Eve,
I agree with your viewpoint. In general, we find in our customer interactions that there are at least five key tradeoffs to consider in broker identity federation:
1. Security
2. Privacy
3. User Experience
4. Cost
5. Liability
In math terms, these constraints could be considered the boundaries of a non-linear solution space where a relying party may want to adjust each tradeoff to "optimize" their transaction process. And, depending upon the purpose of the relying party web site/service and the target user constituency, the optimization of these tradeoffs can vary significantly. For example, consumer-facing web sites for purposes of information exposure may want to allow a social credential login with little or no requirements for attribute verification. However, a B2B supply chain application for partner employees, vendors and suppliers may require strong multi-factor authentication plus contextual attribute verification (e.g., active employment status, clearance, etc.).
In the case of FCCX, the desire for stronger privacy controls may challenge the security policy and risk mitigation requirements of participating relying parties, and can thereby result in a liability distribution model that does not scale and is untenable in the market. As such, a business model cannot thrive that recognizes the diverse needs of each relying party service provider to deliver services with fungible contract mechanisms in a competitive environment. This will drive away interest and participation from key service providers due to non-compliance with their operating and insurance policies.
As privacy policy continues to evolve into legislative requirements, the tradeoffs listed above will likely be some of the key components of the debate. The argument of "one size fits all" will not likely prevail given the diversity of requirements and stakeholders. A more reasonable approach might be for identity broker services to enable relying party choice with tools that allow trust framework communities to define the rules for how the tools are deployed. The combination of privacy enhancing capabilities (tools), consumer trends, legislative pressures, technology evolution, and competitive market forces will likely be the key drivers of change and ultimately drive continuous evolution of the optimal solution set for any relying party.
Regards,
Dave
David Coxe, CEO
ID/DataWeb, Inc.
DCoxe@IDDataWeb.com
571-332-2740 cell
703-942-5800, ext 315 office
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Thursday, October 29, 2015 2:24 AM
To: Mark Dobrinic
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] NIST Seeks Comments on New Project Aimed at Protecting Privacy Online
Okay, I'll be the contrarian, just for fun.
As I commented to a couple of people regarding the relatively recent academic paper Toward Mending Two Nation-Scale Brokered Identification Systems (http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/popets15-brokid.pdf), everything is tradeoffs. And it's arguable that the governments in those cases made the operationally and more citizen-acceptable tradeoff for privacy vs. what the researchers recommended.
Quoting/paraphrasing myself from previous threads on this topic:
I suspected from a brief article (http://www.computing.co.uk/ctg/news/2414194/govuk-verify-identity-management...) on the subject that the reporter probably had trouble divining exactly what the problem with the FCCX and UK.Gov Verify systems actually was, since it wasn't explained at all, nor what the proposed solution was... and it's all extremely subtle. And I'm not even seeing a huge outcry or even all that much gov followup/panicked defense after.
The researchers found a limitation in the tradeoff choice that the FCCX and UK.Gov Verify system designers made. This tradeoff prizes the ability for the user to use an online service ("relying party") and an identity provider, free from worrying that the two will discover who the other is, over the perfect ability for a pseudonymous identifier and attributes representing the user to pass unseen through the broker in the middle (the broker makes this "service blinding" possible). The researchers propose some clever encryption tricks to guard against the broker seeing things, and go further and propose a new user-chosen "identity integration" service that could handle the tricks. Given that brokered systems, and the "older" protocols such as SAML already in use, and the encryption tricks they suggest, and user interfaces that force users to choose services, are all considered extremely heavyweight and expensive in various ways, I give the researchers' suggestions a nil chance of succeeding in the current environment. And given that users have a variety of incentives to share enough attributes in everyday circumstances to routinely become identifiable (Latanya Sweeney's research in particular is famous for discovering these properties), it's very questionable whether the researchers' preference for tradeoffs vs. the nations' preference is the correct one.
On 25 Oct 2015, at 7:49 AM, Mark Dobrinic