Ping Identity Joins OpenID Foundation Board

January 19th, 2010

Ping Identity®, the leader in Internet Identity Security, today announced it has joined the OpenID Foundation to help develop, promote and extend digital identity and choice on the Web.   Pam Dingle, a senior technical architect in Ping Identity’s Office of the CTO, will represent the company on the OpenID Foundation’s board of directors.

“The marketplace is increasingly looking for open, multi protocol identity solution sets that Ping and other members of the Foundation have innovated,” said Don Thibeau, Executive Director of the OpenID Foundation.  “Ping Identity’s decision to help shape the strategy of the OpenID Foundation signals a phase shift in the evolution of the open identity infrastructure.”

Ping Identity is committed to extending the functionality of Internet Single Sign-On across a growing number of critical corporate and consumer communication channels.  As a sustaining member of the OpenID Foundation’s board of directors, Ping Identity joins a distinct group of digital identity thought leaders to accelerate open options for securely managing digital identities.

“Protecting digital identities including securing user access is quickly becoming a business and personal imperative,” said Ping Identity CTO Patrick Harding.   “As an OpenID Foundation member, Ping Identity brings almost a decade of Internet SSO experience together with a broad range of security disciplines to help overcome the security and interoperability barriers to long term success.”

The OpenID Foundation represents the open community of developers, vendors, and users. The organization assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

Ping Identity joins nine other OpenID Foundation corporate board members including Booz Allen Hamilton, Facebook, Google, IBM, Microsoft, PayPal, VeriSign, Yahoo! and LexisNexis.

Mobile Services in Japan begin OpenID experiment

January 4th, 2010

22 companies, including NTT docomo, KDDI, Sony and NEC, have formed the “ID Platform Federation Forum”. With JPY12 billion (approx. US$1.3M) in funding from the Ministry of Internal Affairs and Communication, the forum members will initiate the experiment, based largely on OpenID, by the end of the year. The forum itself is operated by Nomura Research Institute (NRI).

Mobile content and commerce have flourished in Japan since mobile browser communication was deployed on mobile phones there. As of 2008, it amounts to JPY1,352,400,000,000 (approx. US$15M) and is showing 17% growth even under stagnant market conditions [1]. It has become so important that it is often said that a service will not be viable without mobile web support.

One of the key factors in its success has been the ability to identify the user reliably in the mobile carrier network. This characteristic, combined with the micropayments provided by the mobile carriers, enables a zero-hassle login and payment user experience. However, these features have only been available via mobile browser and not on the PC and other internet-connected devices. The forum aims to expand the success of the identification and payment service capability from the mobile arena into the wider internet, using OpenID as the underlying technology. The forum will provide insights on the implementation and recommendations obtained from the experiment back to the international community through bodies such as the OpenID Foundation. Currently, the forum expects the feedback to impact the Mobile Profile of OpenID, the Attribute schema, and Level of Protection of the Relying Parties.

Chairman
Prof. Aida, Tokyo University

Vice-chair
Prof. Morikawa, Tokyo University

Secretariat
Nomura Research Institute, Ltd.

Members
Access Co. Ltd.
KDDI Corporation
Nextwave Co. Ltd.
NEC Corporation
Nihon Unisys Ltd.
Nomura Research Institute, Ltd.
NTT Communications
NTT docomo Inc.
Fujitsu
Hitachi Ltd.
Softbank BB Corp.
Sony Corporation
Willcom Inc.

In addition, there are observers.

[1] Source: Ministry of Internal Affairs and Communication (http://www.soumu.go.jp/menu_news/s-news/02ryutsu04_000016.html)

Payment Working Group started at OpenID Foundation Japan (OIDF-J)

January 4th, 2010

In response to the newly enacted “Fund Transfer and Payment Services Act of Japan”, the OpenID Foundation Japan announced the formation of the “Payment Working Group (WG)” on December 8, 2009. The Payment WG consists of 14 member companies and aims to create whitepapers on “Guidelines for Secure Management of Information”, “Guidelines for Outsourcing” and “Guidelines for Identity Verification and Authentication” as well as the best practice and profiling document for implementing fund transfer and payment service built on OpenID.

Currently, only depository financial institutions such as banks are allowed to provide fund transfer service. This will change when the act takes effect in 2010. After that time, anybody who complies with certain conditions can start providing funds transfer service. The aim of this WG is to promote OpenID as the foundation for such services by establishing industry-backed recommendations on profiles of OpenID.

