...
Problem statement: Trusted third parties like Identity and Attribute Providers tend to accumulate a lot of traffic data and 'RP graph' data about its user population. This might create some risk, in particular when identities are used across domains like professional and private context or different government agencies.
Requirements
(t.b.d. How can these requirements be deducted from FIPs? Is a Privacy Impact Assessment needed? Is there a requirement at all?)
Solutions
Discussion in Kantara eGov WG listed approaches to mitigate this risk in 5 categories:
...
Identity Escrow. The IdP/AP is taken out of the interaction with the RP, using cryptographic technologies like in Idemix and uProve. This provides an assertion to the RP without the IdP knowing to whom to provewhich RP they are asserting an identity for.
Pro: Technical control that satisfies the unobservability requirement
...