Knowledge Based Authentication service to gain external identity validation. In this case the KBA may not always be required where the two partners share common customers.

This is not necessarily a chicken and egg problem because each site has the option of limiting entitlements when they have solely proofed the individual. Once the individual can provide proof of initial registration from one to the other (and vice versa for that matter), each site can elevate the level of assurance and resulting entitlements as desired....based on their value of the other entities registration process strength.

It also has value where one partner has a storefront for in person proofing (showing a driver license with a picture) and another partner does not have that same luxury.
But perhaps the latter partner has significant personal information such that their online registration requires significant knowledge of the person. These partners may view each other as somewhat equal. The relationship may be even or slightly favored ending up in a nominal fee.

The last intriguing piece of this to me is that two partners may share common customers, but each may have customers registered the other is not aware of. Proof of identity from a trusted partner may be valuable in 1st touch customer relationships online. If someone comes anonymously as a new customer online to me but a trusted partner has vetted them and perhaps come to prove their email address appears accurate, it does contain potential value.

-Mark Coderre.

________________________________
From: Bob Pinheiro [mailto:bob at bobpinheiro.com]
Sent: Thursday, November 29, 2007 5:58 PM
To: Coderre, Mark; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION

I'm not sure I understand your question completely, but I think the basic idea is that you, as a relying party, would first need to decide whether you trust identity assertions received from identity providers that you can verify as being accredited by the Liberty IAF. Secondly, you would need to decide how much assurance you require of the identity assertion received. So if you need to be very certain of the identity claim you are trying to authenticate, you may only choose to trust an identity assertion if you can verify that the accredited identity provider has issued the assertion at Assurance Level 3 or 4.

When you say that you only have level 1 assurance of an identity assertion, to me that might indicate two possible situations.
Depending on how the business rules are defined between relying parties and identity providers, it may or may not be true that identity providers expect to receive some compensation for providing an identity assertion to a relying party. If so, it's likely that an assertion at level 4 would be worth more than an assertion at level 1. So maybe you have agreed only to pay for level 1 assertions, but not level 2 or higher assertions. In that case, the identity provider may issue a level 1 identity assertion to you, but not a level 2 or higher assertion.

On the other hand, even if you are willing to pay for assertions at a higher assurance level, the identity provider may only be operating at level 1. If you need level 2 assurance for a particular identity assertion, and are willing to pay a higher price, you would then have to find another identity provider who can authenticate the claimed identity and provide an assertion at level 2.

I don't think many scenarios that address the possible business arrangements between relying parties and identity providers have been worked out. But I would expect that a relying party would *not* need a specific business arrangement with each Liberty accredited identity provider if both are members of some (possibly different) federation(s). Seems like the relying party and the identity provider would need an agreement with the federation each is part of. If they are members of different federations, there would be inter-federation agreements that would govern payments and other trust arrangements between federations. I'm assuming here that the basic business model for IAF is that identity providers would derive some revenue from relying parties for providing identity assertions. I don't know any of this for sure, or if there are other models, but this seems like a rational approach. Maybe others might have a better understanding of these business issues.

Bob Pinheiro

At 01:33 PM 11/29/2007, Coderre, Mark wrote:

I am interested in the group's thoughts around combating registration fraud by leveraging partnered certified credentialing authorities to raise the assurance level of provisioned accounts. What may be a level 1 to me (alone) could become level 2 with validation from a ca that has a more authoritative reference. The same could be true of identities I can validate very strongly but others may not. I am interested in this within the healthcare industry (pharmacies especially) as well as financial since there are health/wealth synergies in the consumer product space.

Mark Coderre
Security Architecture Lead
AIS Enterprise Architecture
860-636-2440
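The three rules argued in the thread above (Peter's point that an IdP's level is bounded by its weakest bucket, Bob's point that several same-level assertions do not add up to a higher level, and Mark's idea of gating entitlements on the level actually achieved), as an added worked model that is not code from any poster, from the Liberty IAF or from NIST SP 800-63; the IdP names, bucket scores and entitlement policy are constructed for illustration.

```python
"""Toy model of the assurance-level reasoning in this thread.

Added example, not code from the Liberty IAF, NIST SP 800-63 or any
poster. Level numbers follow the four-level scheme the thread refers to
(1 = lowest, 4 = highest); IdP names, bucket scores and the entitlement
policy are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

LEVELS = (1, 2, 3, 4)


@dataclass(frozen=True)
class IdPAssessment:
    """Peter's three buckets. An IdP's overall level is bounded by its weakest bucket."""
    name: str
    proofing: int        # identity-proofing quality
    credential: int      # credential technology assurance (resistance to attack)
    management: int      # system management security and reliability
    accredited: bool     # accreditation the relying party can actually verify

    def level(self) -> int:
        return min(self.proofing, self.credential, self.management)


@dataclass(frozen=True)
class Assertion:
    idp: IdPAssessment
    claimed_level: int   # the level the IdP stamps on its assertion


def effective_level(assertions: Iterable[Assertion]) -> int:
    """Bob's rule: several assertions give the relying party the best single
    trusted level, never a sum. Returns 0 when no assertion is usable."""
    best = 0
    for a in assertions:
        if not a.idp.accredited:
            continue      # accreditation cannot be verified: the assertion carries no assurance
        if a.claimed_level not in LEVELS:
            raise ValueError(f"level {a.claimed_level} is outside {LEVELS}")
        # An IdP cannot credibly assert above what its own assessment supports.
        usable = min(a.claimed_level, a.idp.level())
        best = max(best, usable)
    return best


def entitlements(level: int, policy: Dict[int, FrozenSet[str]]) -> FrozenSet[str]:
    """Mark's gating: grant only what the achieved level permits; a higher
    level inherits everything granted at the lower ones."""
    granted: set[str] = set()
    for required, rights in policy.items():
        if required <= level:
            granted |= rights
    return frozenset(granted)


# Constructed sample parties (not real organisations or assessments).
PHARMACY_IDP = IdPAssessment("pharmacy", proofing=1, credential=2, management=2, accredited=True)
BANK_IDP = IdPAssessment("bank", proofing=3, credential=3, management=3, accredited=True)
UNKNOWN_IDP = IdPAssessment("unknown", proofing=4, credential=4, management=4, accredited=False)

# Constructed entitlement policy: minimum level required for each right.
POLICY: Dict[int, FrozenSet[str]] = {
    1: frozenset({"view_catalog"}),
    2: frozenset({"view_prescriptions"}),
    3: frozenset({"refill_prescription", "change_address"}),
}

if __name__ == "__main__":
    ten_level1 = [Assertion(PHARMACY_IDP, 1)] * 10
    print(effective_level(ten_level1))                                # 1, not 10
    print(effective_level(ten_level1 + [Assertion(BANK_IDP, 3)]))     # 3
    print(effective_level([Assertion(BANK_IDP, 4)]))                  # 3: capped by the bank's buckets
    print(effective_level([Assertion(UNKNOWN_IDP, 4)]))               # 0: accreditation unverifiable
    print(sorted(entitlements(effective_level(ten_level1), POLICY)))  # ['view_catalog']
```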
From altermap at mail.nih.gov Fri Nov 30 21:15:10 2007
From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E])
Date: Sat, 1 Dec 2007 00:15:10 -0500
Subject: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION
References: <79485227-6892-468E-9E7A-0D19E8C8B543@mimectl> <00b901c8339f$1b0aac00$6c01a8c0@daniel2kumquat>
Message-ID: <8C40DAAF38B0A84C9312702FA41930EA04430270@NIHCESMLBX3.nih.gov>

Dan, the whole point of federating is to obviate the need to do all that checking on each IdP. That scales like a concrete block in the middle of the river. If you want to do that kind of diligence on each IdP then you are a silo. And if you're passing up Level 1 (hey, not something I would argue against) then you're focusing your high beams on Level 2 only, cuz I'll stand pretty firm on the Level 3 and 4 requirements as requiring real crypto and real management.

What is important in the context of identity is in the three buckets: identity proofing quality; credential technology assurance; system management security and reliability. I do not believe it's fruitful to reinvent authN; that boat is gone. I think the real play is in two different areas, viz. attribute reliability and authZ integration. Who is authoritative for each attribute an identity asserts and how does one validate the attribute and how - absent the Grids' use of authN tokens for authZ - do we streamline authZ? But I natter.

Have a great weekend.

Peter
----------------------------
Peter Alterman, Ph.D.
Asst. CIO, E-Authentication, NIH
and Chair, Federal PKI Policy Authority
Cell: 301-252-8846

________________________________
From: Dan Combs [mailto:dan.combs at globalidentitysolutions.com]
Sent: Fri 11/30/2007 5:19 PM
To: 'Coderre, Mark'; sig-ia-bounces at lists.projectliberty.org; sig-ia at lists.projectliberty.org
Subject: Re: [Sig-ia] Interest in Identity Assurance as it pertains to Multi-factor REGISTRATION