From brett at projectliberty.org Sat May 10 05:27:22 2008
From: brett at projectliberty.org (Brett McDowell)
Date: Sat, 10 May 2008 08:27:22 -0400
Subject: [Sig-ia] Fwd: Identity ANALYSIS Final 3.doc
References: <00a801c8b296$7c13a580$0201a8c0@SRSLT>
Message-ID: <2F70026D-6B42-42A9-9E7B-E8DEA9BA47DF@projectliberty.org>

FYI... (this is the final report from the group that is recommending HITSP adopt Liberty's IAF).

Begin forwarded message:

> From: "Johnathan Coleman [SRS]"
> Date: May 10, 2008 8:07:56 AM EDT
> To: HITSP-SEC-PRIV-INFRA-DOM-TC at MAILLIST.ANSI.ORG
> Subject: Re: Identity ANALYSIS Final 3.doc
> Reply-To: "Johnathan Coleman [SRS]"
>
> Dear SPI-TC membership,
> The version of the ICM-WG report sent out previously has been updated.
>
> The attached version (3a) is the version we will be reviewing during the face to face.
>
> Thank you,
> Johnathan
>
> From: Johnathan Coleman [SRS] [mailto:jc at securityrs.com]
> Sent: Friday, May 09, 2008 7:24 PM
> To: 'HITSP-SEC-PRIV-INFRA-DOM-TC at MAILLIST.ANSI.ORG'
> Cc: 'HITSP-ICM-WG at MAILLIST.ANSI.ORG'
> Subject: FW: Identity ANALYSIS Final 3.doc
>
> Greetings SPI-TC membership,
>
> For your review, please find attached the final report from the Identity Credentials Management Work Group (ICM-WG)
>
> The SPI-TC will review the recommendations from this report and seek consensus on their adoption by the Technical Committee.
>
> On behalf of the committee leadership, I would like to thank Mike Davis and Richard Thoreson (WG Cochairs), all of the ICM-WG participants and the invited speakers on an excellent report and job well done.
>
> Johnathan
>
> Johnathan Coleman, CISSP, CISM, CBRP
> Principal, Security Risk Solutions, Inc.
> 698 Fishermans Bnd., Mt. Pleasant, SC 29464
> Tel: (843) 442 9104 Fax: (419) 791 8477
> www.SecurityRiskSolutions.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/fb3ad200/attachment-0002.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Identity ANALYSIS Final 3a.doc
Type: application/msword
Size: 468480 bytes
Desc: not available
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/fb3ad200/attachment-0001.doc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/fb3ad200/attachment-0003.html

From brett at projectliberty.org Sat May 10 07:49:52 2008
From: brett at projectliberty.org (Brett McDowell)
Date: Sat, 10 May 2008 10:49:52 -0400
Subject: [Sig-ia] Fwd: LIAF submission to ITU-T's IdM GSI work
References: <5C71473E-1520-4B6C-A7B9-C72E4F705AD5@projectliberty.org>
Message-ID: <0DDF8E79-7EBC-43B1-9BF9-6263614649F5@projectliberty.org>

FYI... and, who is already planning on joining the IdM GSI meetings next week? If we don't have anyone physically there I've been told we can get someone to call in. We really need someone to call in who can speak to the IAF and take questions. I have conflicts all week at IIW. Any volunteers?

There is some information about this meeting next week here:

http://www.itu.int/ITU-T/gsi/idm/events.asp

Kind Regards,
-- Brett

Begin forwarded message:

