NSTIC How do we bring relying parties to the table?

From IIW

NSTIC How do we bring relying parties to the table? (W2F)

Convener: Jim Sheire

Notes-taker(s): Willian Lowe

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

How to bring a wider variety of stakeholders to the table. Get more relying parties.

NSTIC ball is rolling. Bringing government to the table as relying party. Online communities, people, governments: We need more entities at the table.

NSTIC pilot funding: short term addressing chicken/egg problem of universalized identity. How do we market the business model and value proposition?

Who is not at table yet and how do we approach them?

Where are venues that NSTIC can engage in community building? Retailer shows, banking shows, nonprofits, etc.?

NSTIC wants to generate excitement, increase engagement. Possibly social media.

Target RP’s? Developing top 100 target list. What would constitute critical mass in addition to government that would be sufficient adoption to have snowball effect?

List of target 100 RP’s will be publicized. Please send your own top 10 RP’s to James Sheire. Individual contacts appreciated.

The problem of successfully attracting RP’s: at the moment, a good bit of business value is tied up in the internal relationship between RP identity and IdP. Everyone wants to be an IdP.

We’re going to have trouble getting major RP’s on board until solutions are clarified and are ready for implementation.



What are the generic drivers (influencing factors) for big RP’s to get involved? It would be helpful to catalog influencing factors.

The current value proposition problem from an enterprise standpoint: you’re asking me to change, and from my perspective this is a solved problem.

Are there communities of interest that already have shared values (like InCommon)? The way any federation has grown well = shared mission in value.

Lack of awareness for NSTIC. Companies are going to come to table when their customers see value in it as well. Just because they have a cumbersome process for identity doesn’t mean they’re ready to change. Often it is simply chalked up as a “Cost of doing business.”

Possibly a theoretical strategy to get RP’s to the table: Start putting out stuff they hate.

Marketing to big companies: 3 things they care about: revenue generation, cost savings, risk mitigation.

We want to target senior technical advisors (i.e. “principal architect”, “technical fellow”): these are the people we want to influence so they can take our pitches back to executives.

Rough list of communities of interest: HIM’s, RPG’s (games), SXSW, Consumer Electronics, Boy Scouts/Girl Scouts, MochaMoms

Maybe better off bootstrapping the solution because big companies aren’t nimble enough to quickly adopt and implement new frameworks.

The leading edge of the problems we face are exemplified in a small sector: Porn. Very nimble, creative, and always changing. One step below is the gaming community.

Most of the general public doesn’t know there’s a solution to the identity problem. The more aware they are, the more demand there will be on RP’s to adopt.

Nobody is communicating the problem to a broad base, possibly because we don’t have a set solution yet.

Nobody who does x number of banking transactions / mo. perceives there’s any problem with what they’re doing. Everybody hates 100’s of usernames and passwords. But they hate it because of convenience, not security.

If we can address some of the risk issues, etc. COPA compliance, safe harbor, that would equal another audience of people getting engaged.

Focus on Reputational Risk. Identify the harms.

Ongoing Efforts: Better communication from NSTIC. What is it about? Why is it important?

Communicate to the general public.

OnguardOnline.gov is currently the best government internet security website. NSTIC should be more visible.

Simplified approach