Skip to end of metadata
  • Created by Former user, last modified by Former user on Jun 04, 2009
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

DRAFT CHARTER SUBJECT TO FURTHER REVISION AND APPROVAL

(1) WG NAME (and any acronym or abbreviation of the name): The WG name, acronym and abbreviation must not include trademarks not owned by the Organization, or content that is infringing, harmful, or inappropriate.

Consumer Identity WG

(2) PURPOSE: Please provide a clear statement of purpose and justification why the proposed WG is necessary.

The purpose of the Consumer Identity WG is to foster the development of a user-centric "identity layer" for the internet that enables consumers to fully exploit the potential of the internet without fear of identity theft. The WG addresses this goal by proposing technical and policy solutions that address current threats to privacy and identity, and socializes these solutions with appropriate parties to help foster their implementation. Specifically, the WG will create several whitepapers, and possibly other requirements or technical specifications, to specify how emerging identity technologies, protocols, frameworks, laws and regulations, etc., can be leveraged to: (a) enable businesses to know, with high confidence, the identities of individual consumers with whom it engages in high-value online transactions, without jeopardizing the privacy of the consumer's Personally Identifiable Information (PII); and (b) enable individual consumers to prevent others from impersonating them in online transactions. By championing the use of these high assurance, privacy-protecting identity solutions, the WG seeks to help bring about an environment in which the identities of consumers engaged in high value, online transactions can be known with the same degree of confidence as the identities of parties engaging in various types of sensitive online business-to-business transactions.

(3) SCOPE: Explain the scope and definition of the planned work.

Online identity fraud results from the misuse of personally identifying information such as names, Social Security Numbers, and birthdates, as well as misuse of shared secrets such as passwords, credit card information, answers to "challenge questions", mother's maiden name, etc. Misuse of this PII enables fraudsters to impersonate individual consumers online because identity-related claims are often based on nothing more than knowledge of this information. Identity fraud has an obvious negative impact on consumers, who may experience damaged credit scores, drained bank accounts, fraudulent credit card charges and other bills resulting from unauthorized purchases, falsified medical histories, privacy breaches of sensitive medical records and information, etc. The negative impact on businesses that provide identity-related products or services includes damage to their operations, reputations, and bottom line, as well as loss of trust that is difficult and costly to regain. As well, identity fraud creates distrust and fear between businesses and consumers that imperils achieving the full range of economic benefits promised by the internet itself.

While a number of initiatives, frameworks, and technologies currently exist that can support the purpose of this WG, today there is no large-scale, practical way to verify online identity-related claims as they pertain to individual consumers. Initiatives, technologies, frameworks, etc. that currently contribute to this goal include the Liberty Alliance Web Services Framework, the Liberty Alliance Identity Assurance Framework, Initiative for Open Authentication (OATH), the US government's e-Authentication initiative, OpenID, Information Cards, public key infrastructures (PKI), and others.

With this as a background, the Consumer Identity WG seeks to propose solutions to the problem of online consumer identity assurance that

  • facilitates trust of consumers by services providers
  • facilitates trust of service providers by consumers
  • reduces the amount of PII required to conduct transactions
  • enhances the protection of PII at rest and in transaction

More specifically, the WG proposes to undertake the following activities (subject to available resources):

  • Using a number of sources (see Section 10) as background, together with new insights derived from participation and interaction with industry groups and other identity-related initiatives, the WG will produce one or more whitepaper(s) that defines the concept of an authentication network comprised of Identity Providers that verify consumer identities and issue "strong" identity credentials, Service Providers / Relying Parties who rely on identity services from these Identity Providers, and individual consumers whose identities have been verified by these Identity Providers, and who have been issued credentials by these Identity Providers. The whitepaper(s) will specifically address the needs of individual consumers to control the use of their online identities for obtaining services from these service providers, as well as the needs of these service providers to rely on credentials issued by these Identity Providers for authentication of relevant identity claims.
  • Much identity theft occurs because identity claims made on the basis of personally identifiable information are unverified.  So unless all or most Service Providers / Relying Parties require rigorous identity verification prior to establishing new identity-related services, it may still be possible for the identity of someone who has been issued "strong" credentials to have his/her identity "stolen."  The WG will produce a whitepaper that explores the feasibility of enabling a Relying Party to discover a trusted Identity Provider that can verify an identity claim made on the basis of PII, provided the claimed identity has been initially verified by that Identity Provider.
  • Information cards, in particular, may act as online "identity cards" that can help prevent identity fraud in two ways: managed information cards issued by trusted third party Identity Providers can provide verified identity claims on behalf of consumers, and self-issued information cards implementing cryptographic authentication protocols can be bound to existing online resources or accounts to provide strong, two factor authentication for accessing these existing resources or accounts. The WG will produce a whitepaper outlining how Information Cards, and in particular managed Information Cards, can help to prevent consumer identity theft.  The whitepaper may also address how the Liberty Identity Assurance Framework can be applied to establish trust between Relying Parties who consume identity claims contained in secure tokens generated by Identity Providers, and those Identity Providers who issue managed Information Cards and identity claims transmitted via secure tokens.

