ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, 15-16 September 2014). Introduction of ISO/IEC 29003 Identity Proofing. Patrick Curry, Director, British Business Federation Authority (& SC27 WG5), patrick.curry@federatedbusiness.org.
Why is identity proofing so important?
• Trust is globally, strategically essential
• Authentication is key to trust
• Strength of credential usually depends on strength of enrolment & registration
• Core of enrolment is identity proofing and verification
• Situation is evolving fast and becoming more complex
• National eID
• Employee credentials
• Consumer credentials
• Low and high maturities
• Federation is key. Not to be confused with Mutual Recognition
Why is identity proofing so important?
• Strength of credential usually depends on strength of enrolment & registration. But:
• Anonymity
• Partial anonymity
• Pseudonymity
• Depends on the use case
What is identity proofing?
• Process from application to entry into a register = authoritative source
• Questions
  • Does the identity exist?
  • Can it be bound to a real person?
• Identity proofing
  • Checking the application & evidence of identity for Level of Assurance (LoA)
  • Checking binding to the subject
• Verification
  • Examining corroborative sources of data
  • Looking for contra-indicators
  • No involvement with the subject
Identity vs PII
[Diagram labels: Eligibility; Capability; Business Administration; Service Delivery; Identity proofing and verification; Identity]
Identity: the minimum number of attributes that allow the person to be unique from all others in the context
Key points
• Identity is the minimum
• One identity proofing process will always rely on other previous processes – unless it is the first.
• Authentication is only the act of identifying a returning user.
The Key Entities
• Person
  • Complicated
  • Much national variation
• Organisation
  • Register(s) of Legal Organisations
  • 6 categories of attributes; 2 mandatory
• Device
  • TPM best practice – where do FIDO and IBOPS fit?
  • Secure issuance
• Software
  • To be confirmed
The fast changing international situation
• National cyber strategies
• Cyber control frameworks
• Pressure for strong authentication
• New regulations
• EU eID Authentication & Signature Regulations
• Emerging US ID Verification standard
• Many national e-ID programmes
• More authentication requirements in supply chains
The role of international standards
• Enable interoperability = agility
• Enable deployment and affordability
• Reduces risks and costs
• Standards bodies need to:
  • Engage with governments and industry
  • Establish better coordination
  • Move faster
Conclusions and Recommendations
• Too slow
• Spread the load
• Avoid gaps
• Broadening communities
• Based on national policies
• Become more proactive
• Collaborate with ISO and ?
• Framework approach
• Communicate better
• Governments need to participate