Use Cases for Identity Brokers

From IIW

Conference IIW8 Room/Time: 12/G

Convener: Ben Sapiro/Ashish Jain

Notes-taker: Ben Sapiro

Attendees: Alan K, Bob P, Alavilli P, Vittorio B, Ray V, Ashish J

Technology Discussed/Considered: Identity Broker Uses Cases

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IP needs to have some sort of accreditation

why would the RP pay?

Alcohol sellers online

  • verification that you're a child by accessing a school database
  • Red flag automation for

you do not have correct control of the data collection

An industry based IP -

  • all the banks want to have one single phase
  • all the attorneys have one single issue

you become a very attractive target if an attacker can get onboard and generate identities via you

the more datasources you aggregate, the more useful you are - but the more risk you will be faced with

not unlike OpenID OP vs IdP debate - but unless you actually issues Identities, you're just an Identity Owner (not a provider)

An IP can perform correlations across multiple data sources

This is done in federation. Example – citizen of EU --> Italian IdP (using on behalf-of)

the main value is providing access to the data, not in aggregation (that is clearly secondary)

some of these are claims, some of these are too close to be background checks

  • Is sex offender
  • is criminal
  • education history
  • employment history
  • DOB/Age/Over18
  • Address verification
  • Credit Check
  • valid insurance
  • reputation
  • driving record
  • frequent flyer miles
    1. of linkedin connections
  • citizenship
  • property ownership
  • marital status
  • connections to a group
  • affiliations/membership
  • professional status
  • email ownership

(these have to be actively consumed by a third party, otherwise it's just information)

(if the information is about the requestor, it's a claim, otherwise not)

would require in-place access to data (no copies)

would require strong legal contracts forbiding mix and match to achieve information leakage

need to expose which sources you queried but not what the answers were

pricing could be comensurate with assurance level (did I ask gold level or silver level information sources)

pricing could be commensurate with granularity of information exposed (boolean versus scored)

Identity Broker is actually a claims broker (strict definition)

would need a process to feed in annotation/corrections and handle disputes

how do we resolve inconsistent data (database does A does not match B and C)?

Left Side of Board

Right Side of Board