Members of Payment WG are:

Chairman
Professor Nobuhiko Sugiura, Chuo Graduate School of Strategic Management

Secretariat
Nomura Research Institute, Ltd

Members
SBI holdings, Inc
NEC BIGLOBE, Ltd
NTT DoCoMo, Inc
NTT DATA Corporation
KDDI Corporation
GMO Payment Gateway, Inc
Seven Bank, Ltd
SOFTBANK PAYMENT SERVICE Corporation
NEC Corporation
Nomura Research Institute, Ltd
mixi, Inc
Yahoo Japan Corporation
Rakuten, Inc

Observer
Prepaid Cards/Vouchers Issue Association

To join this WG, one should contact OpenID Foundation Japan at
TEL:(+81) 3-6274-1451 E-mail:contact@openid.or.jp http://www.openid.or.jp

OpenID Foundation Board Update – Expanded Representation

December 31st, 2009

The voting results are in for the 2010 Board.  In addition to a strong group of returning members, we’re glad to see four new members who will bring tremendous value and new perspectives.

  • Marc Frons, CTO of the New York Times
  • Daniel Jacobson, Director of Application Development at NPR
  • John Bradley, who has been focused on government adoption of OpenID
  • Dick Hardt, well known Open Identity innovator and entrepreneur

It is an exciting step in the Foundation’s evolution to have the voices of major website operators joining the conversation.

Returning to previously held positions are Brian Kissel, CEO of JanRain; Allen Tom, Principal Software Architect at Yahoo!; and Joseph Smarr.

LexisNexis has also joined the board as a new sustaining corporate member and will be represented by Dermot O’Mahony, the Senior Director of Marketing Planning and Strategy at LexisNexis.

It’s shaping up to be a year full of tremendous potential. Some priorities for the coming year include:

  • Driving adoption and usage by website operators and end users through improvements in user experience, deployability, data management, and identity provider certification programs
  • Encouraging and supporting offerings by more identity providers including Facebook, Microsoft, PayPal, and AOL migration to OpenID 2.0
  • Expanding into new application areas including government and commerce with enhancements to OpenID including identity provider certification and the Contract Exchange extension.
  • Getting even broader representation on the OIDF board. As more corporate members join, we have the potential to add Robert Harles from Sears (commerce), Jonathan Coffman from PBS (broadcasting) and Bjorn Woltermann from Scout24/Deutsche Telekom (online media, international).

RIM Redesigns Official Inside BlackBerry Blog; Adds OpenID Login

December 23rd, 2009

The new design brings in a slew of new features to their blog with the most important being a “usable” commenting system courtesy of Disqus. That means you can use your Twitter or OpenID login to comment on their site.

OpenID 2009 Year in Review

December 16th, 2009

It’s been an exciting year. A number of initiatives that were started in 2008 had a direct impact on the success of the platform in the past year, so many thanks to all the organizations and individuals who have contributed.  Here’s a quick summary of the state of OpenID.

  • There are over 1 billion OpenID enabled accounts from the following providers worldwide: 
    • US: AOL, Blogger, Flickr, Google, LiveJournal, MySpace, Verisign, WordPress, and Yahoo
    • Europe: France Telecom, GMX/Web.DE, Hyves, Netlog, and Telecom Italia
    • Japan: Livedoor, mixi, NEC Biglobe, Rakuten, and Yahoo! Japan
  • There are over 9 million websites utilizing OpenID for registration and login on some portion of their websites across a wide range of organizations including Sears, Kmart, Universal Music Group (200+ Interscope, Geffen, A&M labels and artists), FoxNews, EMI, TwitterFeed, RedPlum, Savings.com, DC Shoes, CitySearch, Zappos, Nike, Microsoft, Mint, Nokia, Random House, Sony BMG, Café Press, TweetDeck, ViewPoints, Qype, Scout24 (Deutsche Telekom), Avro, Associated Northcliffe Digital, Smart.fm, Hokkaido Television Broadcasting, OnGen, 2-han.net, Nikko Hotels, ClipCast, Facebook, etc.
  • Microsoft, NTT Docomo, PBS, and PayPal have also announced plans to OpenID-enable their users adding hundreds of millions of additional OpenID enabled accounts
  • Several organizations are using OpenID internally for federated ID management: Amazon, Japan Airlines International, National 4-H, SAP, Sun Microsystems, and PBS
  • A large number of market leading web platform providers have also integrated OpenID including Disqus, Drupal, GetSatisfaction, Joomla, JS-Kit, Kickapps, Movable Type, Plone, Pluck, TypePad, UserVoice, Viewpoints, WetPaint, WordPress, and Zend.
  • Shibboleth, an identity management system used by thousands of research institutions, has announced that Shibboleth V2.X will integrate OpenID support.  The U.S. deployment of Shibboleth, InCommon, is a community of more than 4 million researchers, students, staff, and faculty across more than 180 institutions.  The OpenID Foundation worked closely with InCommon/Shibboleth in developing trust frameworks for the US Government OpenID deployment.  This is another example of how the OpenID Foundation and members are collaborating with a number of identity initiatives.
  • The OpenID Foundation and member organizations continue to collaborate closely with other user managed identity open standards including OAuth, Portable Contacts, and Activity Streams to provide website operators and end users with even richer and mutually beneficial web experiences.  We believe that this decentralized, open-standards-based approach is ultimately in the best interest of website operators and end users alike, where both collaboration and competition can drive innovation, choice, and widespread adoption across multiple geographies/nationalities, application areas, and demographic segments.

