Users will want to use multiple providers' credentials.
Want a low-friction way for people to create links to new credentials.
Institutional outsourcing to an external credential provider
Don't want to put all eggs in one basket.
Maybe the pattern should be that users are encouraged to have multiple credentials.
Criteria for providers
Stability of vendor / service
Stability of identifiers
Stability of attributes
Assurance in identifiers and attributes
Identity proofing
MFA
Certifications / audits
Privacy and security measures
Alignment of mission
Terms of service
EULA
Business model
Privacy assessment
User consent support
Number of subscribers
Discussion of stability of IDs and Google
@gmail.com addresses are not reassigned, but Google Apps addresses can be.
Mark and Bill will look into this.
Action Items
Eric will create a matrix outlining the criteria we discussed, for use in evaluating potential External ID providers.
Bill and Mark will investigate Gmail account policies, specifically potential differences between the policies for "personal" Gmail accounts and "GAE Domain" Gmail accounts, especially as they affect the accounts' potential usability as External IDs.
David will gather any existing lists of External ID providers from other InCommon working groups to seed the candidate list.
Eric will contact the LIGO and COmanage folks (who are already relying on external IDs to some extent for access to their internal resources) to see if they have any documentation or guidance on how to address or mitigate issues around relying on external authentication sources.