Global Identity Initiatives (PowerPoint)

Welcome
Open Identity Attribute Exchange Summit
Sponsored by
Day One
8:00-9:00   Registration and Continental Breakfast
9:00-9:15   Identity is a Wicked Problem and Goals for Today - Don Thibeau, Chairman, OIX
9:15-10:00 "Connecting you to your Digital Identity", Andrew Nash, Director of
            Products, Internet Identity, Google
10:00-10:45 "Internet Identity across Levels of Assurance", Paul Donfried, CTO - IAM,
             Verizon
10:45-11:00 Break/Beverage
11:00-11:45 Strong Authentication - The LMNOP Identity Ecosystem, Eric Sachs, Sr.
             Product Manager, Google
11:45-1:00 Luncheon Keynote: Government Perspectives: Jeremy Grant, Senior Executive
            Advisor for Identity Management, NIST, and Deb Gallagher of the US GSA
            FICAM program will discuss progress the US government is making on
            implementing identity management for citizens.
1:00-1:45   Commercial Perspectives: A Panel Discussion of Trust Elevation in the Public
            and Private Sector and roadmap to assurance, Co Chaired by Abbie Barbir, Vice
            President Bank of America, Farhang Kassaei, Chief Architect, Managed
            Marketplaces, eBay, Inc., and Don Thibeau of OIX and OpenID Foundation
1:45-2:30 Legal/Policy Perspectives: "Doing well by doing good - the value proposition of
          online privacy and identity assurance" Chaired by Scott David, OIX Counsel,
          Debra Diener, Privacy Consultant, Aaron Brauer-Rieke, Analyst - Center for
          Democracy & Technology and Naomi Lefkovitz, Director of Privacy and Civil
          Liberties, Cybersecurity Directorate, National Security Staff, The White House
2:30-2:45 Break/Beverage
2:45-3:30 International Perspectives: A panel of experts on the UK government ID
          assurance program to implement 3rd party digital Identities to access online
          government services in the UK. Andre Boysen, Securekey, Mike Ozburn, Booz-
          Allen, Sandy Porter, Avoco, Jim Purves, Experian

3:30 - 4:15 Breakout 1 - Relying Party Feedback, Andrew Nash of Google and Paul Donfried, CTO -
            IAM, Verizon, Don Thibeau of OIX – Meeting Room 13
            Breakout 2- Business Challenges of Strong Authentication, Peter Graham, Verizon
            Business and Eric Sachs, Sr. Product Manager of Google – Meeting Room 14

4:15-5:00 Wrap Up and Q&A, Don Thibeau, President, OIX
5:00-6:30 Wine and Cheese Reception – Mt. Vernon Room
                                Day Two
Day 2 - Thursday, November 10, 2011
8:00-9:00          Registration / Continental Breakfast
8:30-8:45          Welcome/Overview - Don Thibeau
8:45-9:30          OpenIDConnect/AccountChooser Overview, Pam Dingle of Ping
                   Identity and Eric Sachs, Sr. Product Manager of Google
9:30-10:15         User and API flows for Attribute Providers, Charlie Reverte of
                   ID/DataWeb and Eric Sachs, Sr. Product Manager of Google
10:15-10:30        Break/Beverage
10:30-11:15        User and API flows for Mobile strong authentication, Eric Sachs, Sr.
                   Product Manager of Google

11:15-12:00        OIX Pilot Organizational Meeting, Don Thibeau of OIX, Andrew
                   Nash of Google, Paul Donfried CTO, IAM, Verizon
Identity is a Wicked Problem
I really mean it…
Identity is a Wicked Problem because…
No universally accepted definition of the problem
• Is the problem that we have too many hard-to-
  remember passwords?
• That we have passwords at all?
• That passwords are too weak?
• That I cannot protect my identity and my anonymity?
• That I cannot easily describe the many facets of my
  life in a single online profile on Facebook?


• Rittel, Horst, and Melvin Webber; "Dilemmas in a General Theory of Planning," pp. 155–169, Policy Sciences, Vol.
  4, Elsevier Scientific Publishing Company, Inc., Amsterdam, 1973.
There is no stopping rule
• How will we know when the online identity problem
  is solved?
Solutions are not true or false, but bad-or-good
• We might describe client-side-certificates as "better"
  than passwords (or worse), but we certainly wouldn't
  describe one as true in the mathematical sense
  (although we could describe specific technical
  properties as true).
There is no immediate test of a solution

• Did Google implementing two-factor authentication
  for login "solve" their identity problems?