Beyond these broad market developments and milestones, the following summarizes some specific accomplishments in various categories:

  • OpenID Foundation Organizational Developments.  As we mentioned at the end of 2008 and in early 2009, a lot of attention was required to develop an organizational capability commensurate with the growing role and needs of the Foundation.
    • At the end of 2008 we completed our first open board elections for 2009 and subsequently elected an executive committee.
    • We were fortunate to be able to hire Don Thibeau as our new Executive Director.  Don was formerly VP Business Development at TransUnion and Executive Vice President at Qsent
    • We retained Global Inventures as our Foundation platform infrastructure partner.  Global Inventures manages the back office operations of over 20 organizations including HDMI, HomePlug Network, Open Grid Network, PC Gaming Alliance, SD Card Association, and the ZigBee Alliance
    • We established a 2009 operational and financial plan, balanced costs and income even with the unplanned costs for US Government OpenID pilot programs
    • We added Nat Sakimura as International Liaison to OpenID Foundation Board Executive Committee
    • The bylaws and IPR agreements were updated
    • We added three new sustaining members: PayPal, Facebook, and Booz Allen Hamilton
    • We established the User Interface, OpenID/OAuth Hybrid, and Contract Exchange working groups
    • The board developed a list of key priorities for 2010
  • Market Outreach.  A key goal for 2009 was to increase awareness, adoption and usage of OpenID.
    • OIDF’s Executive Director and several board members represented OpenID with analysts like Gartner and led a new industry collaboration with key identity ecosystems organizations like InCommon, Kantara, Oasis, and others at key public and private sector events.
    • We participated in several industry events including Internet Identity Workshops, RSA Conference, Transparency Camp, Government 2.0, and others
    • Yahoo and Facebook each hosted and led User Experience Summits at their respective facilities
    • Yahoo held an OpenID Summit just before Internet Identity Workshop
    • BBC and JanRain hosted a Content Provider Committee meeting in NYC and several members participated in an Online Retailer Advisory Committee session
    • Sears, Yahoo, and JanRain are scheduling the next UX Summit at Sears Usability Lab in February in Chicago
    • We executed two significant updates to the OIDF website led by Chris Messina with support from Global Inventures and JanRain
    • Several individual community candidates for the 2010 board elections represent experience with broader industry and geographic coverage – Media (NY Times, NPR, PBS), Commerce (Sears), International (Deutsche Telekom, Switzerland, Estonia, Netherlands, India, etc.)
  • Federal Government.  While this opportunity wasn’t on our roadmap at the beginning of the year, the Foundation responded quickly and aggressively to requests from the government to adopt OpenID for use on federal government websites.
    • OIDF’s Board of Directors responded to the invitation of the US CIO, Vivek Kundra, and significantly influenced the government’s plans for technical and policy interoperability of internet identity.
    • We worked with GSA, NIST, OMB, NIH, HHA, CIT, and ICF to deploy pilots for three federal government agencies
    • 5 industry leading identity providers are supporting the OIDF’s training and technical assistance for testing a government-wide technology profile for OpenID in pilot applications in support of the US NIH iTrust Program: Google, Yahoo, AOL, Verisign, and PayPal
    • OIDF’s Chairman, Executive Director and outreach committee members were quoted in numerous trade, government and mainstream press regarding the US GSA’s “Open Identity for Open Government Initiative”  
    • The OIDF is evaluating mechanisms to deliver the organizational capability required to provide ongoing OP certification services for the federal government and eventually other commercial applications
  • OP Progress.  All the major OpenID Providers have significantly improved the richness and usability of their offerings (OP capability summary to be published shortly)
    • MySpace became an OpenID provider
    • Facebook became an OpenID relying party
    • PayPal became an OP for the federal government pilot
    • Google converted over 1 million Google Apps clients into OpenID providers
    • Microsoft committed to becoming an OpenID Provider in 2010
    • AOL committed to migrating to OpenID 2.X in 2010
  • Security Progress. Monitoring and continuous improvement in safety and security of the OpenID platform continues to be an area of emphasis for the Foundation.  The following summarizes some important developments during the period. 
    • Andrew Nash of PayPal was selected to head the Security Committee.  Other members include: Eric Sachs, Nat Sakimura, Tony Nadalin, David Recordon, Eddy Nigg, John Bradley, Nate Klingenstein, and Philip Hallam-Baker
    • Working groups were formed and specification development has progressed for both the PAPE and Contract Exchange OpenID extensions
    • Per the Federal Government section above, the OpenID Foundation and Information Card Foundation have been working with the GSA, NIST, and others on trust and security frameworks for federal government deployment pilots.  It is expected that the trust frameworks and certification programs developed for this application will be extensible to other commercial and private sector applications where enhanced security requirements are relevant.

