Your idea of extending the audit process is a great thought.

I do share your fear that a viable business model that addresses both the complex functionality some of us techies want while addressing the much less complex needs of the majority may be hard to come by.

Happy Holidays!

Mark

I like the idea of the PIPS as you’ve described it, but as somewhat of a data nerd, there’s a further piece of functionality I’d like to see.

It’s an extension of your audit point, where you’re focused inwards on use of the PIPS itself – instead I’d like to see which SPs have my data, and whether they took a one-off copy from the PIPS IdP or if they have ongoing access.

Additionally, Ideally some kind of contract between the PIPS and the various SPs using my identity data that allows me – within the PIPS – to define how they can use my data.

Alas I fear the trouble with this utopian service is that typical consumers just don’t care enough to make it a viable business proposition.

Yes, it appears that your Kantara Group is focused directly on the issues that I bring up in my post. And I agree that the business issues, such as how IdP’s make money and how RP’s can be properly incented to work with the IdP’s are the biggest factors delaying implementation of such a system.

I look forward to seeing monitoring your work with Kanatara and reading the white papers you are producing. I’d be happy to discuss my ideas and views in more detail if you would like.

Thanks,

Mark

The idea of a bank (or anyone else) acting as your identity provider presents at least two problems. The first is liability. What if a mistake is made, and an imposter is able to claim your identity? Is the bank liable in any way? Which gets to the second problem: What is the business model for the bank to act as your IdP? Can they make any money by doing it? Why should they accept any liability if something goes wrong? I think banks would need to really push something like this, and educate the public about why this would be beneficial, to get sufficient uptake.

Then there are the Service Providers / Relying Parties who will rely on an identity assertion from your bank. Are there sufficient incentives in place to motivate these SPs/RPs to care enough about who they are dealing with in high value transactions? Many SPs/RPs don’t want to scare off customers by requiring stronger forms of authentication, but someone eventually has to pay when fraud occurs. And payment may not always be monetary; there may be "payment" in terms of a damaged reputation.

I’m hoping the US government’s Open Identity Initiative, which is starting out with low assurance applications in which a person’s true identity doesn’t matter, will eventually spur progress towards greater deployments of high assurance consumer identity services.

Thanks for your feedback. I’m working on a piece for healthcare. I’d like to get your feedback when it’s done.

I agree that too many choices can complicate things. A good system needs to be flexible enough to accommodate the "power user" but simple enough for non-techies to master easily.

Mark

I particularly like the focus on ease of use, but think you have too many choices still for ave user. After all we only have one true identity, and it should be ours to control — no exceptions, whether banking, healthcare, or anything else.

I prefer encrypted finger print combined with password protection. .02- MM