5th European eGovernment Conference'

1
eID Identity Management in an Online World

• Jerry Fishenden
• National Technology Officer
• Microsoft UK

2
agenda

• identity and electronic identity
• towards an eID framework
• online identity verification and management
• federated identity and federated trust
• privacy
• future developments

3
identity and electronic identity

• existing online identity systems apply within a
  restricted identity relationship
• many are a convenience (eg. for e-commerce) not
  an identity solution
• identity relationships include
• individual identity
• role-based identity
• group identities
• object / resource identities

4
some of our multiple government
identity-relationships
5
online identity verification

• an example Knowledge Based Authentication (KBA)
• the claimant does not need a previously
  established relationship with the relying party
• verification of an identity is based on
  information associated with and provided by the
  identity claimant
• the result depends on an acceptable level of
  consistency with information held by the
  authentication verifier

6
Camerons Laws of Identity
see www.identityblog.com
7
The 7 laws

• 1 the Law of Control. Technical identity
  systems MUST only reveal information identifying
  a user with the users consent
• 2 the Law of Minimal Disclosure. The solution
  which discloses the least identifying information
  is the most stable, long-term solution
• 3 the Law of Fewest Parties. Technical identity
  systems MUST be designed so the disclosure of
  identifying information is limited to parties
  having a necessary and justifiable place in a
  given identity relationship
• 4 the Law of Directed Identity. A universal
  identity MUST support both omnidirectional
  identifiers for use by public entities and
  unidirectional identifiers for use by private
  entities, thus facilitating discovery while
  preventing unnecessary release of correlation
  handles
• 5 the Law of Pluralism. A universal identity
  system MUST channel and enable the interworking
  of multiple identity technologies run by multiple
  identity providers
• 6 the Law of Human Integration. The universal
  identity system MUST define the human user to be
  a component of the distributed system, integrated
  through unambiguous human-machine mechanisms
  offering protection against identity attacks
• 7 The Law of Contexts. The unifying identity
  metasystem MUST facilitate negotiation between a
  relying party and user of a specific identity
  presenting a harmonious human and technical
  interface while permitting the autonomy of
  identity in different contexts

8
Government eID Projects

• Belgium

9
Government eID Projects

• United Kingdom National ID Card

Photo Source BBC Online
10
Government eID Projects

• UK Government Gateway

11
modelling identity relationships
12
federated identity and trust
13
privacy

• it must be possible to demonstrate that identity
  providers or maintainers cannot violate privacy
• BUT
• how do we accommodate legitimate investigations,
  anti-fraud measures, parental controls etc?

14
wider ID consensusbalancing security and privacy

• example parental controls
• MUST provide parents with the ability to block
  childrens access to other online users unless
  expressly permitted by them
• MUST provide parents with audit trails of
  childrens use of online and communications
  technologies, people interacted with, etc
• we need additional principles/laws/tenets to
  accommodate these scenarios not based on
  technology, but laws

15
future developments?
16
future developments?
17
summary

• identity and electronic identity
• historically lacks clear consensus on principles
• towards an eID framework
• Kim Camerons 7 laws provide a good starting
  point for evolving a model that works
• future developments
• agreed framework to accommodate different
  perspectives on the laws

18
Links

• Copy of paper
• http//ntouk.com/papers/eid.doc
• NTO UK blog
• http//ntouk.com
• Kim Camerons blog
• http//identityblog.com