> From: Brett McDowell
> Date: May 10, 2008 10:43:54 AM EDT
> To: xiaoya.yang at itu.int, sebek at itu.int
> Cc: Richard Brackney, Frank Villavicencio, Alex Popowycz
> Subject: LIAF submission to ITU-T's IdM GSI work
>
> On behalf of Liberty Alliance, I am pleased to submit our latest public draft of the Liberty Identity Assurance Framework for your consideration. Let me know if you have questions or if there are any additional procedures I must follow for this submission to be accepted.
>
> I have CC-ed the Co-Chairs of the Identity Assurance Expert Group, the group within Liberty Alliance developing this framework and associated accreditation program.
>
> Thank you for your time and consideration,
>
> ---
> Brett McDowell, Executive Director, Liberty Alliance
>
> P.S.
> I have attached the cover sheet in both .doc and .odt formats for your convenience.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0004.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: liberty-identity-assurance-framework-v1.0.pdf
Type: application/pdf
Size: 880413 bytes
Desc: not available
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0001.pdf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0005.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Liberty Draft Contribution_3rd WD_eaa_2.doc
Type: application/octet-stream
Size: 139776 bytes
Desc: not available
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0001.obj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0006.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Liberty Draft Contribution_3rd WD_eaa_2.odt
Type: application/vnd.oasis.opendocument.text
Size: 121104 bytes
Desc: not available
Url : http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0001.bin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/6d87c87f/attachment-0007.html

From bob at bobpinheiro.com Sat May 10 09:02:51 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Sat, 10 May 2008 12:02:51 -0400
Subject: [Sig-ia] [iaeg] Fwd: LIAF submission to ITU-T's IdM GSI work
In-Reply-To: <200805101451.m4AEpDla032288@app7.bivio.biz>
References: <5C71473E-1520-4B6C-A7B9-C72E4F705AD5@projectliberty.org> <200805101451.m4AEpDla032288@app7.bivio.biz>
Message-ID: <0K0N00BP6TYRG8F7@vms046.mailsrvcs.net>

If no one is going to this meeting, and none of the WG chairs can do this, I'll volunteer PROVIDED that I don't have to pay for a call to Geneva.

Bob

---------------------------
Robert Pinheiro Consulting LLC
908-654-1939

At 10:49 AM 5/10/2008, Brett McDowell wrote:

>FYI... and, who is already planning on joining the IdM GSI meetings next week? If we don't have anyone physically there I've been told we can get someone to call in. We really need someone to call in who can speak to the IAF and take questions. I have conflicts all week at IIW. Any volunteers?
>
>There is some information about this meeting next week here:
>
>http://www.itu.int/ITU-T/gsi/idm/events.asp
>
>Kind Regards,
>-- Brett
>
>Begin forwarded message:
>
>>From: Brett McDowell <brett at projectliberty.org>
>>Date: May 10, 2008 10:43:54 AM EDT
>>To: xiaoya.yang at itu.int, sebek at itu.int
>>Cc: Richard Brackney <rcbrack at VERIZON.NET>, Frank Villavicencio <frank.villavicencio at citi.com>, Alex Popowycz <Alex.Popowycz at fmr.com>
>>Subject: LIAF submission to ITU-T's IdM GSI work
>>
>>On behalf of Liberty Alliance, I am pleased to submit our latest public draft of the Liberty Identity Assurance Framework for your consideration. Let me know if you have questions or if there are any additional procedures I must follow for this submission to be accepted.
>>
>>I have CC-ed the Co-Chairs of the Identity Assurance Expert Group, the group within Liberty Alliance developing this framework and associated accreditation program.
>>
>>Thank you for your time and consideration,
>>
>>---
>>Brett McDowell, Executive Director, Liberty Alliance
>>
>>P.S.
>>I have attached the cover sheet in both .doc and .odt formats for your convenience.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080510/a2debb41/attachment.html

From nfaut at kpmg.com Mon May 12 13:09:44 2008
From: nfaut at kpmg.com (Faut, Nathan E)
Date: Mon, 12 May 2008 16:09:44 -0400
Subject: [Sig-ia] LIAF submission to ITU-T's IdM GSI work
Message-ID:

Jonathon, Mike, Richard, Brett, et al.,

I have tried to catch up to you folks for the last few weeks and never seem to catch the meetings - would you confirm the telecon schedule for observers like me? Or send me the URL with the schedule, so I can put that in my meeting reminder?

Also, I glanced at the Identity Analysis v.3a, and totally do not know what "HITSP" is. Can someone point me to a translation?

Thanks,

-Nathan
=-=-=-=-=-=-=-=-
Nathan Faut
Senior Associate, Federal IT Advisory Practice
KPMG LLP
office: 202-533-4471
FAX: 202-403-3126
cell: 301-335-2656

***********************************************************************

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.

