Monday, November 26, 2007

Hey, can I get that $1m you owe me?

James McGovern asks me
I wonder if Paul has any thoughts on how to hold identity providers liable if you are a relying party?

With the caveat that I am not a lawyer and nor do I play one on the Web ....

Indemnification MAY be an important issue, but ultimately what the RP wants is to transfer risk such that whatever amount remains is acceptable. If the existence of an indemnity from the IDP to the RP helps to this end, then it could be relevant.

Note: I think James conflates indemnification & 'IDP liability'. If the IDP screws up, it may indeed be held liable, but this is likely irrespective of whether the RP & IdP have an indemnity clause in their agreement. Additionally, there is no requirement that any indemnity the RP receives for harm it suffers need come from the IdP - there already exists quite a large business for 3rd-party indemnification.

But indemnification is not the only mechanism by which the RP can mitigate risk. Nor is it always appropriate.

With respect to James' assertion that the conversation on liability hasn't yet occurred, I draw his and the reader's attention to the work of the Liberty Alliance's Identity Assurance Expert Group.

From the recently released 'Identity Assurance Framework':

A CSP may be liable solely under the terms of an existing agreement with a relying party for losses suffered by the relying party where the cause is attributable to conduct by the CSP that was carried out in material non-compliance with these business rules or with certification requirements. Conflict resolution will be directed to the appropriate Federation Operator. A CSP may offer credentials at a band of monetary recourse set independently from levels of assurance. A CSP shall disclose the monetary recourse it will or will not make available with respect to IAEG credentials and any applicable terms or limitations governing the recourse according to Table 5.1

Band Amount
No recourse Zero monetary recourse
By agreement By agreement of the parties


By coincidence, there is a webinar on the Identity Assurance Framework this Thursday. Register here.

No comments: