I gave two presentations recently that I’ll share in this post. They were for quite different audiences, and in different countries, but both in the area of identity federation, user centric identity and mobile centric identity.
The first presentation was at the Dutch Identity 2009 event, which was co-located with ISSE 2009 this year. This took place in Scheveningen (The Hague), on 6-7 October 2009. I presented my views on trends in identity federation and user centric identity. Among others, I argued that SAML is just as user centric as OpenID, or at least, can and should be…
Highlights of Identity/ISSE 2009 for me were the presentation by Don Schmidt (Microsoft), who talked about claims-based identity, and a presentation on the Norwegian BankID, which discussed the status of the Norwegian collaboration between banks to provide identity services to the public and private sectors.
The second presentation was at the National eID & ePassport conference, which is taking place as I type this (22-23 October 2009), in Lisbon. It was organized by, among others, Multicert, who invited me to talk about and discuss mobile centric identity. It was an audience not very familiar with user centric identity, so I first introduced this. I then argued that this implies mobile centric identity, and that using the mobile phone is only the first step towards mobile centric identity.
There are three things I believe will continue to gain importance in the coming years: identity federation, user centric identity and mobile applications. I can combine them in what we refer to as mobile centric identity. When considering mobile centric identity, we refer not only to an identity solution that works for mobile applications, but also consider the mobile phone to be a good (or the best) way to control your identity when using ‘old fashioned’ PC-like applications (including web browsers). I’ll focus in this post on a specific way to implement mobile centric identity: using InfoCards on a mobile phone. I’ll leave the more general mobile centric identity subject, including how to use mobile phones for authentication (Mobile PKI etc.), for another time.
With all its promise, InfoCard has so far been mostly a desktop-only way to implement user centric identity. I looked around for a student to work with me on the subject of making InfoCards mobile, and found Florian van Keulen. He also found the subject interesting, and did his BSc Telematics graduation assignment with me (and Marten van Sinderen). He dived into the status of the different implementations, and analyzed what the issues are in making InfoCard mobile. The good news is that we did not find any reason why InfoCard could not become mobile, and that there are even some first implementations coming. The main issue when porting the InfoCard identity selector appears to be that the needed libraries are not there, making it a lot of work. Making InfoCard mobile is, however, more than porting the identity selector; the more challenging part is how to (securely) roam one’s identities between the different fixed and mobile devices. This means that a user can use the same identities on his or her mobile phone as on other (fixed or mobile) devices the user may be using. Of course without having to manually import/export InfoCards… The main contribution of Florian’s work is comparing the different architectures to do this. One way to do this is to store the cards ‘in the cloud’, as Azigo seems to be doing (but they do not have a mobile identity selector as far as I’m aware). The architecture we decided to detail is, however, a different one: we put the InfoCards and the identity selector in the mobile phone’s SIM card, and connect this via Bluetooth to a fixed PC. It’s more complicated to implement, but we believe it is also more secure. I’ve put Florian’s thesis online so you can read it for yourself: http://www.novay.nl/okb/publicaties/mobile-user-centric-identity-through-information-cards/7248 (titled: “Mobile User Centric Identity through Information Cards, Architectures to use same identities on mobile phones and computers”).
Unfortunately, implementing it was too much work for a BSc assignment, but I may find another student or some project to continue working on making InfoCards mobile.
In both the EU and the US there is a lot happening on how citizens identify themselves for e-government services, especially the STORK project in the EU and the ICAM work in the States. Their approaches to e-government identity are drastically different, but I’ll focus in this post on what they share: levels of assurance. Basically, level of assurance refers to how certain an identity provider is w.r.t. the identity of the user, which depends on both the authentication means used and the identity binding process (see, e.g., here for an informal explanation). Both sides of the ocean use (more or less) the same four levels that originate from NIST:
Level 1: Little or no confidence in the asserted identity’s validity.
Level 2: Some confidence in the asserted identity’s validity.
Level 3: High confidence in the asserted identity’s validity.
Level 4: Very high confidence in the asserted identity’s validity.
Looking at the US profiles for OpenID and InfoCard, what got my attention right away is that OpenID is only permitted for level 1 (i.e., no confidence), and that InfoCard is permitted for levels 1 to 3 (I couldn’t find the levels for SAML). This seems to me a good decision: OpenID is much less secure than InfoCard, and (in its current version) should IMHO only be used for low security e-services. I had a brief discussion with my colleague Bob Hulsebosch, who was the main author of the STORK D2.3 deliverable (Quality Authenticator Scheme) that describes the mapping of the different national authentication levels to the STORK (NIST based) levels. My conclusion from this discussion is that I’m not convinced of the need for an assurance level 1 solution for e-government, and, as a consequence, of the usefulness of OpenID for e-government. Most e-government services I expect are level 2 and up. This is also confirmed by the fact that many EU countries (including the Netherlands) do not have a level 1. Also, the examples in the US document “E-Authentication guidance for federal agencies” for level 1 seem somewhat far fetched IMHO. And even if there are some significant e-government services for which level 1 would be OK, then still InfoCard would be much preferred because of its support for higher levels as well.
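As an added illustration of the levels-of-assurance gate a relying party would apply (example code written for this edit, not code from the post, STORK or ICAM): the effective level is taken as the minimum of the strength of the authentication means and of the identity binding process, since the level depends on both, and is then capped by the per-protocol ceilings the post reads from the US profiles (OpenID: level 1 only; InfoCard: levels 1 to 3; no ceiling is known for SAML on this page, so none is applied). The strength tables, attribute names and the `Assertion` record are assumptions made for the example and are not taken from any standard.

```python
"""Relying-party level-of-assurance (LoA) gate.

Added illustration for this post; not code from the post, STORK or ICAM.
Effective LoA = min(authentication-means strength, identity-binding strength),
further capped by the protocol ceilings the post reads from the US profiles.
The strength tables below are constructed for this example only.
"""
from dataclasses import dataclass
from typing import Optional

# The four NIST/OMB-style levels as listed in the post.
LOA_DESCRIPTION = {
    1: "Little or no confidence in the asserted identity's validity",
    2: "Some confidence in the asserted identity's validity",
    3: "High confidence in the asserted identity's validity",
    4: "Very high confidence in the asserted identity's validity",
}

# Assumed strengths of authentication means (constructed, illustrative only).
AUTH_MEANS_LEVEL = {
    "password": 1,
    "password_and_otp": 2,
    "software_certificate": 3,
    "hardware_token_pki": 4,
}

# Assumed strengths of identity binding / proofing (constructed, illustrative only).
IDENTITY_BINDING_LEVEL = {
    "self_asserted": 1,
    "remote_document_check": 2,
    "in_person": 3,
    "in_person_with_verified_records": 4,
}

# Protocol ceilings as the post reads them from the US profiles.
# None means no ceiling is known on the page, so none is applied.
PROTOCOL_MAX_LOA: dict[str, Optional[int]] = {
    "openid": 1,
    "infocard": 3,
    "saml": None,
}


@dataclass(frozen=True)
class Assertion:
    """What the relying party learns about how the identity was established."""
    protocol: str
    auth_means: str
    identity_binding: str


def effective_loa(assertion: Assertion) -> int:
    """Derive the LoA a relying party may attribute to an assertion.

    Fails closed: an unknown protocol, authentication means or binding
    process raises instead of being guessed at.
    """
    try:
        auth = AUTH_MEANS_LEVEL[assertion.auth_means]
        binding = IDENTITY_BINDING_LEVEL[assertion.identity_binding]
        cap = PROTOCOL_MAX_LOA[assertion.protocol]
    except KeyError as missing:
        raise ValueError(f"unknown assertion attribute: {missing}") from None
    # The weaker of the two processes bounds the confidence in the identity.
    level = min(auth, binding)
    # A protocol permitted only up to a given level cannot carry more
    # assurance, however strong the authenticator behind it.
    if cap is not None:
        level = min(level, cap)
    return level


def admit(required_loa: int, assertion: Assertion) -> tuple[bool, str]:
    """Decide whether an assertion satisfies a service's required level."""
    if required_loa not in LOA_DESCRIPTION:
        raise ValueError(f"required LoA must be 1-4, got {required_loa}")
    level = effective_loa(assertion)
    if level >= required_loa:
        return True, f"level {level} meets required level {required_loa}"
    return False, (f"level {level} ({LOA_DESCRIPTION[level]}) is below "
                   f"required level {required_loa}")


if __name__ == "__main__":
    # A strong authenticator over OpenID is still capped at level 1 by the profile.
    print(admit(2, Assertion("openid", "hardware_token_pki", "in_person")))
    # The same authenticator and proofing via InfoCard reaches level 3.
    print(admit(2, Assertion("infocard", "hardware_token_pki", "in_person")))
    # Weak identity binding bounds the level even with a strong authenticator.
    print(admit(2, Assertion("saml", "hardware_token_pki", "self_asserted")))
```

The point the gate makes concrete is that the cap applies to the protocol, not the credential: a hardware PKI token presented through an OpenID assertion still lands at level 1 under these ceilings, and a strong authenticator bound to a self-asserted identity is likewise held at level 1 by the binding process.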
Of course, I only follow the US e-government identity discussion from a distance, and maybe there are excellent reasons for supporting a level-1-only scheme. Anyone who has a pointer to an explanation for this, please send this to me. Also a motivation for the Levels of Assurance decisions for OpenID, InfoCard and SAML is very welcome.