What if a "credential" is simply a container of identifiers? (Andrew Hughes)
The way identity is evolving is getting very interesting.
We are trying to notice what exactly is changing over time.
In the future, 5-10 years from now, the way everyone gets access to service providers is that they have a large number of identifiers or attributes, and the service provider says: give me 5 out of 100 from the sources I trust.
What if you have an infinite number of authorities you can choose from?
They can't trust every possible authority that is out there.
What if you can say, as a service provider, show me Q, R, S from any 2 of AA
For example: fingerprints, time of day, possession of stuff (devices, etc.).
For example, with Netflix you don't need to prove that you have a Netflix account; you just need to prove that you are coming from the right geographic location.
In most cases this is being proven by just logging in (a single event), which is not good enough by today's standards.
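One way to express the "give me 5 out of 100 from the sources I trust" request as a policy check, added here as an illustration and not part of the session notes. The `Claim` and `Policy` names, the authority hostnames, and the reading of "from any 2" as two distinct trusted authorities per attribute are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    attribute: str   # e.g. "time_of_day"
    value: str
    authority: str   # who asserts it

@dataclass(frozen=True)
class Policy:
    trusted: frozenset    # authorities this service provider accepts
    acceptable: dict      # attribute name -> predicate over the claimed value
    min_attributes: int   # "give me k out of n"
    min_authorities: int  # distinct trusted authorities needed per attribute

def evaluate(policy, claims):
    """Return (granted, sorted names of attributes that met the policy)."""
    vouchers = {}
    for c in claims:
        if c.authority not in policy.trusted:
            continue  # unknown authorities are ignored, not an error
        check = policy.acceptable.get(c.attribute)
        if check is None or not check(c.value):
            continue  # attribute not requested, or value out of range
        vouchers.setdefault(c.attribute, set()).add(c.authority)
    satisfied = sorted(a for a, who in vouchers.items()
                       if len(who) >= policy.min_authorities)
    return len(satisfied) >= policy.min_attributes, satisfied

# Constructed sample data (hypothetical authorities and values).
POLICY = Policy(
    trusted=frozenset({"aa1.example", "aa2.example", "aa3.example"}),
    acceptable={
        "geo_region": lambda v: v == "CA",
        "time_of_day": lambda v: 6 <= int(v) < 23,
        "device_possession": lambda v: v == "true",
    },
    min_attributes=2,
    min_authorities=2,
)
CLAIMS = [
    Claim("geo_region", "CA", "aa1.example"),
    Claim("geo_region", "CA", "aa2.example"),
    Claim("time_of_day", "14", "aa1.example"),
    Claim("time_of_day", "14", "aa1.example"),           # repeat counts once
    Claim("device_possession", "true", "aa3.example"),
    Claim("device_possession", "true", "rogue.example"),  # untrusted, ignored
]

if __name__ == "__main__":
    print(evaluate(POLICY, CLAIMS))
```

With the sample claims only one attribute is vouched for by two trusted authorities, so access is refused until a second trusted authority also asserts another attribute.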
What do we need to do to get there?
It does not; the only difference is that there is an unlimited number of authorities which you can choose from.
Similar to ABC Trust.
For example, time of day is just an observable attribute.
This is basically an extension of the existing technology; it is based in today's world, but what if we have thousands of observable attributes, what if we have thousands of authorities?
Identity oracle.
User managed access.
User submitted terms (it means that I can negotiate these kinds of things).
Vendor Relationship Management
If you can have people looking at it with just specific attributes, you cannot have user data (Vendor Relationship Management).
It is a risk based view of things.
It is a post-federation world.
If this ever comes to be, there is no more federated access management (you don't need to have the federation agreement).
You don't have to federate authentication anymore.
Extension of DNS lookups.
The LOA was context-based.
Levels of assurance.
What are the milestones needed to reach this?
Risk based access control - this exists today.
Attribute based access control (where we don't need to have a federation agreement) - that's the missing part.
2005 Identity Oracle
2004 User Managed Access
Federation is going away in this plan.
This means that today, when we click OK on a website, nobody thinks of it as a contract, but it is a contract. In this scenario the contract and the OK will be replaced with User Submitted Terms / Vendor Relationship Management.