In addition, the WG will act as a source of expertise on consumer identity issues for other Kantara needs, and will strive to interact with (and participate in) relevant industry consortia.

(4) DRAFT TECHNICAL SPECIFICATIONS: List Working Titles of draft Technical Specifications to be produced _(if any), projected completion dates, and the Standards Setting Organization(s) to which they will be submitted upon approval by the Membership.

At this time, no Technical Specifications are planned.  Any draft Technical Specifications issued by the WG will be based on the whitepapers and/or requirements outlined in Section 3.

(5) OTHER DRAFT RECOMMENDATIONS: Other Draft Recommendations and projected completion dates for submission for All Member Ballot.

See Section 3 for proposed Deliverables (which may or may not take the form of Draft Recommendations).

(6) LEADERSHIP: Proposed WG Chair and Editor(s) (if any) subject to confirmation by a vote of the WG Participants.

Bob Pinheiro, Robert Pinheiro Consulting LLC

(7) AUDIENCE: Anticipated audience or users of the work.

Organizations involved with online identity fraud, credit card companies and others involved with online payments, non-profit identity and privacy groups, vendors of authentication and identity services and technologies, government consumer groups (e.g., FTC), credit reporting agencies, think tanks involved with identity issues (ie, Center for Strategic and International Studies, Center for American Progress, National Research Council, Center for Applied Identity Management Research, etc.)

(8) DURATION: Objective criteria for determining when the work of the WG has been completed (or a statement that the WG is intended to be a standing WG to address work that is expected to be ongoing).

The Kantara Leadership Council charters the Consumer Identity Work Group for five years. It may be amended from time to time, with changes approved by the Leadership Council. This charter will expire on <INSERT DATE>.

(9) IPR POLICY: The Organization approved Intellectual Property Rights Policy under which the WG will operate.

Kantara Initiative IPR Policy - Liberty Option

(10) RELATED WORK AND LIAISONS: Related work being done in other WGs or other organizations and any proposed liaison with those other WGs or organizations._

Previous work related to the efforts of the WG includes: (a) "_Authentication 2.0: New Opportunities for Online Identification", by Center for Strategic and International Studies; (b) "Online Identity Theft: Changing the Game", Microsoft Whitepaper; (c) "Connecting Americans to their Healthcare: Consumer Authentication for Networked Personal Health Information", by the Connecting For Health Initiative of the Markle Foundation; (d) "The ID Divide: Addressing the Challenges of Identification and Authentication in American Society", by the Center for American Progress; (e) "Securing Cyberspace for the 44th Presidency", by the Center for Strategic and International Studies.

The WG may have liaisons with other WGs, including Identity Assurance & Accreditation WG, Health Identity & Assurance WG, eGovernment WG.

Other organizations that the WG may interact with include the Information Card Foundation, ANSI Identity Theft Standards Panel, Center for Strategic and International Studies, Center for American Progress, Internet Society, Center for Applied Identity Management Research.

(11) CONTRIBUTIONS (optional): A list of contributions that the proposers anticipate will be made to the WG.

(12) PROPOSERS: Names, email addresses, and any constituent affiliations of at least the minimum set of proposers required to support forming the WG.

  • Bob Pinheiro, Robert Pinheiro Consulting LLC
  • Pak Mark, Independent Business Investor
  • Ron Carpinella, Equifax
  • Alex Popowycz, Fidelity Investments
  • No labels