What prevents a Telecom Operator from being a full fledged Identity Provider?

Hello all

I am seeking feedback and looking to interview someone for an ongoing blog/paper article.
This is a new class of blogs where I will start to work with key industry issues and seek feedback and interviews from experts as they evolve. Here is the first of these blogs.

If you want to give me your views anonymously, please email me on ajit.jaokar at futuretext.com
Any comments are welcome, and any more QUESTIONS are welcome too! I think the framework itself needs to be defined.

Why cannot the Telecom Operator be an Identity Provider? That is, what prevents a Telecom Operator from being a full-fledged Identity Provider?

Here are some more top level questions and thoughts

1) What is an Identity provider? And, for that matter, what is Identity?

2) How do you decide who becomes an identity provider? (using basics of trust levels http://www.pgpi.org/doc/pgpintro/)

In principle, anyone can become an OpenID provider. That is why OIX exists. A service provider can use the OIX framework to determine the level of trust it can put in an IdP. So, why would an Operator not become an Identity provider?

3) What is lacking for Telcos to be full Identity providers? (What are the limitations?)

4) Who governs regulations in Europe, UK and USA?

5) What is the role of the client for end to end Identity provision?

6) When it comes to Telco, what elements are relevant to be a true Identity provider? (end to end)

7) Relationship between Identity and authentication: is Identity the same thing as authentication?

Authentication is the provision of a set of credentials to issue an identity token. If so, are there general requirements regarding the strength of the authentication presumed when an identity token is issued? Are there requirements about how it can be used?

What is an identity token? Is it a virtual representation of yourself, which can then be provided to other services, and which those services can use as a proxy of yourself (meaning you do not need to be re-authenticated)?

Are there standard implied “things” that can be inferred/implied by a token?

Is a token unique over time? If it is not unique, then for it to have any use between independent peer entities there must be a common convention or understanding of what the qualities of the token are, or each token just sees a random number.

8) Can telcos provide tools for others to be Identity providers? (to be a platform)

9) Standing on the shoulders of giants: how can a stack be built from existing technology?
What already exists and how can that be leveraged?

In the OpenID sense, identity is just a URL, which someone makes a claim about.

The role of an identity provider (IdP) is quite well defined. Looking at OpenID, anyone can be an IdP, but in order for resource providers to know the level of trust they can put in an IdP, the Open Identity Exchange (OIX) was created, which can certify IdPs' claims to different trust levels. Thus OIX provides the trust framework, not only for OpenID IdPs, but for any identity provider.

10) PDS – Personal data stores – What roles do they have to play? I have covered Private planet and Mydex on this blog before.

11) What are the gaps? – in the stack, the telco and the legal framework

12) Understand the evolution of internet privacy and federated social networks.

13) Software signing and authentication of web servers are well-known and deployed technologies. If by certification we mean an audit process of apps, similar to what Apple and Brew do, this is object-level authentication and could tie to person-level authentication.

14) Identity of an individual vs Identity of an object

15) OIX. From the OIX FAQ:

What Open Identity Trust Frameworks are OIX now servicing?

The US General Services Administration (GSA) and the Identity, Credential, and Access Management Committee (ICAM) has approved OIX as the first trust framework provider to the US government. This permits OIX to issue certifications for the US ICAM LOA 1 trust framework to identity providers who are assessed to meet its identity, security, and privacy requirements. The National Institute of Health (NIH) is the first US federal agency to move into production status to accept OpenID and Information Card credential issued by OIX-certified identity providers.

Are there any identity providers certified for US ICAM? What is the telco role in this space?

16) Are other governments adopting the trust framework model?

17) What about Minimum disclosure as an Identity Solution?

So, any comments welcome and also any more QUESTIONS welcome!

Happy to reference you if you want.
Kind regards
Ajit

Image source: http://online-identity-theft.net/

Comments

  1. Wow, good question. I think that the main reason telcos haven’t gone this route is because of the regulatory mess they’d encounter from various govs. It’s not like they already don’t deal with user ID management, it’s just not a transparent and openly-public service offering.

    I do think that they are moving to this. The act of doing mobile transactions/mobile wallet offerings pretty much ensures that they are going this route.

    Are the tools that they have to view/manage IDs transparent to the user? Will there be a dashboard given to users to let them know what information is being collected and who might be tapping that information for other services/means? Could a telco stand the backlash when some groups see just how much info telcos have on them?