
Request for Comments: Privacy-Enhanced Identity Brokers - mazsa
https://nccoe.nist.gov/projects/building_blocks/privacy-enhanced-identity-brokers
======
mazsa
The deadline for comments is December 18, 2015.

Summary

As enterprises move more services online, many have given customers the option
to use third-party credentials to access their services, rather than asking
them to create and manage a new account. For example, you can use your social
media account login to access your fitness tracker account. In effect, the
social media company is vouching that the same person is logging in each time
they access the tracker website.

Allowing third-party credentials is beneficial to businesses because it saves
them time and resources in managing identities. For users, the benefit comes
from not having another username, password, or a second-factor credential to
manage and remember.

While these arrangements are becoming more common, organizations are finding
it a time-consuming task to manage each relationship, or third-party
integration. The dominant solution is a service called brokered identity
management in which “identity brokers” manage the integration relationships
between organizations and credential providers. Organizations can use an
identity broker to manage multiple third-party credentialing options instead
of having to manage each separately. However, for users, there is a concern
that these connections create the opportunity for a breach, or exposure of
personal information, as well as for the broker to track a user’s online
activity.

The “Privacy-Enhanced Identity Brokers” project will examine how privacy-
enhancing technologies, leveraging market-dominant standards, can be
integrated into identity broker solutions to meet the privacy objectives of
users and organizations. This project is a joint effort between the NCCoE and
the National Strategy for Trusted Identities in Cyberspace National Program
Office (NSTIC NPO).

Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a
publicly available description of the practical steps needed to implement a
cybersecurity reference design.

