- From: Erik Anderson <eanders@pobox.com>
- Date: Fri, 06 Nov 2015 15:31:35 -0500
- To: Web Payments IG <public-webpayments-ig@w3.org>
- Cc: macaroons@googlegroups.com
enter privacy and consumer protections. Regulation and privacy enforcement will becomes more costly than its benefit of adopting a credential standard. As was discussed at TPAC - Open Badges - SAML 1.0/2.0 - OpenID Connect - OAuth 1.0/2.0 - HubID (http://www.slideshare.net/stanstalnaker/hub-culture-hubid-digital-identity) - http://macaroons.io/ - IBake (Identity-Based Authenticated Key Exchange): https://tools.ietf.org/html/rfc6539 - etc.... List goes on and on. I feel we are reinventing too much of the wheel here. We need to work on interoperability with the above, not write a standard in competition with all of the above. I think we are trying to solve a standard problem by inventing our own competition to all of the above existing standards or technology. Some of these technologies are integrated into firewalls, routers, etc and dont even let you through the perimeter unless you are successfully identified. Additional legal/regulatory/privacy concerns: - Data compliance, data protection are already deeply regulated fields. - http://venturebeat.com/2015/10/11/the-real-impact-of-the-safe-harbor-ruling/ - http://www.bna.com/urgency-postsafe-harbor-n57982062988/ - http://fortune.com/2015/06/19/russia-data-law-billions/ - Privacy laws and regulations require strong security measures over credentials and other personally identifiable information. Any credential standard that W3C tries to drive/back had better handle legal, privacy, and regulatory issues with the movement of users identifiable information. - Theft of sensitive data and private keys are the key factor enabling many methods of payment fraud. These thefts enable misrepresentation of authority, counterfeit cards/checks, and take over or create new payment accounts. - JSON-LD, XML, ANS.1, are not the problem's to solve with sharing credentials. The problem to solve is privacy and strong authorization controls on this information sharing mechanisms. IMO, a limited time-window based access to information is important. - What Privacy Regulations Apply if the sharing includes of information crosses international barriers? Pharmaceuticals? - Regulations are already forming around privacy risks. - There are many tiers of privacy, protection, and regulation so each potential layer must have its own security permissioning on the information. In short access controls on the very identity elements. - End users can now sue non-government account and information holders who's data has been breached. - Several state have now redefined of "personal information" beyond the general definition. This new definition now includes: - finger prints & biometric data - account numbers - Personal security questions like maiden name, mothers name, pet name - Geolocation information of the user. - All data is regulated or considered private at one international authority or another. As an attorney already told me, a poorly written identity spec will likely bring liabilities to the authors. Publicly note all concerns and provide written concerns for early adopters of said standards. ALL the negatives said: - I think this effort is possible - I think it would be better to standardize an Identity Service Provider interface that includes strong authorization and credential sharing. That will force us to deal with the above technologies&compatibilities that are "somehow" inadequate to solve current credential needs. - Lot work work in/around the US Feds to come up with a "standard security framework" that a good credential/identity standard can reference to avoid privacy & regulatory liability issues. Information sharing has been around a long time so I am skeptical that prior personally-identifiable information sharing efforts were inadequate. Erik Anderson Bloomberg On 2015-11-06 01:59, Tony Arcieri wrote: > I feel Macaroons are applicable to this problem domain as well, albeit > not yet standardized: > > http://macaroons.io/ [1] > > http://research.google.com/pubs/pub41892.html [2] > > https://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/ > [3] > > https://github.com/ecordell/macaroon-compatibility [4] > > > Links: > ------ > [1] http://macaroons.io/ > [2] http://research.google.com/pubs/pub41892.html > [3] > https://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/ > [4] https://github.com/ecordell/macaroon-compatibility
Received on Friday, 6 November 2015 20:36:37 UTC