From IVP Wiki



National Strategy for Trusted Identities in Cyberspace

Privacy Workshop

June 27-28, 2011 / MIT Media Lab / Boston, Mass.

By Bill Densmore

Hash tags: #nstic.mit #nstic


Lead by Kellie Cosgrove Riley (Federal Trade Commission division of privacy and identification).



How do you implement Fair Information Practice Principles in a national identity infrastructure?

(In keeping with an open discussion, and because it’s difficult to do so, these comments are not attributed to specific individuals and are merely indicative of key points of the conversation in the room).

  • A "religious" debate about aspects of SAML starts off.
  • Now a discussion about how attributes may be used -- who controls? Are there default uses?

What do we want the identity provider to tell the relying party?

Should we say the relying party can only get what they need to let this person in.

Different schools of thought of how to turn high-level principles into solutions.


We cannot discuss the policy until we have figured out what the scope is.

Everyone talks about entitity but they mean different things.

It seems like the group hasn’t yet developed uses cases for tools for solving real problems.

See if we can establish a way for access with different levels of credentials, can be supported in a trustworthy way. For NSTIC concept is not to create one identifier but to create access to government and others – health, higher education – that offer online services in a way that would be standardized, allowing the concept of accreditation for identity providers. This discussion is about privacy requirements.

Microsoft rep says they have developed internal implementation of FIPPS concepts. They focus a lot on notice. Many products have been through compliance against the Microsoft standards. How do you meet privacy concepts and still have good usability.

If you want to talk about privacy, you have to talk about all the effects. Otherwise we are just talking about security and identity. That’s when consent comes into play. If you aren’t involved it talking with users about consent, you are nowhere.

What do we think about consent, about an individual who has a credential?

Want to be able to store the permissions for different relying parties with the service provider and have those be updatable.

NSTIC is about initiating a relationship or reconfirming a relationship. The ongoing relationship is between the relying party and the consumer.

Two scope issues have come up repetitively. One is consent. Other scope question is does that stuff apply to one kind of person or role or another?

Consent is transaction based and the transaction is either between the requestor and relying party, the requestor and the identity provider, or between the identity provider and the relying party.

There needs to e user responsibility in the whole equation. It’s a contract, you have agree with how our attributes are going to be used. We’re not doing this for you we are doing this with you and you have a role to play in this.

The issue of consent is raised.

The notion of minimum necessary – My credit card company basically says we’re concerned about your personal information and we are going to do whatever we want with it. You may not have much choice if you need that service, to agree to their terms. That aspect of minimm necessary and having some enforcement of that. Because without that the idea of user participation is not possible.

Minimum necessary has to do with what is collected.

In addition to talking about uses cases, should also talk about the threat issues. When information gets exposed, along with it you better make sure the policies for managing those go along with them. We need a model for how to provide metadata about use restrictions that flow with information.

If we are going to do anything else besides terms and conditions, is there a mechanism to enhance it, not necessarily replace it.

Commentator says he has a background is financial services and payment services and is naïve about most of what’s being discussed. Financial services has been a pr at obscuring things. If this session is about turning principals into operational and application I think you are really onto something with the consent. The cyberworld needs a new methodology and not the king’s English done 15 different ways from 15 different providers. He suggests some color codes or something about data usage. “That would to me be a huge step forward and would actually have some usability.”

Q: Are there some basic things that as a user I have to consent to in order to be able to participate in the ecosystem?

Identities are identities and attributes are attributes. They should be kept separate. But can they be kept separate?

If you have a choice to provide an attribute (like an email address) that makes it different. Some attributes could come from an attribute store, if you could be sure they were reliable.

Rules about use of attributes have to be recorded separately.

Two other issues NSTIC may want to say no to: Digital fingerprinting. At what point have I identified someone to that person. Other issue: Handling requests or warrants for privacy-protected information. If I am maligned online and I say I want to know who maligned me online. This person did something, tell me who it is? What are protections or processes under which I can or cannot get that information?

What is NSTIC’s purpose?

Do we want to revisit the term PII – is that commonly understood as to what it applies to. Is it broader than what we think of it now? What’s connected in a cooking for advertisers may not be PII, but it creates privacy concerns.

