Difference between revisions of "Trusted First Party"

From MgmtWiki
Jump to: navigation, search
(Context)
(Context)
Line 5: Line 5:
 
* Identifying a [[Trusted First Party]] has traditionally been handled by the [[User Agent]] or browsers. in 2020 nearly all browsers insist that web sites have X509 SSL certificates unless the user decides to ignore the warnings that block easy access to the site.
 
* Identifying a [[Trusted First Party]] has traditionally been handled by the [[User Agent]] or browsers. in 2020 nearly all browsers insist that web sites have X509 SSL certificates unless the user decides to ignore the warnings that block easy access to the site.
 
* [[Single Sign-On]] providers have typically used commercial means to establish trust with users.
 
* [[Single Sign-On]] providers have typically used commercial means to establish trust with users.
 +
* With the arrival of [[Self-Issued ID]]s it is time to determine what measures need to be taken to assure the user of the identity of web sites that are requesting sign on information from the Identity [[Wallet]] on the user's device that provides the information on assurance of that user's [[Identifier]] to the [[Relying Party]].
  
 
==Problems==
 
==Problems==

Revision as of 17:27, 13 April 2021

Full Title or Meme

Any Web Site that the user trusts.

Context

  • Identifying a Trusted First Party has traditionally been handled by the User Agent or browsers. in 2020 nearly all browsers insist that web sites have X509 SSL certificates unless the user decides to ignore the warnings that block easy access to the site.
  • Single Sign-On providers have typically used commercial means to establish trust with users.
  • With the arrival of Self-Issued IDs it is time to determine what measures need to be taken to assure the user of the identity of web sites that are requesting sign on information from the Identity Wallet on the user's device that provides the information on assurance of that user's Identifier to the Relying Party.

Problems

Any party that holds User Information has the possibility of breach of trust that the information will not be released.

Solutions

Some types of Trusted Third Party include:

  • Privacy Enhancing Technology Providers (PETP) can protect user's privacy by anonymizing the User's Identifier. See Microsoft UProve.[1] or IBM Identity Mixer.[2]
  • Governmental agencies that hold data for legitimate purposes will typically have a legal mandate to protect the data. Unfortunately they also have sovereign immunity should a breach be discovered.

References

Other Material

  • A Trusted Third Party may be valuable in any use case where the user wants to be have some Assurance about privacy of data that does need to be shared in very limited circumstances.
  • Microsoft, U-Prove. https://www.microsoft.com/en-us/research/project/u-prove/
  • IBM. Identity Mixer. https://www.zurich.ibm.com/identity_mixer/eu_projects.html