Consumer Identity:

a Dutch Perspective on Benefits,

Issues and Next Steps

Maarten Wegdam, Novay

European Identity Conference 2010

6 May 2010, Munich

Novay?

• Dutch ICT research institute

• Formerly Telematica Instituut

• Innovation projects

• Networked innovation

• Independent, not-for-profit

• ~55 researchers, multi-disciplinary

• Customers include financial sector,

government and semi-government

2

The consumer identity problem

An old problem

3

The user Service provider

• High trust is too expensive

• People forget passwords

• Lack of (validated) attributes

• Low conversion

An old (?) solutionexternalize the identity with an identity provider

(authentication + attributes)

Why not (really) here yet?

4

Three big reasons

market

entry

issues

lack of

trust in

IdP

privacy

issues

Market entry issue

5

100% coverage of consumers

Chicken-egg

• Identity-providers vs relying parties

• Not any more for basic trust (?)

Unclear value chain

Trust and privacy issues

Don’t trust your identity provider!

• Security risk

• Business continuity risk

• Privacy risk

Reduce the need to trust the identity provider

• Through technical means, when possible …

• By making the identity provider ‘behave’

• Through laws

• Through competition

• By agreeing on a set of rules

6

7

Making the IdP behave and the

role of government

Decreasing regulation:

Note: models 1 to 3 require some form of

monopoly or regulator

Government issued

Government regulated

Trust framework

Free market (tech standard)

A trust framework

A set of rules that all players agree upon

To have more trust and a healthy ecosystem

• New identity providers can join

• Easy assess for RPs (scalability)

• Balancing interests between IdPs, RPs and users

• Privacy assurances

• Governance / audits

8

A Dutch perspective

• E-government solution (DigiD) cannot be

used in the private sector

• A basic-trust initiative: OpenIDplus.nl

• A high-trust initiative: cidSafe

9

+

OpenIDplus.nl trust framework

• Basic trust consumer-2-business identity

• Based on OpenID

• Subgoals

• Improve interoperability, security & privacy (somewhat)

• Set of rules for IdPs, and RPs, to increase trust

• Governance

• Standardize per-attribute validate methods

• Create critical mass (IdPs and especially RPs)

10

market

entry

OpenIDplus.nl

Per-attribute validation methods

• Standardization trust levels is needed for RP

• To interoperate with different IdPs (scalability)

• Common approach: levels of assurance for an identity

• NIST / STORK levels 1 to 4

• Combines authentication, identity binding etc

• BUT: existing IdPs support different sets of attributes,

validated in different ways

• Scalability compromise:

per-attribute standardized validation methods

11

OpenIDplus.nl

Status

• Draft specification and (very) draft rules

• Successful proof-of-concept with the specification

• Starting next phase: larger scale testing, setting up

governance, finalize spec & rules

• Go ‘live’ end of the year (?)

• Ongoing debate: how ‘big’ is the plus?

Non-exchaustive list of involved companies:

Wehkamp, SURFnet, ANWB, Hyves, Unive, TMG,

DigiNotar, NPO, Holder, ECP-EPN, Evidos, Novay

12

cidSafe initiativea safe consumer identity

• High-trust consumer identity

• Collaborative project by stakeholders

• Goal: breakthrough for high-trust consumer

identity in the Netherlands

• Short-term goal: if and how this is feasible,

with a focus on financial sector

13

cidSafe status

• Started in February 2010 …

• Studying Dutch and foreign successes and

failures; business case for relying parties;

business modeling; outline of trust

framework; evangelism …

• http://cidsafe.novay.nl

• Partners:

14

Why (now) two Dutch consumer identity

initiatives?

Too big (?) difference in

• needed trust

• value chain

• timeframes

• user perception (and context)

• possible role of government

A basic-trust solution will help a high-trust

solution!

15

Take aways

• Breakthrough in consumer identity by jointly

working on trust frameworks

• Balance openness with trust

• Role of government important and varies

between countries

In Netherlands:

• A basic-trust initiative: OpenIDplus.nl

• A high-trust initiative: cidSafe

16More information: http://maarten.wegdam.name