Lots of information out there. If you test it at the use level, that’s important. Data is going to flow. Information is different from data. Data plus meaning equals information. You need an obsrever to have information. When you have a user you can apply rules to the use of the information. A set of standardized duties across populations. You don’t take users out of it. That way it takes the original data collection out of it. When you have a recognition event, then you have a use case to apply.

What needs to be improved in FIPPS -- notion of clarity, need some kind of colors or symbols or privacy icons (as Mozilla has). Problems with how to convey all these kinds of information across extremely diverse network.

WRAPUP by the notetaker:

  • Consent should be transaction based.



Discussion about auditing of levels of assurance

What about metrics for privacy enforcement. How do you quantify privacy protection?

There are things that can be learned from PKI’s failures. It was helpful in SSL, but it has been very hard to get it traction in terms of tokens for people. In privacy, how to we enforce or make it real.

Who comes up with those metrics?

“An integrated set of multiple agreements” is a trust framework, according to the ABA. The system has to have 1,000 eyes. Who determines constitutionality? Supreme Court. Statutory – legislative. Distributed enforcement mechanism. “We shouldn’t try to plow this all into one enforcement mechanism.”

There’s a tiered structure of trust frameworks so it is everybody’s responsibility.

If you construct the ruleset correction then it will be subject to both individual and institutional enforcement.

Assessment: Resiliency and recovery. When everbody is responsible and it comes apartment, what is the recovery and resiliency plan. That’s got to be part of assessing for risk and accountability for getting it back up again.

One technical solution is the ability track information flows across the network. The idea of an HTTP header that traces the data as it flows through – something Tim Berners-Lee is working on. Auditing is an expensive solution, tracking is not.

How do you audit the use of attributes. Use is by the relying parties. You need the technical means to audit that at will. There is also an issue of conflicts of identities, or personas for different purposes.

Maybe the IDPs would evaluate the relying parties.

(Densmore observation: Expecting each identity provider to audit relying parties is an N2 problem. It would be a crushing borden on the IDP; nobody would want to be an IDP. What’s needed is a trusted fourth party to maintain the framework by audit, sampling or census. )

Who has the accountability, the enforcement mechanism?

If there doesn’t have to be uniformity then who checks on that. Is it the steering groups role to check on the privacy protections and censor someone for not following them. What is the consequence?

The steering group is going to have to say I am going to allow or certify certain trust frameworks. Auditing rules are managed by the trust framework, a set of rules based on what the steering group has said they ought to be?

The steering committee will decide whether a trust framework provider isn’t following the rules of the game.

Karen Sollins, MIT: WE don’t live in an isolated world. Other countries are already doing things and they are not going to buy into “our” model. Steering committee doesn’t get to decide what the EU is going to do. “The steering group has to coordinate at a minimum with other international organizations which are doing the same thing . . . it is not something that comes out of NIST, I can tell you – not globally.”

The power should be if you are not following the rules as an identify provider, we will not accept your credentials.

Leading by example can be a really good thing, if the U.S. government could be leading in terms of privacy instead of being compared unfavorably with other parts of the world. “There needs to be a governance body, where you can go to and discuss and come to understandings.”

Is NSTIC steering group enough or is something else needed? Does there neeed to be a sub-steering group. Is there a privacy subgroup? It is OK for the steering committee to hear proposals. Working groups that are set up to decided things never decide. It is best to have a decision-making body.

AT most of these meetings, very few hands go up as relying parties. Lots of hands go u p as identity providers and a few go up as representing users.

When should there be a governing structure?

U..S. private sector has always valued self-regulation. That is the route we will probably go. Is self regulation where it should go? Or should there be regulation? Commentator thinks there should be some penalties for non-compliance.

Sequence: Decided if this body should be involved, and then decided what it should be.

Discussion about ICANN and how it works and it is seen worldwide as a quasi-US thing.


  • Defined as assessment implementation and enforcement
  • Vendor oversight, or U.S. steering committee?
  • Adjudicatory – can you sue a trust framework?
  • Certification model to operate internationally
  • U.S. government model – create standard enforced by purchasing power