As you can see, the rate of progress has accelerated in 2009 and we expect it to continue in 2010.  We thank member organizations and individuals for their input and contributions, and look forward to even more support in the coming year.   Remember you can contribute via mailing lists, technical working groups, and standing committees so please stay or get involved to help us realize the full potential of the OpenID platform.

Best wishes for a great holiday season and new year.

Brian Kissel

Chairman, OpenID Foundation

The OpenID Foundation Comments on the FCC on “Data Portability and its relationship to broadband”

December 11th, 2009

On 12/9, the OIDF sent our comments to the FCC on “Data Portability and its relationship to broadband”.  Below is a copy of the PDF we submitted.

TITLE: Comments – NBP Public Notice #21
Docket: GN Docket Nos. 09-47, 09-51, and 09-137
Submit to: http://www.fcc.gov/cgb/ecfs/
Deadline: Wednesday December 9, 2009

Contributors
Organization: OpenID Foundation — www.openid.net
1. Brian Kissel; Chairman, OpenID Foundation; CEO, JanRain (bkissel@janrain.com)
2. Brady Brim-DeForest, OpenID Foundation Member
3. Don Thibeau, Executive Director OpenID Foundation
4. Chris Messina, OpenID Foundation community board member; CEO, Citizen Agency

Comments from the FCC
“In the course of compiling the record for the Commission’s development of the National Broadband Plan, the Commission has invited comment on “how digital technologies … can improve civic engagement, government at all levels, and the lives and welfare of residents and businesses.” The Commission now seeks tailored comment on broadband and portability of data and their relation to cloud computing, transparency, identity, and privacy. We strongly encourage parties to develop responses to this Notice that adhere to the organization and structure of the questions in this Notice.”

Resources:
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-09-2433A1.pdf
http://blog.broadband.gov/?entryId=16259
——————————————————————————————–

1. Government data transparency. Data transparency refers to making data public and easily accessible over the Internet. There are many pieces of legislation requiring the publication of Federal government information. This legislation typically requires the publication of data on an agency’s website. One recent initiative seeks to establish a central repository of government data. We seek comment on the potential benefits and pitfalls of increased data transparency.

a. What efficiencies can be gained through easing accessibility to public government information?

As Vivek Kundra, the federal CIO, has mentioned in many public forums including the recent Government 2.0 Conference, a priority of the federal government is transparency and citizen engagement. By allowing citizens to access data and interact more easily across all the federal government websites, government agencies, legislators, and executives will have a greater understanding of the needs of their citizens, and citizens will be able to serve themselves more effectively and efficiently.

Specifically, by providing the private citizen a way to engage with the government without having to create one or more accounts strictly for use on government websites, the barrier to participation is greatly reduced. With this barrier out of the way, the focus can turn to convenience, ongoing interaction across sessions, and a higher degree of personalization that typifies most successful Web 2.0 properties.

b. Are there examples of innovative products or services provided by the private sector that rely upon the use of easily accessible government information?

One example is GPS and map-based navigation systems for vehicles. A great deal of the primary data for these applications come from government sources. There are a multitude of commercial services that utilize US census data.

Everyblock is an open source initiative that leverages government data at the city and state level to facilitate citizen-awareness of their surroundings and an understanding of their environment at the block and neighborhood levels. Everyblock synthesizes data from several agencies and does the hard work of providing a compelling user interface coupled with visualizations that help citizens consume broad amounts of information quickly and easily. While the Everyblock website is a popular destination, their iPhone application demonstrates how relevant, useful, and beautiful mashed-up government data can be!

c. Federal government data are available in many formats. In what formats should this data be made available over the Internet? How should open data standards inform policy for data transparency?

