Re: Credentials Task Force proposal from Erik Anderson on 2015-11-06 (public-webpayments-ig@w3.org from November 2015)

From: Erik Anderson <eanders@pobox.com>
Date: Fri, 06 Nov 2015 15:31:35 -0500
To: Web Payments IG <public-webpayments-ig@w3.org>
Cc: macaroons@googlegroups.com
Message-ID: <4a4dd83789860e6851587dbee12cfd74@pobox.com>
enter privacy and consumer protections.

Regulation and privacy enforcement will becomes more costly than its 
benefit of adopting a credential standard.

As was discussed at TPAC

  - Open Badges
  - SAML 1.0/2.0
  - OpenID Connect
  - OAuth 1.0/2.0
  - HubID 
(http://www.slideshare.net/stanstalnaker/hub-culture-hubid-digital-identity)
  - http://macaroons.io/
  - IBake (Identity-Based Authenticated Key Exchange):  
https://tools.ietf.org/html/rfc6539
  - etc....

List goes on and on. I feel we are reinventing too much of the wheel 
here.

We need to work on interoperability with the above, not write a standard 
in competition with all of the above. I think we are trying to solve a 
standard problem by inventing our own competition to all of the above 
existing standards or technology.

Some of these technologies are integrated into firewalls, routers, etc 
and dont even let you through the perimeter unless you are successfully 
identified.

Additional legal/regulatory/privacy concerns:
   - Data compliance, data protection are already deeply regulated 
fields.
   - 
http://venturebeat.com/2015/10/11/the-real-impact-of-the-safe-harbor-ruling/
   - http://www.bna.com/urgency-postsafe-harbor-n57982062988/
   - http://fortune.com/2015/06/19/russia-data-law-billions/
   - Privacy laws and regulations require strong security measures over 
credentials and other personally identifiable information. Any 
credential standard that W3C tries to drive/back had better handle 
legal, privacy, and regulatory issues with the movement of users 
identifiable information.
   - Theft of sensitive data and private keys are the key factor enabling 
many methods of payment fraud. These thefts enable misrepresentation of 
authority, counterfeit cards/checks, and take over or create new payment 
accounts.
   - JSON-LD, XML, ANS.1, are not the problem's to solve with sharing 
credentials. The problem to solve is privacy and strong authorization 
controls on this information sharing mechanisms. IMO, a limited 
time-window based access to information is important.
   - What Privacy Regulations Apply if the sharing includes of 
information crosses international barriers? Pharmaceuticals?
   - Regulations are already forming around privacy risks.
   - There are many tiers of privacy, protection, and regulation so each 
potential layer must have its own security permissioning on the 
information. In short access controls on the very identity elements.
   - End users can now sue non-government account and information holders 
who's data has been breached.
     - Several state have now redefined of "personal information" beyond 
the general definition. This new definition now
       includes:
        - finger prints & biometric data
        - account numbers
        - Personal security questions like maiden name, mothers name, pet 
name
        - Geolocation information of the user.
   - All data is regulated or considered private at one international 
authority or another.

As an attorney already told me, a poorly written identity spec will 
likely bring liabilities to the authors. Publicly note all concerns and 
provide written concerns for early adopters of said standards.

ALL the negatives said:
   - I think this effort is possible
   - I think it would be better to standardize an Identity Service 
Provider interface that includes strong authorization and credential 
sharing. That will force us to deal with the above 
technologies&compatibilities that are "somehow" inadequate to solve 
current credential needs.
   - Lot work work in/around the US Feds to come up with a "standard 
security framework" that a good credential/identity standard can 
reference to avoid privacy & regulatory liability issues.

Information sharing has been around a long time so I am skeptical that 
prior personally-identifiable information sharing efforts were 
inadequate.

Erik Anderson
Bloomberg

On 2015-11-06 01:59, Tony Arcieri wrote:
> I feel Macaroons are applicable to this problem domain as well, albeit
> not yet standardized:
> 
> http://macaroons.io/ [1]
> 
> http://research.google.com/pubs/pub41892.html [2]
> 
> https://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/
> [3]
> 
> https://github.com/ecordell/macaroon-compatibility [4]
> 
> 
> Links:
> ------
> [1] http://macaroons.io/
> [2] http://research.google.com/pubs/pub41892.html
> [3]
> https://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/
> [4] https://github.com/ecordell/macaroon-compatibility
Received on Friday, 6 November 2015 20:36:37 UTC