Best Practices and Example for RP System

From IDESG Wiki
Revision as of 21:55, 6 December 2016 by Mary Hodder (talk | contribs) (added ideas)


Brainstorm from Tom:

Set up goals and start to build a use case for an example IdP that we could promote to the industry.

1. Now that the IDESG has established a self assessment, work on enabling the id ecosystem.
2. Promote a Trustmark with UX collateral, images of various sizes for web sites.
3. The IDESG web site itself should be an example of Guidelines.
4. There is an IdP which shows the Guidelines for that industry.
5. The various IDESG web sites become examples of RP Guidelines.
6. The UXC work on suggestions for the look and feel of a Guidelines RP.
7. The UXC work on a use case for an IdP.
8. Preliminary work on the IdP begins.

Questions:

Necessitated by the issues with the existing roles and the need for a new membership plan, IDESG will put in place:

1. A modern, individual-respecting enrollment and registration system for identities as well as identity services.
2. IDESG will then use this as the authoritative source for member and registrant services.
3. As part of the IDESG membership plan we will issue credentials that adhere to our own principles.
4. Provide not only member credentials for IDESG resources but also options for credentials that would be externally accepted.
5. Separation of identifier and attributes, for example the indicator of acceptance of the IDESG IPR should not be a condition of the identifier, but a separate field bound to the identifier.
6. Single sign-on would mean only one password/credential with a single complexity requirement, which is not the case today.
7. IDESG will provide options for authentication and other services from members of the IDEF Registry.
   a. In which case IDESG (or organizations certified by IDESG) will act as the independent third party to assess their services.


Will need to build for best practices:

  • Privacy policy (PP)
  • Terms of use (ToU)
  • Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with Identities in their policies?

Other issues to look at:

  • Some method for creating a strong web site identity, e.g. AV Certs
  • Generating example code for an RP that can be used by any aspiring web site author to follow the IDESG guidelines.
  • Can the IDESG publish a PP that web sites can include as their own by explicit reference or as a result of using the IDESG TrustMark?
  • Support for two-factor identifiers.
  • Does the identifier used by the IDESG require verification to an email address?
  • Partnering with a company, later one who implements the RP or is a provider to the RP (IdP), to write up our plans as a use case.