The role of standards in technology development cannot be underestimated. Standards form the basic underpinnings of interoperability between networked applications, and at base, provide a means for heterogeneous applications to communicate with one another.

In other words, if I speak English, but you speak Chinese, there is no standard by which we communicate — and therefore, there is no market of interchange between us. I would have little interest if you wanted to sell me a book in Chinese, and likewise, you would have little interest in a recording made in English. If we agree on a common language, however, we are able to communicate and exchange information — and more importantly — focus on higher order collaboration and interaction.

Computer programs are very similar, though in place of verbal language, we have data formats and APIs.

The role of the government in both setting standards and deciding on formats for the kind of interchange I’ve described above should not be underestimated. In terms of identifying opportunities and their common baselines, and amplifying the work of the broader web community, the government can act as convener, facilitator, and promoter.

In terms of specific recommendations, every type of content produced by the government that has any aspect of timeliness should be offered as a typical RSS or ATOM feed. These formats are widely supported by both popular feed aggregators like Google Reader and have broad support in web browsers. In some ways, these formats have become the lingua franca of Web 2.0, at their base allowing data interchange between countless unaffiliated vendors from Microsoft to Facebook to the smallest web shop.

It’s worth pointing out that these formats are text-based, and though they may be somewhat arcane, are readable in any standard text editor, and can be parsed and read by a wide number of applications, including open source and free software. Binary formats are generally to be discouraged — especially those which require special plugins, viewers, or software licenses. While there is of course much more to say on this topic, it is equally important the government consume as well as produce content in these formats.

While on the one hand consuming information in these formats plays an important leadership role in showing others how it’s done, it also makes good on the promise of government-as-platform, where the same effort that I expend to interoperate with a commercial vendor can be used to interoperate and transact data with the government.

In that respect, open standards based identity data services would seem to be of most value to citizens and the government. OpenID Attribute Exchange and SREG, OAuth, Portable Contacts, and Activity Streams represent the kinds of platforms that the federal government should adopt as they endeavor to establish bidirectional connectivity with citizens.

d. How does data transparency relate to application development? Are there potential efficiencies to be gained through an increase in government data transparency?

e. To what extent would increased data transparency affect intra-agency processes, intergovernmental coordination, and civic participation?

f. To what extent do existing regulations inhibit or promote government data transparency?

g. What impact do developments in data transparency have with respect to broadband deployment, adoption, and use?

h. What are the potential benefits to making data more accessible?

i. What potential pitfalls exist when increasing data transparency?

j. What privacy and confidentiality concerns might arise due to an increase in data transparency and what, if any, privacy safeguards are needed to protect against the misuse of personal information?

k. What types of personal information should be protected from disclosure?

Individual data points that when combined can expose the unique identity of a user (i.e. a combination of birth date, zip code and gender) should be protected unless explicitly released by the user.

2. Cloud computing. When considering the portability of data, we also consider the processes through which data are moved. In this context, we seek comment on how to identify and understand cloud computing as a model for technology provisioning.

a. The National Institute of Standards and Technology defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Does this definition accurately capture the concept of cloud computing?

b. What types of cloud computing exist (e.g., public, hybrid, and internal) and what are the legal and regulatory implications of their use?

c. Can present broadband network configurations handle a large-scale shift in bandwidth usage that a rapid adoption of cloud computing might cause?

d. How does cloud computing affect the reliability, scalability, security, and sustainability of information and data?

e. To what extent can the federal government leverage cloud solutions to improve intra-agency processes, intergovernmental coordination, and civic participation?

f. What impact do developments in cloud computing have with respect to broadband deployment, adoption, and use?

g. How can various parties leverage cloud computing to obtain economic or social efficiencies? Is it possible to quantify the efficiencies gained?

h. To what extent are consumers protected by industry self-regulation (e.g., the Cloud Computing Manifesto), and to what extent might additional protections be needed?

i. What specific privacy concerns are there with user data and cloud computing?

j. What precautions should government agencies take to prevent disclosure of personal information when providing data?

k. Is the use of cloud computing a net positive to the environment? Are there specific studies that quantify the environmental impact of cloud computing?

3. Identity Management and Government Service Delivery. Data held by the government may be personally sensitive or confidential. In this context, we seek comment on identity management as it relates to the provision of services where individuals either provide data to the government or access data that are personally sensitive or confidential.

a. What is the current state of identity management in the federal, state, local and Tribal government?

