Comments on: Holy grail or another false start for identity http://thebankwatch.com/2010/03/04/holy-grail-or-another-false-start-for-identity/ Tracking the evolution of financial institutions Mon, 13 Feb 2012 00:48:52 +0000 hourly 1 http://wordpress.com/ By: Colin Henderson http://thebankwatch.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29078 Fri, 05 Mar 2010 04:50:58 +0000 http://bankwatch.wordpress.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29078 Chris … thanks so much for stopping by. The LOA -n point resonates and settles the direction for me actually. I am still working through the white paper, and did not pick up on the significance of the LOA concept, but following your comment here and searching for LOA, now makes sense of it all for me, and goes some way to answering my questions.

As you note, this is where it all begins, and something this large has to begin somewhere.

As a side-note, I am impressed by your steadfast adherence for an open identity model, and seeing Google as part of this partnership makes me appreciate that you are personally moving Google strategy. I commend you for that. That is not inconsequential.

Best wishes and good luck.

]]> By: 15Mb: yet another blog from Dave Birch » Blog Archive » My tweets on 2010-03-04 http://thebankwatch.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29076 Fri, 05 Mar 2010 00:06:52 +0000 http://bankwatch.wordpress.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29076 [...] @petervan More OIX http://thebankwatch.com/2010/03/04/holy-grail-or-another-false-start-for-identity/ (another step forward for openid?) [...]

]]> By: Chris Messina http://thebankwatch.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29073 Thu, 04 Mar 2010 15:57:53 +0000 http://bankwatch.wordpress.com/2010/03/04/holy-grail-or-another-false-start-for-identity/#comment-29073 It’s worth pointing out that this is really just the first step down this path, and it take a lot of work to build federated trust models — which are really necessary if we’re ever going to see transactions of any value be carried over OpenID and related technologies.

As for your point about Google not knowing who you are — there are two responses. First, this trust framework really only deals with what’s called “LOA 1″, which is the first of NIST’s four “levels of assurance”:

http://www.cio.wisc.edu/security/initiatives/levels.aspx

Therefore if you use your OpenID at LOA-1, your IDP doesn’t need to have verifiable proof that you are whoever you say you are. In fact, they really have no way to know who’s on the other end of the connection — this is essentially self-asserted identity. If I said my name was “Fred”, you’d say, “Nice to meet you Fred” and treat me as though I were a stranger.

The more interesting cases show up in LOA-2, 3, and 4. But this is where it all begins.

]]>