Main Page/FTF June2015/Credentials

From Web Commerce Interest Group

Goals of this session

  • Clarify and gain shared understanding of payment use cases and capabilities with various identity / authentication / credential requirements.
  • Discuss the strategy of reviewing payments use cases alongside those from education and healthcare, to determine whether a joint effort or separate efforts are most likely to succeed.

Identity / Authentication / Credential requirements from the use cases

Time Allocation: 2:30-2:35pm (5 minutes)

Spectrum of identity requirements explicit in use cases, including

Pain points

Time Allocation: 2:35-2:40pm (5 minutes)

KYC and AML

  • Expensive, repetitive process (examples of fines include $2B in fines for JP Morgan Chase, $1.9B for HSBC, $15K-$50K in recurring costs for small correspondent banking clients)
  • 2014 KPMG survey of AML challenges:
    • "differences in national legislation and data privacy standards make it challenging to implement globally consistent standards."
    • "AML practitioners as well as senior management do not anticipate the announcements of regulatory changes, nor the speed in which new regulations are expected to be implemented."
    • "transaction monitoring has consistently been ranked the largest AML compliance cost driver."
    • "an area of even greater weakness has been identified with respect to the ability to share information from transaction monitoring across businesses and jurisdictions. Given that these may be crystallized risks, there is a need for a greater sharing than is the case today."
    • "In the current environment of increasing regulation and risk it is important to obtain information on who owns and controls your clients’ structures. Unpeeling the layers of ownership can be complex and time-consuming, but it is necessary to identify the ultimate beneficial owner, so we anticipate an increase in this practice over the next three years."
    • "Just over 49 percent of respondents think that electronic verification checks leave organizations further exposed to cybercrime. It appears that cybercrime concerns are reducing the use of automated online verification, which can have a significant long-term impact on financial institutions and their customer relationships. Specifically, by not embracing the automated technology in this area, financial institutions will forever be asking clients to produce passports or other forms of identification causing inconvenience to the customer and turning their backs on potentially large cost and time savings. While it is important to consider the risks posed by newer technologies, we believe that financial institutions should face these head on by assessing and mitigating the risks in order to take advantage of time and cost savings."
    • "Regulatory approach is fragmented and inconsistent..."
  • Cost to regulators of tracking identity

User information provided to merchants

  • Manual data entry (shipping address, billing address, entry of homeland security questions, etc.)
    • Evaluate privacy and liability issues.
  • Merchants trusting (or not caring about) assertions from unknown parties ("Are you above the age of 21?")
    • Is the industry ok with this? Where does liability reside? What are the transactions where the industry demands more assurances?
  • Users limiting sharing of sensitive data

Merchant adoption of new payment services

  • Lowering the cost of establishing a contract between merchant and payment service provider
    • Thus, we seek to lower the cost of both technology integration and contractual relationships
    • Q. What is required in practice when (small) merchants set up new payment services?

High-level Desirable Capabilities

Time Allocation: 2:40-3:05pm (25 minutes)

  • Cryptographically provable and non-repudiable claims
    • Examples: recipient is over the age of 21, lives at address X in country Y, has a motor vehicle license with ID Q, is authorized to transfer >$10K amounts for account Z
    • See thread on provable anonymous credentials
  • Composing multiple credentials together for an entity
  • Portability (i.e., user can change identity provider without impact on the validity of the credential)
  • Maximise privacy:
    • share only what is necessary to ensure regulatory compliance
    • have credentials signed against an ID specific to a particular context, so that it becomes harder to track people across transactions in different contexts
  • Minimize the risk of exposure from stolen credentials.
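
A sketch of the two "Maximise privacy" capabilities above, added here as an illustration and not taken from the session material or any group's specification. It assumes a holder-held secret for deriving per-context IDs and salted hash commitments for selective disclosure; all function names and sample values are hypothetical, and the issuer's asymmetric signature over the credential is assumed and omitted.

```python
import hashlib
import hmac
import json
import secrets

def context_id(holder_secret: bytes, context: str) -> str:
    """Identifier that is stable within one context and unlinkable across contexts."""
    return hmac.new(holder_secret, context.encode(), hashlib.sha256).hexdigest()

def _digest(name: str, value, salt: str) -> str:
    # Salted commitment: the digest reveals nothing about a low-entropy value
    # (such as a boolean) unless the salt is disclosed with it.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims: dict, subject_id: str):
    """Issuer: commit to every claim separately. Returns (credential, disclosures).
    A real issuer would sign `credential` with an asymmetric key (omitted here)."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(n, v, s) for n, (s, v) in disclosures.items())
    return {"sub": subject_id, "claim_digests": digests}, disclosures

def present(disclosures: dict, names: list) -> dict:
    """Holder: reveal only the claims this transaction needs."""
    return {n: disclosures[n] for n in names}

def verify(credential: dict, presented: dict):
    """Relying party: accept revealed claims only if each matches a commitment."""
    accepted = {}
    for name, (salt, value) in presented.items():
        if _digest(name, value, salt) not in credential["claim_digests"]:
            return None  # altered value, or a claim the issuer never made
        accepted[name] = value
    return accepted

def demo():
    secret = secrets.token_bytes(32)  # constructed holder secret
    sub = context_id(secret, "merchant-a.example")  # constructed context name
    claims = {"over_21": True, "country": "Y", "address": "X"}  # constructed
    cred, disc = issue(claims, sub)
    return verify(cred, present(disc, ["over_21"]))  # {'over_21': True}

if __name__ == "__main__":
    print(demo())
```

The merchant in this sketch learns the age assertion and a subject ID that differs from the one any other context would see; the address and country stay committed but undisclosed.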

Technologies Needed / Relevant Groups

Time Allocation: 3:05pm-3:20pm (15 minutes)

Next Steps

Time Allocation: 3:20pm-3:30pm (15 minutes)

  • Document Payment Credential Use Cases and Capabilities clearly
  • Compare Payment Credential Use Cases and Capabilities with Relevant Groups
  • Determine if a joint effort with education, healthcare, finance would be more fruitful

Supporting Material (only use as needed)

Potential benefits of credentials

  • Reuse
    • Lower cost of account creation. Even if high cost and manual process to gather and analyze documentation, once authorized, reuse verified information for subsequent accounts or transactions.
  • Easier compliance
    • Ecosystem of trusted credential issuers (government but also other parties)
  • Usability
    • Faster account creation, easier and more secure interactions with merchants, potentially increasing privacy (e.g., shipping information only available to shipper if unnecessary to merchant).

Questions and challenges with credentials

  • What approaches have been tried previously? Which have succeeded (and why) and which have not (and why)?
  • Regulator desire to track identity across transactions in tension with default Web security model of siloing identity across domains. How will we make it easier for regulator without raising risks to online privacy?
    • What are the various approaches to creating domain-specific credentials? (Can the credential issuer track the user? Can the user derive keys in a TEE?)
  • What are the economics of a credentials ecosystem (compare with Certificate ecosystem)?

Planning questions

  • Who would participate in the standardization work?
  • Who are the implementers?

Definitions

  • identity - the fact of being who or what a person or thing is.
  • credential - a qualification, achievement, personal quality, or aspect of a person's background, typically when used to indicate that they are suitable for something. Credentials are often used to establish identity.
  • issuer - an entity that issues a credential to a recipient.
    • Q. for Manu: Is the recipient the subject of the credential?
      • A. In almost every case, yes, the recipient is the subject of the credential. Where "subject" is defined as "the entity that the credential is making claims about".
  • credential consumer (also, relying party) - an entity that accepts credentials for the purpose of granting access to particular services
  • vault / credential curator (also, identity provider) - a 3rd party storage service for credentials