Claims Agent Teleconference 2011-03-07

A teleconference of the Claims Agent Working Group.

Logistics

 * 11AM ET

Attendees

 * 1) Ariel Gordon
 * 2) Bob Pinheiro
 * 3) Tom Jones
 * 4) Craig Wittenberg
 * 5) Mary Ruddy
 * 6) Paul Trevithick
 * 7) Peter Watkins
 * 8) Iain Henderson
 * 9) Colin Wallis
 * 10) Susan Morrow
 * 11) John Bradley
 * 12) Patricia Weibe
 * 13) Axel Nennker

(1) Overview U-Prove
Craig Wittenberg discussed http://microsoft.com/uprove - a summary of the R2 community preview:

 * "U-Prove agents" are a kind of "claims agent".
 * Agents would be run by a variety of providers.
 * We need to work on the governing rules & policies, but we already have a number of parties interested in running agents.
 * Each country will probably want to have its own agents running within its borders.
 * Interoperability across a range of browsers and OSes is very important, so we've tested with about 10 combinations.
 * We've tested 4-5 browsers on Windows. 3 browsers on OSX. Android, iPhone and Windows Phone 7.

(2) Demos of U-Prove
Ariel Gordon shared his screen and did some demos of U-Prove. These demos are available from http://microsoft.com/uprove.

Demo #1: Contuso Auctions. Part One: verified car data (from seller)
 * Business goal was to improve the UX and decrease the fraud levels on a large scale auction site.
 * Demo contrasted manually filling in a form vs. retrieving verified car information from the registry of motor vehicles.
 * U-Prove agent shown was Azure-hosted (cloudapp.net) Silverlight app.
 * RP: wants Vehicle Year, VIN, Make & Model.
 * RP trusts several alternative claim providers.
 * Agent redirects to the user's choice of provider.
 * User logs in to provider and gets the claims.
 * The agent displays the values of the claims.
 * With this (Silverlight) version of the agent you can save the tokens locally on the user's computer.

Demo #2: Contuso Auctions. Part Two: verified bidder
 * RP wants these claims: Given name, surname, street address, postal code.
 * Choice of commercial or governmental claims providers.
 * Bottom line: we are able to leverage real world trust online. We think that this online trust can actually increase real world trust as well.

Demo #3: Unemployment Benefits Agency for the "Yellow" state
 * By using verified identity information the state can start putting high value transactions online.
 * This is a real scenario that has been discussed with this "yellow" state organization.
 * Ariel showed the reuse of a previously saved U-Prove token with verified personal information.

Q&A

 * SusanM: In what format was the U-Prove token saved? Does it have a specific lifetime?
 * ArielG: In this CTP the information is stored inside of the Silverlight storage area. The format being used is the U-Prove token. As for expiration, the answer is that this is set by the issuer. There are methods to revoke tokens.
 * ArielG: In the demo any user that has access to my Windows logon has access to my tokens. We can increase the security by binding the tokens to a separate security device. This would also protect against malware that could steal tokens from Silverlight.
 * ArielG did a demo (using the "green" state claim provider) that uses a smartcard as a binding device. For the purposes of the demo we created a smartcard emulator (although at RSA Microsoft did a demo using a real Gemalto smartcard).
 * SusanM: Does it work with HTML5 local storage?
 * ArielG: We have investigated but didn't use this in the CTP we just released. There were two issues: (i) performance issues with implementing the crypto in JavaScript and (ii) ubiquity of HTML5.
 * CraigW: We're not requiring Silverlight. All of these demos work with a plain HTML browser. There are differences of course. With Silverlight the private keys are stored locally only.
 * SandyP: I think there's another Mac/Silverlight bug.
 * ArielG: Please send me the specifics.
 * BobP: What's the difference between the U-Prove agent and CardSpace?
 * CraigW: Many of the same themes are there. The core value of user-centric selections, choice, etc. One difference is that CardSpace didn't have U-Prove integrated. Another difference: there is no "introduction mechanism". There are no cards that you have to pre-install. We tried to make it super-easy to NOT require pre-loading of cards. Another difference: there is a cloud-only version (although Avoco and Higgins have done this too). Another difference: broader platform support.

(3) Microsoft R2 White paper

 * Craig highlighted the white paper available on http://microsoft.com/uprove
 * Starting on page 8 (section 3): we have a simple overview of the architectural elements.
 * Craig showed the level of detail in the white paper, especially the swimlanes with and without the Silverlight components
 * Craig highlighted that in the RP security policy there are two completely separate lists: the set of claims vs. the set of trusted claim providers (different/better than CardSpace)
 * Craig walked through many other details

Q&A:
 * Peter: The demos are at the point where the value is obvious. Now we're looking at specific use cases and how the user-centric model is the only way to implement this. But my question is how we could get more collective action on describing and promoting the use cases.
 * Craig: I agree, but I'm less clear of how to do this.
 * Peter: If you've got some US states behind these demos.
 * Craig: I have been cautious to dive into too much detail. We have had extensive conversations with a number of US states. To your point of use cases, they have very specific use cases they wish to pursue. I have been having these conversations behind the scenes and get the permission of these parties to discuss this. My hope has been to combine the selection of a few use cases and to work on them and make sure that the UX is put into practice, that real users.