At the federal level, identity management is governed by NIST Special Publication 800-63-1 (http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf, Draft Dec 2008) in support of the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections.

b. What is the spectrum of online identity credentialing required for access to online services from the government and non-governmental entities?

OMB guidance, E-Authentication Guidance for Federal Agencies, [OMB M-04-04] defines four levels of authentication, Levels 1 to 4. These levels are defined in terms of the consequences of the authentication errors and misuse of credentials. Level 1 is the lowest assurance and Level 4 is the highest. The OMB guidance defines the required level of authentication assurance in terms of the likely consequences of an authentication error. As the consequences of an authentication error become more serious, the required level of assurance increases. The OMB guidance provides agencies with the criteria for determining the level of E-authentication assurance required for specific applications and transactions, based on the risks and their likelihood of occurrence of each application or transaction.

c. What identity management technologies currently exist and what are their applications?

Username/Password – http://en.wikipedia.org/wiki/Password.

This is the most common approach used in private sector applications. It is well understood by most demographic segments of the population and is relatively easy to deploy. However, it has a couple of key limitations. First, it’s not practically scalable. While a given individual may be willing to manage a handful of username/passwords, it becomes increasingly difficult when individuals need to manage hundreds or even thousands of passwords. Secondly, and partly as a result of the first challenge, passwords can become less secure when the same username/password is used across multiple websites (password reuse). In this scenario, a password that is compromised at the least secure site is then potentially compromised across all sites where that password has been used. Also, since this approach is decentralized, the end user would need to manually reset their password at each and every site where the password was compromised. And in many cases the end user may not even remember all the websites where the password was used.

OpenID – http://www.openid.net and http://en.wikipedia.org/wiki/Openid.

OpenID is an open standard that addresses the challenges of username/password mentioned above, by entrusting an identity provider to manage user authentication at each OpenID enabled website. Today some of the major OpenID providers include Google, Yahoo, AOL, MySpace, France Telecom, Telecom Italia, Verisign and a number of dedicated providers. A more comprehensive list of OpenID providers is available at the OpenID Foundation website at http://openid.net/get-an-openid/

Additionally, PayPal has recently announced an OpenID Service specifically designed for federal government applications. The OpenID Foundation and InfoCard Foundation are collaborating with the GSA, NIST, OMB, NIH, HHA, and CIT to develop and deploy OpenID and InfoCard authentication across federal government websites. OpenID providers participating in the initial pilot include Google, Yahoo, AOL, Verisign, and PayPal.

In addition to authentication, OpenID Simple Registration and Attribute Exchange extensions as well as the OpenID/OAuth hybrid allow end users to transfer, only with their explicit consent, personal information including data elements such as email address, gender, age, time zone, zip code, preferred language, nickname, etc.

An additional advantage of OpenID is that a citizen can update their profiles and/or revoke access to websites from a central service with their identity provider. If a citizen changes their email address, their ID provider can update all the websites that are utilizing that ID service. Also, if a user wants to disable access to one, many, or all websites using the ID service, they can do that from one point of interaction; they won’t have to go to each website individually to make the change.

Finally, OpenID is entirely web-based, so end users don’t need to download, install, or configure any software. That means utilization levels will be higher and support costs will be lower than approaches that may require client-side software installation.

InfoCard – http://en.wikipedia.org/wiki/Infocard and http://informationcard.net/foundation

Security Assertion Markup Language (SAML) – http://en.wikipedia.org/wiki/Saml

d. How have HSPD-12 implementation efforts affected the efficiency of the federal government?

HSPD-12 has played an important role in the Open Identity Initiative and the establishment of the subsequent Trust Framework Provider Adoption Process, of which the OpenID Foundation has a draft submission under review.

e. What identity management technologies are available in the private sector? What are their applications?

f. What impact do developments in identity management, such as Open ID, have with respect to broadband deployment, adoption, and use?

OpenID is potentially well suited to facilitate and accelerate the utilization and citizen benefits of broadband deployment. As lower cost broadband services reach a higher percentage of our population, government and private sector service providers will increasingly leverage this channel to offer richer, more personalized, and more cost effective offerings to their citizens and customers respectively.

However, in order to provide the best services, citizens and customers will need to authenticate themselves for many applications to set preferences, to customize their experiences, and for more interactive transactions. As more organizations drive to engage their stakeholders through the internet, and as consumers respond by utilizing faster, better, and cheaper services over the internet, the scalability of username/password authentication will become a constraint. This is exactly the use case that OpenID was designed to address – more scalable, convenient, and secure authentication across the open internet.

g. What are the potential benefits of a coordinated nationwide identity management schema?

