A Public Comment on NCCoE's White Paper on Privacy-Enhancing Identity Brokers
This comment addresses privacy and security issues in identity brokering for citizens accessing online services, but it is incremental, as it builds on existing research.
The authors responded to a U.S. government white paper on privacy-enhancing identity brokers by raising key concerns and recommendations for designing such systems, based on a prior research paper about nation-scale brokered identification systems.
The National Cybersecurity Center of Excellence (NCCoE) in the United States published a white paper on "privacy-enhanced identity brokers" on October 19, 2015. We present here a reply to its request for public comments. We enumerate concerns that we consider paramount for the design of a privacy-enhancing identity brokering solution for identifying and authenticating citizens to myriad online services, and we recommend how to incorporate them into a revised white paper. Our observations, focused on privacy, security, auditability and forensics, are mostly based on a recently published research paper (PETS 2015) about two nation-scale brokered identification systems.