From bob at bobpinheiro.com Wed Jun 25 22:57:59 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 26 Jun 2008 01:57:59 -0400
Subject: [Sig-ia] Potential Liberty Alliance Deliverables Related to Identity Theft
Message-ID:

On an Identity Theft SIG call earlier this year, we discussed the Liberty Identity Assurance Framework, and especially its potential as an enabler of a large-scale authentication system that could help to prevent identity theft. There was also a suggestion that maybe the Identity Theft SIG (and other groups within Liberty) might have a role in putting together some White Papers that could provide a more complete picture of how a LIAF-enabled authentication system could help to prevent identity theft.

Although the "identity" that is stolen in identity theft could refer to the identity of a business or even a government entity, identity theft is mainly of interest to us and others as it refers to an individual consumer's identity that is misused by imposters to gain various identity-related services. For this reason, the ability of LIAF-enabled authentication systems to prevent identity theft is closely tied to the viability of high assurance identity trust services offered by Identity Providers for use by individual consumers.

Here's a tentative list of possible White Papers and Specifications that address ways in which Liberty products can help to prevent identity theft. We are soliciting your opinion about the usefulness of these potential deliverables, your comments and suggestions for modifications or changes to this list, as well as your interest in acting as a subject matter expert on any of these potential deliverables if there is sufficient interest to proceed.

White Papers

1. White Paper that compares identity proofing methods used by financial institutions, motor vehicle bureaus, and REAL ID, to Liberty IAF identity proofing requirements at the appropriate assurance levels.

2. White Paper describing the concept of a large-scale identity network / authentication system consisting of Liberty-accredited Identity Providers, and Relying Parties who agree to honor credentials/tokens issued by any accredited Identity Provider. This network could enable any Relying Party that is a member to authenticate the identity claim of anyone presenting credentials/tokens (at the appropriate Assurance Level) issued by any Liberty-accredited Identity Provider that is also a member. This identity network / authentication system may result from the inter-federation of different identity federations, so that Relying Parties and Identity Providers belonging to different federations are able to trust each other.

3. White Paper describing possible business models that would make high assurance trust services economically viable for use by consumers. One potential model might require Relying Parties to pay Identity Providers for identity assertions. This could be akin to credit grantors paying consumer credit bureaus for information about a consumer's credit history. Such a model might be viable in the context of allowing Relying Parties to satisfy the recently-issued Red Flag Rules that require credit grantors to have written identity theft prevention programs. Another possible business model might focus on individual consumers themselves paying a fee to an Identity Provider for identity theft protection, similar to what people pay today for credit monitoring services and other identity theft prevention services (based on fraud alerts or credit freezes) that have emerged recently.

4. White Paper describing how an identity network / authentication system can be extended so that identity claims made to Relying Parties on the basis of personally identifiable information can be authenticated, if the personal information is associated with the identity of someone who has been issued credentials/tokens as part of a high assurance trust service from an accredited Identity Provider. This extension would involve a Discovery Service that can discover the appropriate Identity Provider on the basis of personally identifiable information.

   Background: Even if a LIAF-enabled identity network / authentication system were to exist, it is assumed that a person whose identity is to be authenticated needs to present some sort of credentials or tokens to the service provider / relying party. But many cases of identity theft result when stolen personal information is used by an imposter to claim someone else's identity. In that situation, the stolen personal information itself acts as a "credential", and the service provider / relying party has no corresponding token to authenticate the claim of identity. Is there any way that someone who possesses Liberty-accredited credentials/tokens can still be protected against identity theft, if the identity theft occurs by means of stolen personal information?

5. White Paper that explores the usefulness and viability of a range of potential LIAF-enabled high assurance trust services for consumers. As one example, online banking and bill payment services pose high degrees of risk to consumers if unauthorized persons can gain access to these accounts, or are able to drain money from these accounts. Will Relying Parties such as financial institutions and others be willing to accept high assurance credentials for access to these accounts that have been issued by other, Liberty-accredited Identity Providers? Would financial institutions or other business entities be willing to act as Identity Providers for authentication of their consumer customers to other entities? Another example could involve the Identity Providers that issue managed Information Cards. These managed Information Cards, unlike self-issued cards, essentially provide high assurance trust services to Relying Parties on behalf of the "owners" of these Information Cards, many of whom may be individual consumers. The recently formed Information Card Foundation, which is concerned with the use of electronic ID cards on the Internet, is also a new Liberty Alliance member. Might the LIAF play a role in establishing the trust relationships between the Relying Party users of Information Cards, and the Information Providers that issue managed cards?

6. White Paper that discusses the characteristics of authentication tokens most likely to be used in high assurance consumer authentication applications, and compares these characteristics to authentication token requirements defined by NIST 800-63 "Electronic Authentication Guideline", at various assurance levels.

Specifications / Best-Practices

1. Specifications for a Discovery Service that identifies the specific accredited Identity Provider that is able to authenticate an identity claim using credentials/tokens issued by that Identity Provider, on the basis of personally identifiable information presented to the Discovery Service that is associated with the holder of those credentials/tokens. Such a Discovery Service is necessary to prevent identity theft when stolen personal information is used to make claims of identity.

Request for Comments / Call for Participation

We would greatly appreciate your comments on this list of potential White Papers and Specifications. At this time, there is no commitment by Liberty to produce any of these deliverables. We are interested in determining whether there exists sufficient interest among various Liberty interest groups (ID Theft SIG, IA-SIG, IAEG) to consider proceeding with any of these.

Do these seem appropriate and useful for Liberty to produce, given that identity theft is a subject of sufficient importance to Liberty Alliance that it has created an Identity Theft Prevention SIG? Would you suggest any changes, modifications, or deletions to anything on the list? Are there any other potential White Papers that you think might be useful but that weren't included here? If you do not think that Liberty should be pursuing any of this, that is also a useful piece of information.

Would it be useful to schedule an ID Theft SIG call to discuss these potential deliverables further? Would you be interested in acting as a subject matter expert in helping to produce any of these deliverables, provided that someone else does most of the work, with your role mainly confined to providing expertise and guidance?

You can respond by replying back to the list from which you received this (ID Theft SIG, IA-SIG, IAEG). Or if you prefer, you can respond to me directly.

Thanks
Bob Pinheiro, Identity Theft Prevention SIG Chair

---------------------------------------------
Robert Pinheiro Consulting LLC
bob at bobpinheiro.com
(908) 654-1939
www.bobpinheiro.com