318 Identity Consumers

Reaching an Agreement with the Identity Provider
When negotiating the agreement between an RP and an IP, many different metrics should be considered: service levels (uptime, responsiveness, failure contingencies), data accuracy and ownership, and privacy concerns. The content of the claims should provide the RP with the data it needs, and we would be well served if the claims were standardized in the industry. Although an IP might want to define the claims and maintain control, this would lead to lock-in with that particular IP. This is unlikely to be successful in a system when other standardized choices become available.

So, the level of security of all the places that contain my SSN is worrisome at best. At the very least, the simplest solution for these organizations is to store a one-way hash of the information (a hash function takes data of any length as input and produces a fixed-length output, with no way to recover the original data from the output). Then, when the organization loses my data, it doesn't contain the one thing the thief needs to access my credit: the SSN. This same technique can work for the reporting case, too.
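One way to store the one-way hash described above, as an added example that is not from the original text. It uses a keyed hash (HMAC-SHA-256) rather than a bare hash, because an SSN has only nine digits and an unkeyed hash of one can be recovered by trying every value; the key `PEPPER`, the function names and the sample SSN are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: in production the key is held outside the database (KMS, HSM or
# a secret store), so a stolen table alone cannot be tested against guesses.
# It is generated here only so the example runs stand-alone.
PEPPER = secrets.token_bytes(32)

_SSN_RE = re.compile(r"([0-9]{3})[- ]?([0-9]{2})[- ]?([0-9]{4})")


def normalize_ssn(raw: str) -> str:
    """Return the nine digits of an SSN, rejecting malformed input."""
    m = _SSN_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not a well-formed SSN")
    return "".join(m.groups())


def ssn_token(raw: str, key: bytes = PEPPER) -> str:
    """Keyed one-way token that is stored in place of the SSN itself."""
    digits = normalize_ssn(raw).encode("ascii")
    return hmac.new(key, digits, hashlib.sha256).hexdigest()


def enroll(db: dict, customer_id: str, raw_ssn: str) -> None:
    """Persist only the token; the raw SSN is never written to the record."""
    db[customer_id] = {"ssn_token": ssn_token(raw_ssn)}


def matches(raw: str, stored_token: str, key: bytes = PEPPER) -> bool:
    """Check a presented SSN against the stored token in constant time."""
    try:
        candidate = ssn_token(raw, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_token)


if __name__ == "__main__":
    records = {}
    # Constructed sample value; area number 000 is never issued.
    enroll(records, "customer-1", "000-12-3456")
    print(records)
    print(matches("000 12 3456", records["customer-1"]["ssn_token"]))
```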