From Robin.Wilton at Sun.COM Wed Jul 2 05:58:02 2008
From: Robin.Wilton at Sun.COM (Robin Wilton)
Date: Wed, 02 Jul 2008 13:58:02 +0100
Subject: [SIG-IDtheft] Shameless trawling for votes...
Message-ID: <486B7B5A.7040101@sun.com>
Hi folks -
Just to let you know that my blog has made the shortlist for
ComputerWeekly's IT blogs 2008 :^)
If you are inclined to do so, you can add your vote (to my one... ahem)
via the following URL:
http://www.computerweekly.com/blogawards.htm
Just scroll down to the list at the bottom of that page, select the "IT
law and governance" category and you should see me in there.
I will have no idea you have done it (so you can claim the credit anyway
;^), but if you do - thank you!!
R
--
Corporate Architect - Federated Identity
CTO Office (Business Alliances)
robin.wilton at sun.com
Tel: +44 (0)705 005 2931
http://blogs.sun.com/racingsnake
From enelson at secureprivacysolutions.com Mon Jul 7 09:03:09 2008
From: enelson at secureprivacysolutions.com (Eric Nelson)
Date: Mon, 7 Jul 2008 09:03:09 -0700
Subject: [SIG-IDtheft] Potential Liberty Alliance Deliverables Related
to Identity Theft
Message-ID: <001801c8e04a$f447ff60$dcd7fe20$@com>
I thought the link to a recent conference for proposed Internet policies and
recommendations by the OECD might be of interest to the group.
http://www.oecd.org/FutureInternet
The recommendations from the conference provide a good overview of the
global direction and requirements and tie into the need for the secure
applications and technologies mentioned below.
Best regards, Eric
Eric Nelson, CIPP
Principal - Privacy and Information Security
"Protecting your customer's information through people, processes and
policies"
www.SecurePrivacySolutions.com
949.721.5897 (office)
714.612.0367 (mobile)
From: sig-idtheft-bounces at lists.projectliberty.org
[mailto:sig-idtheft-bounces at lists.projectliberty.org] On Behalf Of Bob
Pinheiro
Sent: Wednesday, June 25, 2008 10:58 PM
To: sig-idtheft at lists.projectliberty.org; iaeg at projectliberty.org;
sig-ia at lists.projectliberty.org
Subject: [SIG-IDtheft] Potential Liberty Alliance Deliverables Related to
Identity Theft
On an Identity Theft SIG call earlier this year, we discussed the Liberty
Identity Assurance Framework, and especially its potential as an enabler of
a large-scale authentication system that could help to prevent identity
theft. There was also a suggestion that maybe the Identity Theft SIG (and
other groups within Liberty) might have a role in putting together some
White Papers that could provide a more complete picture of how a
LIAF-enabled authentication system could help to prevent identity theft.
Although the "identity" that is stolen in identity theft could refer to the
identity of a business or even a government entity, identity theft is mainly
of interest to us and others as it refers to an individual consumer's
identity that is misused by imposters to gain various identity-related
services. For this reason, the ability of LIAF-enabled authentication
systems to prevent identity theft is closely tied to the viability of high
assurance identity trust services offered by Identity Providers for use by
individual consumers.
Here's a tentative list of possible White Papers and Specifications that
address ways in which Liberty products can help to prevent identity theft.
We are soliciting your opinion about the usefulness of these potential
deliverables, your comments and suggestions for modifications or changes to
this list, as well as your interest in acting as a subject matter expert on
any of these potential deliverables if there is sufficient interest to
proceed.
White Papers
1. White Paper that compares identity proofing methods used by financial
institutions, motor vehicle bureaus, and REAL ID, to Liberty IAF identity
proofing requirements at the appropriate assurance levels.
2. White Paper describing the concept of a large-scale identity network /
authentication system consisting of Liberty-accredited Identity Providers,
and Relying Parties who agree to honor credentials/tokens issued by any
accredited Identity Provider. This network could enable any Relying Party
that is a member to authenticate the identity claim of anyone presenting
credentials/tokens (at the appropriate Assurance Level) issued by any
Liberty-accredited Identity Provider that is also a member. This identity
network / authentication system may result from the inter-federation of
different identity federations, so that Relying Parties and Identity
Providers belonging to different federations are able to trust each other.
3. White Paper describing possible business models that would make high
assurance trust services economically viable for use by consumers. One
potential model might require Relying Parties to pay Identity Providers for
identity assertions. This could be akin to credit grantors paying consumer
credit bureaus for information about a consumer's credit history. Such a
model might be viable in the context of allowing Relying Parties to satisfy
the recently-issued Red Flag Rules that require credit grantors to have
written identity theft prevention programs. Another possible business model
might focus on individual consumers themselves paying a fee to an Identity
Provider for identity theft protection, similar to what people pay today for
credit monitoring services and other identity theft prevention services
(based on fraud alerts or credit freezes) that have emerged recently.
4. White Paper describing how an identity network / authentication system
can be extended so that identity claims made to Relying Parties on the basis
of personally identifiable information can be authenticated, if the personal
information is associated with the identity of someone who has been issued
credentials/tokens as part of a high assurance trust service from an
accredited Identity Provider. This extension would involve a Discovery
Service that can discover the appropriate Identity Provider on the basis of
personally identifiable information.
