1) The document discusses cidSafe, a Dutch initiative to create a solution for a safe consumer identity in the Netherlands. 2) cidSafe aims to establish a high-trust consumer identity through a collaborative project between stakeholders and a focus on the financial sector. 3) The initiative will explore how a feasible solution can be achieved in the short-term through a trust framework approach and jointly working on reducing the need to trust the identity provider.

1. cid Safe
creating a solution for a safe
consumer identity in the Netherlands
Maarten Wegdam, Novay
EEMA Benelux RIG “e-Identity as a business”
23rd September 2010 @ Everett

2. Novay?
• Dutch ICT research institute
• Formerly Telematica Instituut
• Innovation projects
• Networked innovation
• Independent, not-for-profit
• ~55 researchers, multi-disciplinary
• Customers include financial sector,
government and semi-government
2

3. Example identity related projects
• STORK project – lead for WP2 that defined the Levels
of Assurance
• SURFfederation – 700k+ identity federation for higher
education in the Netherlands
• Identity-as-a-Service for B2B – for RDW
• ePassport for online authentication – for NLNet
• eRecognition review – for B2G identity, EZ/ICTU
• Mobile PKI –technology scouting / assessment for
SURFnet/Kennisnet
3

4. The consumer identity problem
An old problem
The user Service provider
• High trust is too expensive
• People forget passwords
• Lack of (validated) attributes
• Low conversion
An old (?) solution
externalize the identity with an identity provider
4
(authentication + attributes)

5. Why not (really) here yet?
Three big reasons
market lack of privacy
entry trust in issues
issues IdP
5

6. Market entry issue
100% coverage of consumers
Chicken-egg
• Identity-providers vs relying parties
• Not any more for basic trust (?)
Unclear value chain
6

7. Trust and privacy issues
Do you trust all identity providers?
• Security risk
• Business continuity risk
• Privacy risk
Our approach: Reduce the need to trust
the identity provider
Through technical means, when possible …
By making the identity provider ‘behave’
• Through laws
• Through competition
7 • By agreeing on a set of rules

8. Making the IdP behave and the
role of government
Decreasing regulation:
Government issued
Government regulated
Trust framework
Free market (tech standard)
Note: models 1 to 3 require some form of
monopoly or regulator
8

9. A trust framework
A set of rules that all players agree upon
To have more trust and a healthy ecosystem
• New identity providers can join
• Easy assess for RPs (scalability)
• Balancing interests between IdPs, RPs and users
• Privacy assurances
• Governance / audits
9

10. Trustworthiness of an identity
Authentication Identity Level of
mean binding Assurance
10

11. Consumer & citizen identity in NL
• There is a citizen identity solution: DigiD
• Issued by snail mail to home address
• Two-factor: username/password + SMS OTP
• BUT: cannot be used in the private sector
• Except healthcare & pension
11

12. cidSafe initiative
a safe consumer identity
• High-trust consumer identity
• Collaborative project by stakeholders
• Goal: breakthrough for high-trust consumer
identity in the Netherlands
• Short-term goal: if and how this is feasible,
with a focus on financial sector
12

13. Who
Partners
Sounding • Achmea, Aegon, Adfiz,
Nationale Nederlanden,
board OHRA,SNS Reaal
13

14. cidSafe trust framework:
starting points for our solution
1. General usage
2. High trust
3. Easy to use
4. Cost efficiënt for service providers
5. Privacy consious
14

15. Some cidSafe challenges
Evangelizing with relying parties
Openness vs trust
Business Model
Role of government
15

16. Take aways on cidSafe
• cidSafe is market initiative for high-trust
consumer identity in NL
• Trust framework approach
• Breakthrough by jointly working on trust
framework
More information:
http://cidsafe.novay.nl
http://maarten.wegdam.name
16