I just learned about the Liberty Identity Assurance Framework project. It seems that there are thoughts about the problem that I described earlier, see my remarks about a trust model for identity providers. The framework consists of an XML schema, that (in fact) describes several standard claims about the use of identity information. You might say, my proposed 'authlevel' and 'authmethod' claims. And the framework states that there is the need for a certification method for websites that deliver identity services.
Problem solved. Or is it? As far as I can see Liberty does mention the certification requirements for identity assurance functions, but I feel that this is not exactly what I wanted, IAF looks like a heavy, perhaps even overweight solution. Pity that there is so little expertise in The Netherlands, or I might have known earlier and perhaps reviewed stuff.
Mike Jones mentions a verified age certification service. This too looks like a promising development. But it demonstrates the problem that I described: who is IDology and what kind of assurance do they provide? Please don't see this as an attack on them, but their verification process is based on accessing public verification information, like name and address. But they don't know me, only the information that I provide, like an address. Unless I'm wrong, this is not enough. The idea of providing assurance for just a limited claimset seems ok, though.
Besides, why should I trust such a third party? It would mean that a service provider/relying party registers IDology on their own 'white list'.
I will look into both developments (there's a lot of information) and report my findings.
Geen opmerkingen:
Een reactie posten