• Only time will tell. Perhaps we will see the problem
  shift to malware and compromised clients.
Every solution to a wicked problem is a "one-shot operation"
• An initial mistake about how the social graph was
  created from contacts in our email accounts
  effectively dealt Google Buzz a blow from which it
  has so far been unable to recover.
Wicked problems do not have an enumerable set of solutions

• Clearly we've been trying to figure out how to do
  identity management on the net for 15+ years, and
  yet we still see new ideas every other week.
Every wicked problem is essentially unique
• Identity on the web is not like identity in the real
  world; there is no physical confirmation of a person
  that we can use, and every interaction is mediated by
  a (usually possibly compromised) client.
• It is not like identity on a single computer.
• It is not even like identity on a corporate intranet.
• The hard-won lessons we've learned in other
  situations don’t apply as often as they do apply.
Every wicked problem can be considered to be a symptom of another problem
• Perhaps password problems and phishing exist
  because we don't have a PKI infrastructure.
• Perhaps we don't have a PKI infrastructure because
  we don't know how to establish highly available trust
  zones amongst mutually distrusting parties.
• How do we stop moving the problem around?
What do we do?
• Rittel's hypothesis (and Conklin's):
   – Build shared understanding
   – Build shared memory

• NSTIC/tScheme/etc.
   – A private-sector-led public/private partnership

• Redefine the problem: “Un-pack” identity
   – “Identity is a bag of attributes with a name on it”
   – “The Tao of Attributes”

• We test/pilot new hypotheses
   – Seek disconfirming evidence

• Limit things to explore them more thoroughly
   – The “DNA” of Identity
The Identity of DNA
The DNA of Identity
[Diagram: "Key Identity Attributes" at the center, surrounded by Name (SSA), Address (USPS), Email (ISPs) and Phone (Telcos)]
“Love Symbol”
Prince
Prince Rogers Nelson
The Artist Formerly Known as Prince
Mr. Nelson
Skipper
Jamie Starr
Joey Coco
Paisley Park
Alexander Nevermind
Christopher
The DNA of Identity
Major Identity Attributes
• Name (SSA): Most, but not all, provided by SSA, but only via SSN and then only in a highly restricted environment
• Address (USPS): USPS Delivery Point Validation file (DPV), LACS, NCOA, DSF2, etc.; MSAG (Telcos)
• Email (ISPs): Major ISPs now discussing providing account validation to each other (via OIX)
• Phone (Telcos): Telcos keep a regulated subscriber info file. Some but not all allow external verification.
Enterprise vs. Consumer Identity
[Diagram: (1) Enterprise Centric, (2) User Centric, (3) Federated Partners. User-centric labels: Open Government, Social Networks, Web 2.0, Mashups, Tagging, e-commerce, Finance]
Technology can’t do it alone

Relying on technology tools to control data/identity systems, while ignoring legal rules, is like rowing with one oar in the water
Reliable data systems depend on coordination of technology and people
Consensus-based rules systems build trust
Trusted Systems Reduce Risks & Save Costs
Experiment in Identity
•   Technical: use open standards like OpenID Connect
•   Legal: user-assertion and permissioning
•   Policy: impact of user consent on regulations
•   User Experience: user managed access
•   Economics: new business and pricing models


• Trust:
Attribute Binding Pilots
• User Asserted
  – Built on open interoperable protocols and attribute-based
    architecture
  – Integrates with authentication and authorization spanning
    servers, cloud hosting environments, private clouds,
    extranets and clients
  – Enables coordinated, cross-system authorization policies
• User Permissioned
  – Policy impact, e.g. regulatory compliance
  – Legal impact, e.g. liability
  – Brand impact, e.g. building trust with customers
A Basic “Trust Triangle”
Looking at it in context:

The user has a direct trust relationship with both the identity service provider and the relying party.

How can the identity service provider and relying party trust each other?

Trust Frameworks 101: An Introduction
Open Identity Trust Frameworks
Open Identity Trust Framework

• Open: participation is opt-in, market driven, and transparent
• Identity: authentication is a critical requirement for market growth and new web services
• Trust: results from reliable and repeatable transactions
• Frameworks: are systems for technical and policy interoperability
Components of Trust Frameworks

• Policy “Rules” are specific legal duties like privacy protection.
• Assurance includes assessment & certification procedures.
• Technology “Tools” are specific protocols like the OpenID 2.0 standard.
Leading the Charge

• Helps Build Trust Frameworks
   – “Telecom Data Working Group”
   – “Email Attribute Working Group”
• Offers Valuable Resources
   – OIX Knowledge Center for best practices learning and discussion
   – OIX Technology Center for technical interoperability
   – Thought Leadership
• Certifies Compliance
   – Directly for “US Government ICAM Framework”
   – And with others like Kantara, tScheme, etc.
Enables the Building of Online Trust

				