CSDIP = Cross-Sector Digital Identity Program /NSTIC P.O.C. (W2F)
Session Topic: CSDIP Cross Sector Digital Identity Program (W2F)
Convener: John Biccum
Notes-taker(s):' Amanda Anganes
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
CSDIP session - John B. from Microsoft
Cross Sector Digital Identity Program
Goal: interoperability of state-issued identity credentials
started in VA - workers in northern VA (DC area) may not live in VA - maybe maryland, west vA, etc
started looking at private-sector issued credentials
States have said that even if there were no other RPs, it would still make budgetary sense to issue a good state ID that was interoperable between other state departments
CSDIP is wanting to do an initial build and test out issues, get social-political group feedback
idea: state wants to be able to transfer car title online. Currently, states loose lots of money on this transaction b/c fee is not high enough to cover costs of paper trail. CSDIP predicts that if they started trying to build this capability, they may run into state laws that need to change - law might say "must sign form X to transfer ownership". No form X if it's online.
CSDIP is group of companies, state workers, defense contractors
Microsoft, CA tech, Northrup Grumman, state of VA, a few others
Current goal is to build a small-scale model of a complete ID ecosystem (IDPs, RPs, attribute provider framework, trust framework, etc). Predict that it will fail and fail early - want to "assess the area of suckage" - if we build this, what breaks? legal issues, social policy issues, technology issues?
First use case - public sector ID provider provisioning a credential that is used for an edge service that would have RPs in other states. Need a schema for representing attributes on the user, at known levels of trust, that are of interest to RPs.
Federally funded but state-administered benefit programs: For example, a benefit program may require that the beneficiary prove lawful presence in a particular state. States may attempt to satisfy this req in different ways. State A may ask for self-assertion of "lawful presence". State B may request a passport for proof. State C scans passport, makes a web query to state department to verify accuracy of the passport. All of these checks are setting the same boolean to 1 - but each check means a totally different thing. Need an ontology, way of understanding the questions that RPs may ask about attributes.
CSDIP is asking state programs what attributes they're looking for to make authZ decisions. Hypothesize that different states will have similar but slightly different answers - state implementation of a federal program.
Meeting in Reston VA next week; hoping to produce an architecture that will be built for first version & chunk up work assignments.
Some open-source code exists for a similar problem at streetidentity.com. Uses OID connect, etc.
Hypothesize that they could probably pull off authN at a standard level; but that authZ development/standardization is in process, may not be ready yet?
Question - If using VA DMV to proof VA vita credential for public IDP - who is proofing DMV?
Don't want to force something weird by settling on only 1 trust framework/proofer - solution may require several or it may not, but don't want to decide on that prematurely.
But, challenge is figuring out liability. Liability is a big issue for private IDPs.
Work's goal is not to come up with answers, but the right questions.
CSDIP is working with "a certain national bank" that is very close to provisioning IDs to citizens at large, but is being held back by liability issues (vs low monetization opportunities).
Hypothesize that a way to move forward is to define what the IDP is doing, in plain English. Serve notice that the IDP is ONLY doing what it says - RPs need to look at that declaration and decide whether it's good enough for them or not.
International finance lease corporation idea:
Identity insurance body, with relationship to private sector entities - attach a financial risk model to individual entities, provide a scoring index.
Look at what we currently have:
FSSCC - bunch of bank under NIP - guidance given to banks regarding proofing ids of customers
AAMVA - guidance to states
NASCIO - RP, possibly trust framework?
NAPHSIS - public health (birth certificates, marriage, death, etc); also a trust framework
There are a lot of these organization already existing, but not working together and not being applied to the digital ID fronteir.
One way to deal with liability is insurance.
Another way is to somewhat ignore it - say that someone can sue us, but so what? We have a legal department and enough money.
Third way is to pass it on to someone else w/o a financial transfer (such as providing notice of what your product does; do not try to use it for seomthing else or it will break and you can't call us asking for recourse).