If you mean a government run identity management schema and/or service, we think there are very limited benefits. If you mean having the federal government adopt and deploy open standards such as OpenID and OAuth across federal websites, we think that there are many benefits.

By agreeing to adopt various identity standards, the government can help to advance the state of interoperability and the portability of identity between heterogeneous networks, increasing convenience for individual citizen-participants, and reducing complexity for service providers and organizations.

As identity acts as a core building block of the social web, the future health and competitive nature of the web requires that digital identities be as portable as phone numbers, and that users — from the citizen perspective — have viable alternatives for managing and representing their identities online.

Additionally, a universal identity system that is as robust and distributed as the internet would greatly enhance and encourage citizen engagement and participation from the lowest levels of civic administration to the highest levels of the federal government. By promoting choice through interoperability, the government can create an entirely new competitive marketplace for innovation and service, founded on a basis of open technology.

h. What are the potential pitfalls of a coordinated nationwide identity management strategy?

For a government specified and run solution, the pitfalls are single-point of failure, threats to privacy, rapid obsolescence, and security. Many segments of the population are unlikely to trust a federal government run identity management system. Additionally, a government run system is likely to cost more than an open market approach that leverages open standards such as OpenID and OAuth. Further, a government run system is unlikely to innovate and evolve at the rate of the open market, limiting the government’s ability to leverage the innovations of commercial providers competing for mindshare and marketshare of end users and website operators.

i. What specific privacy concerns are there with identity management strategies?

There are always concerns about privacy, security, and anonymity when it comes to identity and digital profiles. Indeed, there have been abuses and cases where people’s expectations were not met by various entrusted parties’ action. However, on the whole, the next generation of digital natives demand a greater degree of functionality, access, and convenience and on the surface, appear willing to exchange some personal data for these benefits. Appropriate implementation and enforcement of terms of service (TOS) and privacy policies are critical to protecting user privacy regardless of the identity management technology.

With proper data protection, encryption, disclosure of practices, and the ability to opt-out from personalization features, many potential privacy concerns can be addressed.

More to the point, providing this kind of opt-in participation model (presumably with functionally reasonable defaults) can actually increase participation, because people feel a greater sense of control and agency over the way that their data is used and accessed. In this case, transparency in how data is collected, used, and can be audited is paramount.

One of the greatest privacy concerns that seems to exist (and is not restricted to digital privacy) is how access to one’s personal data is limited, or restricted, to a set of known parties. That is, if an individual provides data to someone, there is an implicit belief that that data will be protected, and not released to third parties without the owner’s consent. While this is not always the case in practice, it would seem that many concerns about threats to privacy derive primarily from the case where some unknown third party gains an information advantage over an individual who did not expect them to have access.

Once again, protecting and preserving privacy, and setting honest and clear expectations about the use of personal data is an effective way to increase the trust and use in a system, and should be strongly considered in the design of any federally supported identity scheme.

j. What types of personal information should be protected from disclosure

Etelos to Enable OpenID® Across Multiple Business Apps

November 11th, 2009

Etelos, Inc., a developer and operator of private-labeled marketplaces for Web-based business applications, announced support for OpenID for user authentication and Single Sign On (SSO) within the Etelos Platform Suite.

Information for All Considering Running for the Board

November 11th, 2009

I am pleased to announce the opening of the 2010 OpenID Foundation Board nomination and election process.  The information below shares some context for the election and is intended for you – the person out there considering running, nominating or voting in the upcoming OpenID Foundation election.

This election will hit the refresh button on OIDF for 2010. I am pleased to report the “foundation” of the foundation is solid. New financial, administrative and legal measures are in place. Our budget was carefully mapped and still able to respond to the government’s open identity initiative. Because of all that and more, the newly elected community representatives will have a major influence on 2010 plans, priorities and budget. The focus on security and usability at last week’s OpenID Summit at Yahoo! and follow up discussions at the IIW reflected the key concerns of the current board. The “state of OpenID security” work Jeff Hodges, Ashish Jain and others did inventoried the security challenges we still face. Allan Tom, Breno de Medeiros and others laid out key issues in presentations on the “state of usability.”  New “product” improvement initiatives like those discussed in Dick Hart and David Recordon’s IIW session on V.Next and new “cloud” and active “client” selector demos all point to renewed energy for building on core OpenID technology.