***********************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080512/11aae931/attachment.html

From joni at ieee-isto.org Mon May 12 13:24:00 2008
From: joni at ieee-isto.org (Joan Brennan)
Date: Mon, 12 May 2008 13:24:00 -0700
Subject: [Sig-ia] LIAF submission to ITU-T's IdM GSI work
In-Reply-To:
References:
Message-ID: <947ea3330805121324w5ae29987g2aaf6d21841cf642@mail.gmail.com>

Hi Nathan,

HITSP is Healthcare Information Technology Standards Panel

The objective of HITSP is to serve and establish a cooperative partnership between the public and private sectors to achieve a widely accepted and useful set of standards that will enable and support widespread interoperability among healthcare software applications in a Nationwide Health Information Network for the United States.

For More Info...
http://www.ansi.org/standards_activities/standards_boards_panels/hisb/hitsp.aspx?menuid=3

Regarding the SIG-IA calls. I believe the schedule for the conference calls is under development and any call date will be posted on the wiki and sent to the IA SIG list.

http://wiki.projectliberty.org/index.php/IASIG

Thanks,
Joni

2008/5/12 Faut, Nathan E :

> Jonathon, Mike, Richard, Brett, et al.,
>
> I have tried to catch up to you folks for the last few weeks and never seem to catch the meetings - would you confirm the telecon schedule for observers like me? Or send me the URL with the schedule, so I can put that in my meeting reminder?
>
> Also, I glanced at the Identity Analysis v.3a, and totally do not know what "HITSP" is. Can someone point me to a translation?
>
> Thanks,
>
> -Nathan
> =-=-=-=-=-=-=-=-
> Nathan Faut
> Senior Associate, Federal IT Advisory Practice
> KPMG LLP
> office: 202-533-4471
> FAX: 202-403-3126
> cell: 301-335-2656
>
> ***********************************************************************
>
> The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.
>
> ***********************************************************************
>
> _______________________________________________
> Sig-ia mailing list
> Sig-ia at lists.projectliberty.org
>
> http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org

--
Joni Brennan
IEEE-ISTO
Liberty Alliance Project Operations Manager
voice:+1 732-226-4223
email: joni at projectliberty.org
email: joni at ieee-isto.org
AIM: istojonib

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080512/53b243c3/attachment.html

From bob at bobpinheiro.com Tue May 13 10:04:29 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 13 May 2008 13:04:29 -0400
Subject: [Sig-ia] Next ID Theft SIG Call: Wednesday, May 21
Message-ID: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>

Since assuming the chairmanship of the ID Theft SIG last year, it's been my belief that the primary purpose of this SIG should be to support a Liberty strategy or goal for defining best-practices or other specifications that would be applicable directly to preventing identity theft. Although there may be more than one strategy or goal for doing this, I believe the work that Liberty is now doing regarding the Identity Assurance Framework could play an important role.

With that in mind, I presented to the Technology Expert Group last week one possible approach that combines high assurance electronic trust services that could be enabled by the IAF, and provided to consumers, with a Discovery capability enabled by the Liberty Web Services Framework. This could potentially allow, for instance, electronic credentials issued by Liberty-accredited Identity Providers for specific consumer applications (i.e., online banking or other financial services, electronic payment services, access to government services, access to online medical records, etc.) to be leveraged for authentication of anyone claiming the identity of holders of such credentials. FYI, further details of this approach can be found here and here.

While it is tempting to propose that Liberty ought to pursue such an approach if indeed Liberty is going to adopt any strategy or position on identity theft prevention, this assumes that (1) there is business value to potential Identity Providers and Relying Parties in high assurance electronic trust services for consumers, and (2) consumers will choose to use these electronic credentials for such purposes. While we are now witnessing the beginnings of a market for low assurance identity services in the form of OpenID and self-issued Infocards, is there a consumer market for high assurance services? Of course, the government could mandate the use of stronger authentication capabilities for some of these applications, such as occurred in the US for online banking. However, it's not clear that such capabilities would necessarily satisfy the accreditation criteria set forth in the Liberty IAF, or that the providers of such capabilities would be interested in acting as Identity Providers for other purposes.

