ITAC contribution on the Identity Management Primmer DSTI/ICCP/REG(2008)10/REV1

March 25, 2009

Contact: Trent Adams, adams@isoc.org

ITAC supports the objective is this document that is to provide policymakers a broad-brush understanding of the various dimensions of Identity Management (IdM). We find very useful that it introduces in non-technical terms the basic concepts and issues raised by IdM, and points to additional sources where policymakers may gain a deeper understanding of the topic. This valuable work will undoubtedly benefit policy makers as they wrestle with the complicated issues related to identity management.  It is clear that the work has been carefully constructed to present a balanced overview of the landscape.

During the WPISP volunteer group meeting ITAC was asked to provide input to

paragraph 8. Specifically, we were tasked with offering a reworded bullet point on “Improving user convenience” as well as adding a new bullet point on the topic of “Minimizing security risks.”  Following are the suggested modifications:

i) Improving user convenience: When used across multiple systems, effective IdM reduces the inconveniences caused by the need to keep track of multiple accounts, passwords and authentication requirements. Further, simplifying the user experience can improve the convenience for users, increasing their use of online services

ii) Minimizing security risk profile: Security is increased by minimizing the flow of data during transactions, only requesting, transferring, and storing what is required. Effective IdM can minimize the transactional data required for users of multiple systems and thus decrease security risk.

Another section on which ITAC was asked to comment was Diagram 1 in Annex 1.  Specifically, the “Silo Model” section appeared to be missing a “Claims Provider” block as is displayed within the other three sections.  Upon review, it is clear that there is no need for a “Claims Provider” within a “Silo Model” since the silo itself, as the sole holder of data, has no need to provide any claims or assertions as are required in the other models.  If this remains a stumbling point for readers, it is suggested that an annotation be added to the “Silo Model” with a clarifying statement.

We would also propose the following modifications in the view a clarifying certain points of the document:

a)      It’s possible that a reader of Annex 1 may view Table 1 and incorrectly read the columns from left-to-right as being from “bad-to-good”.  This is most apparent in the “Trust Characteristics” row where the language indicates the highest trust is in a “User-Centric” solution.  Perhaps, if time allows, it would be worth another pass at this table in an effort to balance the language.

b)      There appears to be a mis-application of the term “De-Facto Standards” as the title above paragraph 56.  The term generally refers to standards that emerge out of continual use or convention, while the paragraph itself talks about standards-setting bodies.  It’s likely this paragraph has been modified over a few iterations such that it has lost its original discussion of “de-facto standards”, in which case the paragraph title should probably be updated to something more generic such as “Other IdM Standards Bodies”.