Where identity will be
The Digital Identification and Authentication Council of Canada (DIACC), a non-profit coalition of public and private sector leaders, recently released a strategy paper on Building Canada’s Digital Future, which articulates a vision of the future of identity and secure online transactions in Canada.
Canadian public sector digital identity services are among the most advanced in the world, and I was fascinated by the nature of the DIACC when it launched last year.
This strategy paper outlines a shared public and private sector vision with some interesting and important points:
- A clear articulation that an ecosystem utilizing a Federated Authentication and a Brokered Authorization Model is the viable and scalable path forward
- A recognition that the public sector is an essential participant in the digital identity ecosystem as the originator of identity information. This has been a point of ongoing frustration for me within the context of the U.S. public sector.
- The explicit identification of the regulations that need to be modified in order to deliver fully digital services:
  - Allow for the option of an “electronic confirmation of identity” that is sufficient in strength to meet two key identification requirements: identity validation and identity verification
  - A single set of rules across Canada governing what constitutes an electronic signature
All in all, it is an impressive articulation of a shared public and private sector view of where identity needs to be in order to enable Canadians’ full and secure participation in the global digital economy.
Are you certifiable?
It appears that not everyone is happy in the land of OpenID Connect self-certification.
- As someone who used to manage a public sector certification program, I am mildly amused to see the ‘for the public good and equality for all’ argument here. OIDF is not a public sector organization accountable to the public. So giving its own membership a fast-pass to the front of the queue, before opening the queue to the general public, is not unexpected. I would have more of a concern if the general queue did not exist, but it certainly appears to exist in this case.
- The actual tools for testing OAuth2/OpenID Connect standard compliance are in the public domain and available to everyone
User-Managed Access (UMA) Version 1.0 specifications have achieved the status of Kantara Initiative Recommendations. UMA is an OAuth-based protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data.
- Webcast on UMA, its roadmap for adoption, and the call for open implementations
cyberLinks: random and relevant
- Interesting user experience work from New Zealand on customer segmentation when it comes to digital service delivery
- PrivacyCheck is a free browser extension that scans privacy policies online and illustrates the risk of sharing personal data with any given company
- Harvard Business Review article on customer data. ‘…Resolving this tension will require companies and policy makers to move the data privacy discussion beyond advertising use and the simplistic notion that aggressive data collection is bad. We believe the answer is more nuanced guidance—specifically, guidelines that align the interests of companies and their customers, and ensure that both parties benefit from personal data collection’
- Exploring the identity economy - Stories produced by Passcode for the ID360 conference hosted by the University of Texas at Austin’s Center for Identity