So I propose we hold the next ID Theft SIG call to discuss the following question: If a Liberty strategy/position on prevention of identity theft depends on the existence of a consumer market for high assurance electronic trust services, is it necessary to understand these market issues in more detail before Liberty adopts any position on identity theft prevention? Or do we take the approach that "if we build it, they will come", and put aside these market issues?

More specifically, it might be interesting for someone to pull together some sort of future discussion or seminar on some of these market issues, to help clarify what a viable strategy might be for Liberty to adopt (should it decide to adopt any strategy at all). For instance, PayPal offers OTP tokens to their users. What has been their experience with user adoption? Is PayPal a potential Identity Provider in the consumer space? What about the banks and financial services companies that must provide stronger authentication for online access to their services? Who are other potential Identity Providers in the consumer space? These are just a few possible ideas.

It's also been suggested that further discussions related to Identity Theft take place in some other group, such as the Identity Assurance Expert Group, the Public Policy Expert Group, or the Identity Assurance SIG. That might make sense if identity theft efforts revolve around identity assurance. On the other hand, these groups may be more focused on the technical and operational issues involving identity assurance. In addition, there may be other identity theft topics that people may want to raise that don't concern identity assurance. Any thoughts on this? In my view, it would make sense to maintain the Identity Theft SIG, provided we can focus it on specific topics that would help to support a Liberty strategy on identity theft, and that there is sufficient interest among people to contribute their thoughts.

I am distributing this announcement to the IAEG, as well as the IA-SIG. If anyone interested in these topics can't attend next week's call, please Reply All and post your thoughts and comments to the list(s). Also, if there are other identity theft prevention strategies or approaches that anyone believes Liberty ought to pursue, including no strategy at all, please bring these up as well, either by posting to the list or during the call.

Wednesday, May 21, 2008
9:00 AM PT / 12 Noon ET / 1600 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #

International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

Bob

---------------------------------------------
Robert Pinheiro Consulting LLC
bp at bobpinheiro.com
(908) 654-1939
www.bobpinheiro.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080513/cccb010a/attachment-0001.html

From stollman.j at gmail.com Tue May 13 16:35:23 2008
From: stollman.j at gmail.com (j stollman)
Date: Tue, 13 May 2008 19:35:23 -0400
Subject: [Sig-ia] Next ID Theft SIG Call: Wednesday, May 21
In-Reply-To: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
References: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
Message-ID:

Bob,

Your note raises some intriguing questions. And because I am currently booked for the time slotted for your call, I thought I would throw out some ideas here.

It is my contention that there is a market for the high-assurance credential that you discussed, but the market is a bit of a chicken-and-egg problem. Institutions won't support the credential until there is a large enough body of credential holders to warrant investing in the infrastructure needed. And potential credential holders won't be compelled until there are enough uses of the credential to go through the (possibly costly) process of obtaining such credentials.

The market could get a big shot in the arm from a government mandate such as the Real ID Act, but at the moment it is not clear that the current mandate is going to be broadly supported (at least, in the next few years).

The compelling rationale for credential holders is to be able to use one credential for multiple uses, removing the need for a wallet full of credentials and a long list of passcodes associated with each one. The resistance to such an approach lies in both fear of identity theft as well as fear of data aggregation. As more and more data are tied to a single credential, the impact of someone linking all of the personal data associated with the various accounts (banking, credit cards, medical records, etc.) supported by the single credential grows. And the incentive to hack into the system grows with it. In other words, the linked issues of identity theft and privacy represent a critical barrier to success.

This seems to be an issue that is common to the IAF because the concept of federating identity has the same impact: creating a link (the credential information) to a broader range of information and access privileges. These become an increasingly tempting target as the breadth of services covered grows.

I'd be very interested in learning where this goes on your call.

