Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Some claims are more verified than others (20070613)
Eric Norman writes yesterday in "What does an IdP do?"
"Here's what I think an IdP does. An IdP provides testimony regarding the accuracy of claims. An IdP does not function as some sort of repository where users create, store, and manage information about themselves."
and
"One of the consequences of Law 3 is that it makes most sense for an IdP to provide testimony regarding the accuracy of claims if it's already their business to know."
I agree with Eric that an IdP should focus on making claims that the IdP is in the business of knowing, and that the user might not be able to directly update many of these kinds of claims about them (a university IdP providing a student's grade point average, a credit bureau providing a cardholder's credit rating, an auction site providing a participant's reputation).
Where I am most concerned is with scenarios in which the IdP and the RP have a trust relationship, and the IdP, in order to help out its RP customers/partners, provides additional attributes about the user. Authentication services and attribute services are often combined. Kim Cameron in "The Laws of Identity" uses as an example
"A set of claims might convey personally identifying information - name, address, date of birth and citizenship, for example."
For example, if eBay were to operate as an identity provider for its registered users (buyers and sellers), its merchant community might be relying parties that trust eBay as an identity provider. Suppose a merchant has its own web site for browsing inventory or order processing, and a buyer visits the relying party web site. The user selects their eBay managed card, and the relying party accepts claims from the eBay identity provider. The eBay privacy policy states
"We may collect and store the following personal information:
- ...shipping, billing and other information you provide to purchase or ship an item;
We may also share your personal information with:
- ...Other third parties to whom you explicitly ask us to send your information (or about whom you are otherwise explicitly notified and consent to when using a specific service)."
It would be non-controversial that eBay provides a claim with the user's eBay userid, and a claim with the user's eBay reputation score (or a signed reputation value, or an address of a web service where the RP can get the user's latest reputation). Those claim values might have additional metadata information attached to them by which eBay asserts its belief that this information is accurate, as eBay is authoritative.
Furthermore, I'd expect that eBay would also provide additional information that its merchants expect to know about a buyer. I'm not an expert on eBay, but I suspect that "shipping address postal code", "shipping address country", "preferred shipping method", "preferred method of payment" are claims about a buyer that a relying party might expect eBay to provide, in order for the relying party to offer the buyer a good user experience. eBay, however, is not authoritative about the shipping location of the buyer, for it has never shipped anything to the buyer. eBay might have gotten the value of the "shipping address postal code" directly from the user when the user registered, or from other merchants who have shipped information to that buyer in the past. eBay might attach metadata information to them by which eBay asserts that it is not authoritative for these values.
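As an added illustration (not code from this post, from eBay, or from any real IdP), here is one way a relying party could act on per-claim provenance metadata of the kind described above: the claim names, the three provenance labels, the sample token and the RP policy table are all assumptions, and a claim arriving with no metadata is deliberately treated as no better than user-asserted.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

class Provenance(Enum):
    AUTHORITATIVE = "authoritative"       # IdP is in the business of knowing this
    USER_ASSERTED = "user-asserted"       # typed in by the user at registration
    THIRD_PARTY = "third-party-reported"  # relayed from e.g. a merchant who shipped to the buyer

@dataclass(frozen=True)
class Claim:
    name: str
    value: str
    provenance: Provenance

def parse_claims(raw: List[dict]) -> List[Claim]:
    """Build Claim objects from a (hypothetical) wire form. A claim that carries
    no provenance metadata is treated as merely user-asserted, never as verified."""
    out = []
    for item in raw:
        prov = Provenance(item.get("provenance", Provenance.USER_ASSERTED.value))
        out.append(Claim(item["name"], str(item["value"]), prov))
    return out

# Constructed sample token body, as an eBay-style IdP in the scenario above might issue it.
SAMPLE_TOKEN = [
    {"name": "userid", "value": "buyer123", "provenance": "authoritative"},
    {"name": "reputation_score", "value": 412, "provenance": "authoritative"},
    {"name": "shipping_postal_code", "value": "94105", "provenance": "user-asserted"},
    {"name": "shipping_country", "value": "US"},  # no metadata at all
]

# Hypothetical RP policy: which provenance levels suffice for each (claim, purpose) pair.
ANY = frozenset(Provenance)
AUTH_ONLY = frozenset({Provenance.AUTHORITATIVE})
RP_POLICY: Dict[Tuple[str, str], FrozenSet[Provenance]] = {
    ("userid", "account_link"): AUTH_ONLY,
    ("reputation_score", "risk_decision"): AUTH_ONLY,
    ("shipping_postal_code", "prefill_form"): ANY,
    ("shipping_postal_code", "ship_without_confirmation"): AUTH_ONLY,
    ("shipping_country", "prefill_form"): ANY,
}

def usable_for(claims: List[Claim], name: str, purpose: str,
               policy: Dict[Tuple[str, str], FrozenSet[Provenance]] = RP_POLICY) -> Optional[str]:
    """Return the claim value if its provenance meets the RP's bar for this purpose,
    else None. A (claim, purpose) pair with no policy entry is denied by default."""
    allowed = policy.get((name, purpose))
    if allowed is None:
        return None
    for c in claims:
        if c.name == name and c.provenance in allowed:
            return c.value
    return None
```

The same user-asserted postal code is good enough to prefill a form but not to ship without confirmation, which is the distinction the metadata exists to make.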