Background: Even if a LIAF-enabled identity network / authentication system
were to exist, it is assumed that a person whose identity is to be
authenticated needs to present some sort of credentials or tokens to the
service provider / relying party. But many cases of identity theft result
when stolen personal information is used by an imposter to claim someone
else's identity. In that situation, the stolen personal information itself
acts as a "credential", and the service provider / relying party has no
corresponding token to authenticate the claim of identity. Is there any
way that someone who possesses Liberty-accredited credentials/tokens can
still be protected against identity theft, if the identity theft occurs by
means of stolen personal information?
5. White Paper that explores the usefulness and viability of a range of
potential LIAF-enabled high assurance trust services for consumers.
As one example, online banking and bill payment services pose high degrees
of risk to consumers if unauthorized persons can gain access to these
accounts, or are able to drain money from these accounts. Will Relying
Parties such as financial institutions and others be willing to accept high
assurance credentials for access to these accounts that have been issued by
other, Liberty-accredited Identity Providers? Would financial institutions
or other business entities be willing to act as Identity Providers for
authentication of their consumer customers to other entities?
Another example could involve the Identity Providers that issue managed
Information Cards. These managed Information Cards, unlike self-issued
cards, essentially provide high assurance trust services to Relying Parties
on behalf of the "owners" of these Information Cards, many of whom may be
individual consumers. The recently formed Information Card Foundation,
which is concerned with the use of electronic ID cards on the Internet, is
also a new Liberty Alliance member. Might the LIAF play a role in
establishing the trust relationships between the Relying Party users of
Information Cards, and the Information Providers that issue managed cards?
6. White Paper that discusses the characteristics of authentication tokens
most likely to be used in high assurance consumer authentication
applications, and compares these characteristics to authentication token
requirements defined by NIST 800-63 "Electronic Authentication Guideline",
at various assurance levels.
Specifications / Best-Practices
1. Specifications for a Discovery Service that identifies the specific
accredited Identity Provider that is able to authenticate an identity claim
using credentials/tokens issued by that Identity Provider, on the basis of
personally identifiable information presented to the Discovery Service that
is associated with the holder of those credentials/tokens. Such a Discovery
Service is necessary to prevent identity theft when stolen personal
information is used to make claims of identity.
Request for Comments / Call for Participation
We would greatly appreciate your comments on this list of potential White
Papers and Specifications. At this time, there is no commitment by Liberty
to produce any of these deliverables. We are interested in determining
whether there exists sufficient interest among various Liberty interest
groups (ID Theft SIG, IA-SIG, IAEG) to consider proceeding with any of
these. Do these seem appropriate and useful for Liberty to produce, given
that identity theft is a subject of sufficient importance to Liberty
Alliance that it has created an Identity Theft Prevention SIG? Would you
suggest any changes, modifications, or deletions to anything on the list?
Are there any other potential White Papers that you think might be useful
but that weren't included here? If you do not think that Liberty should be
pursuing any of this, that is also a useful piece of information as well.
Would it be useful to schedule an ID Theft SIG call to discuss these
potential deliverables further?
Would you be interested in acting as a subject matter expert in helping to
produce any of these deliverables, provided that someone else does most of
the work, with your role mainly confined to providing expertise and
guidance?
You can respond by replying back to the list from which you received this
(ID Theft SIG, IA-SIG, IAEG). Or if you prefer, you can respond to me
directly.
Thanks
Bob Pinheiro, Identity Theft Prevention SIG Chair
---------------------------------------------
Robert Pinheiro Consulting LLC
bob at bobpinheiro.com
(908) 654-1939
www.bobpinheiro.com
From takahashi.kenji at lab.ntt.co.jp Mon Jul 14 23:29:02 2008
From: takahashi.kenji at lab.ntt.co.jp (Kenji Takahashi)
Date: Tue, 15 Jul 2008 15:29:02 +0900
Subject: [SIG-IDtheft] [Fwd: [technology] DNS vulnerability]
Message-ID: <487C43AE.8050809@lab.ntt.co.jp>
-------- Original Message --------
Subject: [technology] DNS vulnerability
Date: Tue, 15 Jul 2008 15:26:51 +0900
From: Kenji Takahashi
To: SIG-IDTheft at projectliberty.org, technology at projectliberty.org
Just an FYI. The below is a vulnerability in DNS, which has recently attracted big ISP concerns. This, and increasing DNS queries that overwhelm ISPs, would be a big problem (to OpenID in particular).
http://news.cnet.com/8301-10789_3-9989292-57.htm
Regards,
Kenji
From Contact at IdentityTheft.org Tue Jul 15 10:10:22 2008
From: Contact at IdentityTheft.org (Mari Frank)
Date: Tue, 15 Jul 2008 10:10:22 -0700
Subject: [SIG-IDtheft] Potential Liberty Alliance Deliverables
Related to Identity Theft
In-Reply-To: <001801c8e04a$f447ff60$dcd7fe20$@com>
References: <001801c8e04a$f447ff60$dcd7fe20$@com>
Message-ID: <003b01c8e69d$abcd94d0$0368be70$@org>
Hi Eric and Bob-
I would be interested in #2 and #1 in that order to help
with subject matter expertise.
Best,
Mari
Mari Frank, Esq., CIPP
Contact at identitytheft.org
28202 Cabot Road, Suite 300
Laguna Niguel, Ca. 92677
Phone: 949-364-1511
Fax: 949-363-7561
www.identitytheft.org
www.MariFrank.com
www.kuci.org/privacypiracy
E-mail contact at identitytheft.org
To order Mari's books:
Call Porpoise Press 800-725-0807