Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2013 Tuesday Session 2: Binding LoA attributes to social ids (non-technical-strategy)

Convenor: Niels van Dijk

2 cases:

  • ni doesn't want to be idp
  • Virtual organ

Why bind? Why not rely on authorization instead? Accountability. Certainty that it is the users data you are displaying.

Why social network provider id? As social id is lower LoA. Usability.

Permanent binding or temporal? Niels interested in permanent.

Need to somehow do account linking.

2 aspects -

  • of user
  • Trust

Level of trust in provider is such that people agree that Facebook does a good job of letting a person consistently log in to their account. Confidence in same identity returned to us every time is high but certainty of who that user is is low.

Assuming we get same user each time. How does LoA binding occur? Country specific, some countries insist telcos see photo id before getting a mobile no. In this case you can link id with sms code.

Could link multiple AuthN sources to increase likelihood it is the same person
Verification service can check longevity of Facebook account

Insurance company knows your address Facebook knows your friends. Could friends on Facebook vouch for you (or classmates) PGP model

Post service is just another back channel but more expensive

Sweden building an IdP for prospective students. Don't want them to all come to uni so looking at using Post office. Not good for foreign students...

Trust and privacy. If you bind social network provider x to other ids, what other services can social network provider x see?

social network provider apis are unstable. Terms of use prohibit using as a proxy. No service level agreements so it is a risk to use.
social network providers aren't interested in being IdPs

Would be useful to discuss this with social network providers in the room.

Most academic federations have a base level LoA. Dutch post office has requested attributes from Surfnet as knowledge of who is a student is useful.

Leif Johansson is working on a registry of LoA to help mapping between different federations, sectors, countries (RFC 6711).

Is social network provider an attribute provider rather than an IdP? Or are we more interested in valid authentication?
Getting required attributes is hampered by data protection. Easier to get required attributes from social network provider?

Enrollment for virtual organizations is horrible unless you do the PGP model.
social network provider id is very LoA.

All social network provider can do is state this authentication is correct and same as previous authentication. If on top of social network provider log in you can present certificate or PGP then that is how you increase LoA.
1. Don't do this
2. Don't assume it will work forever but can assume same user
3. Find additional channel to do step up authentication. A cheap way would be PGP.

Devil is in LoA
There are many privacy and other issues.

All identity claims are self asserted if you go back far enough...