Just as OpenID technology is evolving, how the board works must change.  Organizations that have transitioned from specification development to market adoption (the space we entered this year) have evolved their governance and membership programs to meet operational and financial objectives.  In order to improve the core technology “product”, drive RP adoption and increase member services, we need to find ways to offer more membership value and create diversified sources of income.  2010’s board members will consider how best to balance competing priorities with still unfolding value in the trust framework and certification work to do with the US government and others.  We’ve been told by experts that demand for certification is a leading indicator of the growth and maturity of a technology standard.  How we do certification will, in part, shape our future. Our discussions have us looking beyond the US government requirements to broader market adoption dynamics. The IIW community’s “acid test” greatly improved the working hypothesis that RP adoption can be best served by a synchronized and phased focus on both technology interoperability and policy certification.

In an organization like ours, leadership must come from all quarters.  As an essentially volunteer run organization, change – whether to a website page or working group – is in the hands of those motivated to act. The OpenID foundation remains a unique mash up of democracy, meritocracy and technology.  A few months ago, I took great pride in introducing the OpenID Board to Vivek Kundra, the US CIO at the White House.  I made sure Vivek knew the people he was meeting were not the usual suspects of lawyers and lobbyists, but the engineers and computer scientists who wrestled daily with the most challenging problems of internet identity.  The government adoption provided a forcing function for OpenID technology, community collaboration, and a bit of history making.

Over a glass of wine, Nat Sakimura, Andrew Nash and I were riffing on the OpenID Foundation’s “mission.” We kept pushing beyond: “stewardship of intellectual property.” “Enabling trust” wasn’t good enough but the Japanese translation of “trust” into “a feeling of safety” and being “at ease” began to capture what OpenID might someday bring to users. It hints at how important our work can be. For myself, I believe an “open” reliable, “trusted” identity standard can be the next key operational piece of Internet infrastructure. It can be to the identity layer what DNS is to the Web layer and IP is to the packet layer. In that way, the mission of the OpenID foundation and the leadership of its board can build something sustainable and important on behalf of internet users.

The contribution of your leadership on our board and active engagement as members of our foundation is highly encouraged.  Employment in any company is not a barrier. Please carefully consider your nomination and those of others.  A FAQ with specific details on the election process is available at http://openid.net/wordpress-content/uploads/2009/11/OpenID-Foundation-2010-Election-Procedures-FAQ-Final.pdf

Thanks for your support. 2009 has been an extraordinary year, 2010 promises much more.

Don Thibeau
Executive Director

Community Board Member Election Announcement

November 11th, 2009

The OpenID Foundation is holding its second election of community board members starting Monday, November 23. For this election, six community board seats are open for election. An FAQ has been posted on http://openid.net/wordpress-content/uploads/2009/11/OpenID-Foundation-2010-Election-Procedures-FAQ-Final.pdf

Of the current community directors, Mr. Kveton has indicated he will not serve another term. Mr. Kissel, Mr. Smarr and Mr. Tom have indicated their interest in continuing to serve. Mr. Messina and Mr. Sakimura were elected to longer terms as community representatives. On behalf of the foundation, I would like to thank Scott Kveton for his important service to the Foundation and wish him well in his new endeavors.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates.  If you’re not already a member of the OpenID Foundation, we encourage you to join at https://openid.net/foundation/members/registration.

Board participation requires a substantial ongoing investment of time and energy.  It is a commitment that should not be undertaken lightly. Rather, should you be elected, expect to be called upon to serve both on the board and on its committees where the work of the foundation is conducted, and to actively contribute.  That being said, however, if you’re passionate about OpenID and advancing digital identity, have the time to devote to community service in this manner, and are a person who gets things done and works well with others, we welcome your candidacy for the OpenID board of directors. We welcome your candidacy for community board seats regardless of current or past company affiliation or employment.

When the elections process begins on the 23rd of this month, voting and nominations will be conducted using the OpenID you registered when you joined the Foundation.  Log in at https://openid.net/foundation/members/ with that OpenID to participate in the election. If you are already a member you will receive an email from membership@openid.org advising you the election is open and how to participate. If you experience problems participating in the election or joining the foundation, please send a note to help@oidf.org

Again, six community directors are being elected to the board.  The three candidates receiving the most votes will serve 2 year terms and the three candidates receiving the next numbers of votes will serve 1 year terms. In order to be eligible for election, your candidacy must have been seconded by at least three other members.

The election will be conducted on the following schedule:
Nominations open:  Monday, November 23
Nominations close:  Monday, December 7
Election begins:  Wednesday, December 9
Election ends:  Wednesday, December 23
Results announced by:  Wednesday, December 30
New board terms start:  Friday, January 1
Times on all dates are Noon, U.S. Pacific Time.

Thank you for participating in advancing OpenID.

Don Thibeau
Executive Director