Jeff

2008/5/13 Bob Pinheiro :

> Since assuming the chairmanship of the ID Theft SIG last year, it's been my belief that the primary purpose of this SIG should be to support a Liberty strategy or goal for defining best-practices or other specifications that would be applicable directly to preventing identity theft. Although there may be more than one strategy or goal for doing this, I believe the work that Liberty is now doing regarding the Identity Assurance Framework could play an important role.
>
> With that in mind, I presented to the Technology Expert Group last week one possible approach that combines high assurance electronic trust services that could be enabled by the IAF, and provided to consumers, with a Discovery capability enabled by the Liberty Web Services Framework. This could potentially allow, for instance, electronic credentials issued by Liberty-accredited Identity Providers for specific consumer applications (i.e., online banking or other financial services, electronic payment services, access to government services, access to online medical records, etc.) to be leveraged for authentication of anyone claiming the identity of holders of such credentials. FYI, further details of this approach can be found here and here.
>
> While it is tempting to propose that Liberty ought to pursue such an approach if indeed Liberty is going to adopt any strategy or position on identity theft prevention, this assumes that (1) there is business value to potential Identity Providers and Relying Parties in high assurance electronic trust services for consumers, and (2) consumers will choose to use these electronic credentials for such purposes. While we are now witnessing the beginnings of a market for low assurance identity services in the form of OpenID and self-issued Infocards, is there a consumer market for high assurance services? Of course, the government could mandate the use of stronger authentication capabilities for some of these applications, such as occurred in the US for online banking. However, it's not clear that such capabilities would necessarily satisfy the accreditation criteria set forth in the Liberty IAF, or that the providers of such capabilities would be interested in acting as Identity Providers for other purposes.
>
> So I propose we hold the next ID Theft SIG call to discuss the following question: If a Liberty strategy/position on prevention of identity theft depends on the existence of a consumer market for high assurance electronic trust services, is it necessary to understand these market issues in more detail before Liberty adopts any position on identity theft prevention? Or do we take the approach that "if we build it, they will come", and put aside these market issues?
>
> More specifically, it might be interesting for someone to pull together some sort of future discussion or seminar on some of these market issues, to help clarify what a viable strategy might be for Liberty to adopt (should it decide to adopt any strategy at all). For instance, PayPal offers OTP tokens to their users. What has been their experience with user adoption? Is PayPal a potential Identity Provider in the consumer space? What about the banks and financial services companies that must provide stronger authentication for online access to their services? Who are other potential Identity Providers in the consumer space? These are just a few possible ideas.
>
> It's also been suggested that further discussions related to Identity Theft take place in some other group, such as the Identity Assurance Expert Group, the Public Policy Expert Group, or the Identity Assurance SIG. That might make sense if identity theft efforts revolve around identity assurance. On the other hand, these groups may be more focused on the technical and operational issues involving identity assurance. In addition, there may be other identity theft topics that people may want to raise that don't concern identity assurance. Any thoughts on this? In my view, it would make sense to maintain the Identity Theft SIG, provided we can focus it on specific topics that would help to support a Liberty strategy on identity theft, and that there is sufficient interest among people to contribute their thoughts.
>
> I am distributing this announcement to the IAEG, as well as the IA-SIG. If anyone interested in these topics can't attend next week's call, please Reply All and post your thoughts and comments to the list(s). Also, if there are other identity theft prevention strategies or approaches that anyone believes Liberty ought to pursue, including no strategy at all, please bring these up as well, either by posting to the list or during the call.
>
> Wednesday, May 21, 2008
> 9:00 AM PT / 12 Noon ET / 1600 UTC
> US/Canada toll-free number: 866-469-3239
> US toll number: 650-429-3300
> Attendee Code: 00119954 #
>
> International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum
>
> Bob
>
> ---------------------------------------------
> Robert Pinheiro Consulting LLC
> bp at bobpinheiro.com
> (908) 654-1939
> www.bobpinheiro.com
>
> _______________________________________________
> Sig-ia mailing list
> Sig-ia at lists.projectliberty.org
>
> http://lists.projectliberty.org/mailman/listinfo/sig-ia_lists.projectliberty.org

--
Jeff Stollman
stollman.j at gmail.com
1 202.683.8699

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080513/5d629b2e/attachment.html

From bob at bobpinheiro.com Tue May 20 05:04:29 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 20 May 2008 08:04:29 -0400
Subject: [Sig-ia] REMINDER: Next ID Theft SIG Call: Wednesday, May 21
In-Reply-To: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
References: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
Message-ID:

At 01:04 PM 5/13/2008, Bob Pinheiro wrote:

>Since assuming the chairmanship of the ID Theft SIG last year, it's been my belief that the primary purpose of this SIG should be to support a Liberty strategy or goal for defining best-practices or other specifications that would be applicable directly to preventing identity theft. Although there may be more than one strategy or goal for doing this, I believe the work that Liberty is now doing regarding the Identity Assurance Framework could play an important role.
>
>With that in mind, I presented to the Technology Expert Group last week one possible approach that combines high assurance electronic trust services that could be enabled by the IAF, and provided to consumers, with a Discovery capability enabled by the Liberty Web Services Framework. This could potentially allow, for instance, electronic credentials issued by Liberty-accredited Identity Providers for specific consumer applications (i.e., online banking or other financial services, electronic payment services, access to government services, access to online medical records, etc.) to be leveraged for authentication of anyone claiming the identity of holders of such credentials. FYI, further details of this approach can be found here and here.
>
>While it is tempting to propose that Liberty ought to pursue such an approach if indeed Liberty is going to adopt any strategy or position on identity theft prevention, this assumes that (1) there is business value to potential Identity Providers and Relying Parties in high assurance electronic trust services for consumers, and (2) consumers will choose to use these electronic credentials for such purposes. While we are now witnessing the beginnings of a market for low assurance identity services in the form of OpenID and self-issued Infocards, is there a consumer market for high assurance services? Of course, the government could mandate the use of stronger authentication capabilities for some of these applications, such as occurred in the US for online banking. However, it's not clear that such capabilities would necessarily satisfy the accreditation criteria set forth in the Liberty IAF, or that the providers of such capabilities would be interested in acting as Identity Providers for other purposes.
>
>So I propose we hold the next ID Theft SIG call to discuss the following question: If a Liberty strategy/position on prevention of identity theft depends on the existence of a consumer market for high assurance electronic trust services, is it necessary to understand these market issues in more detail before Liberty adopts any position on identity theft prevention? Or do we take the approach that "if we build it, they will come", and put aside these market issues?
>
>More specifically, it might be interesting for someone to pull together some sort of future discussion or seminar on some of these market issues, to help clarify what a viable strategy might be for Liberty to adopt (should it decide to adopt any strategy at all). For instance, PayPal offers OTP tokens to their users. What has been their experience with user adoption? Is PayPal a potential Identity Provider in the consumer space? What about the banks and financial services companies that must provide stronger authentication for online access to their services? Who are other potential Identity Providers in the consumer space? These are just a few possible ideas.
>
>It's also been suggested that further discussions related to Identity Theft take place in some other group, such as the Identity Assurance Expert Group, the Public Policy Expert Group, or the Identity Assurance SIG. That might make sense if identity theft efforts revolve around identity assurance. On the other hand, these groups may be more focused on the technical and operational issues involving identity assurance. In addition, there may be other identity theft topics that people may want to raise that don't concern identity assurance. Any thoughts on this? In my view, it would make sense to maintain the Identity Theft SIG, provided we can focus it on specific topics that would help to support a Liberty strategy on identity theft, and that there is sufficient interest among people to contribute their thoughts.
>
>I am distributing this announcement to the IAEG, as well as the IA-SIG. If anyone interested in these topics can't attend next week's call, please Reply All and post your thoughts and comments to the list(s). Also, if there are other identity theft prevention strategies or approaches that anyone believes Liberty ought to pursue, including no strategy at all, please bring these up as well, either by posting to the list or during the call.
>
>Wednesday, May 21, 2008
>9:00 AM PT / 12 Noon ET / 1600 UTC
>US/Canada toll-free number: 866-469-3239
>US toll number: 650-429-3300
>Attendee Code: 00119954 #
>
>International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum
>
>Bob
>
>---------------------------------------------
>Robert Pinheiro Consulting LLC
>bp at bobpinheiro.com
>(908) 654-1939
>www.bobpinheiro.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080520/1231e6ff/attachment.html