Posted at 3:57 pm on January 24, 2011 by Amanda Richardson
by Don Thibeau
There has been much discussion lately about the US National Strategy for Trusted Identities in Cyberspace, NSTIC. This is a summary of some key developments. Last week in Washington DC, a series of workshops addressed various aspects of the evolving US NSTIC. The first focused on use cases that fall under the NSTIC umbrella. The discussion of identity authentication, privacy and security in G2C applications engaged a wide range of viewpoints from the technologists, policy makers, lawyers and advocates present. The event, “New Urban Myth: The Internet ID Scare,” was co-sponsored by the OpenID Foundation, the Open Identity Exchange and the Center for Democracy and Technology. Another workshop, “How Open Identity Frameworks Address Privacy, Security and Global Market Needs,” discussed how user needs can be integrated with those of relying parties, identity providers and other data handlers. This was co-hosted by the American Bar Association’s Federated Identity Management Legal Task Force, Harvard’s Berkman Center for Law and the Internet, and the Open Identity Exchange.
To be clear: the OpenID Foundation has no position with respect to the NSTIC. The OIDF’s focus is on technology “tools.”
As a technical standards development organization, the OIDF develops technology and promotes adoption of open identity protocols. As a practical matter, the US CIO, the GSA, the White House and many government agencies reach out to the OIDF because it is a neutral, non-profit organization whose membership includes the leaders in search, enterprise and social media. Many in government and the OIDF share an interest in solving internet identity related issues that are increasingly important to government operations, outreach and standards. For example, the US GSA FICAM program requires the use of OpenID 2.0 for technical interoperability compliance at NIST level 1 assurance; see: http://www.idmanagement. Last year at this time, the OpenID Foundation Board voted to respond to the US CIO’s “Open Identity for Open Government” initiative by providing a start-up grant to a legally separate organization: the OIX. The OIDF Board made sure companies could opt into participation in OIX at a time and in a manner of their choosing. The goals of the OIDF grant were to: 1) meet industry needs for open identity interoperability along the lines of the public-private partnership suggested by the US government, with extensibility to other governments and organizations; 2) fill critical infrastructure gaps in open identity certification at internet scale; 3) develop policies and promote the adoption of open identity trust frameworks.
The Open Identity Exchange has been closely collaborating with the White House NSTIC team. The OIX’s focus is policy “rules.”
The Open Identity Exchange (OIX) is a non-profit, technology-agnostic, multi-tenant certification listing service for open trust frameworks in internet and telecommunications applications. While the OIX has been collaborating with TechAmerica, the CDT, the AMA, and the World Economic Forum, it is neither a lobbying organization, an advocacy group nor a “think tank.” Its focus is on building interoperability of trust frameworks for industry self-regulation and market expansion. OIX (openidentityexchange.org) was the first US GSA FICAM authorized trust framework provider. It is developing two products. First, a web-based metadata certification listing service to facilitate technical interoperability at internet scale. Second, the OIX “Risk Wiki,” an open source legal reference tool to facilitate policy interoperability across multiple jurisdictions. OIX’s “Risk Wiki” helps resolve key identity authentication issues like liability and privacy through an ongoing aggregation of policy and best practices. The OIX now hosts a growing number of working groups developing interoperability certification requirements for telco and internet identity authentication at higher levels of data assurance, protection and control. OIX is collaborating with international legal, financial and standards organizations and plans to help launch a series of B2B and B2G trust frameworks in 2011.
Last week’s workshops helped shape the views of many attendees from industry, academia and public interest groups, as well as NSTIC and other government participants, and touched on several themes:
• Broad-based, clear and compelling G2C identity authentication or trusted transaction use cases have yet to be developed at higher levels of assurance.
- To be sure, positive pilot projects like the NIH iTrust and the Online Constituent Identity project are underway.
• The “business case” for LoA 1 certification and drivers of cross government adoption have not yet been fully realized.
- This is resulting in slower-than-hoped development of the FICAM public-private partnership.
• Many in industry prefer a more integrated approach to fully consider recent technical and policy guidance from a variety of government agencies.
- These cross-government applications notably include the FTC, NIST, NSTIC and others.
• Many leading companies in the identity space find the current NIST Levels of Assurance not yet fully actionable and in need of updating.
- Many believe the participation, interests and duties of relying parties have yet to be adequately considered and adequately articulated.
• Specifically, the absence of relying party best practices and of guidance for assessors has inhibited industry expectations and requirements.
- The coincidence of the pending finalization of the NSTIC, the announcement of the DOC program office and the accelerating development of B2B trust frameworks is an indicator of a rapidly evolving identity ecosystem.
• The media reaction to the preliminary announcement of NSTIC is mixed.
- This shows a need for more discussion and outreach. As a result, OIX is also now planning a series of follow-up activities with Kantara, TechAmerica, the Center for Democracy and Technology and others.
Tags: government, NSTIC
Posted at 9:00 am on August 13, 2009 by Chris Messina
Announcing availability of joint white paper: “Open Trust Frameworks for Open Government”
Washington, D.C.—August 13, 2009–The OpenID Foundation (OIDF) and the Information Card Foundation (ICF) announced today they have published a white paper outlining their approach to open trust frameworks for certification under the U.S. General Services Administration’s Trust Framework Adoption Process (TFAP). Open trust frameworks provide a way for citizens to easily and safely engage with government websites: a key step in making open government a reality.
“Open trust frameworks are the way to bridge open identity technologies like OpenID and Information Cards with the trust requirements of large communities such as the U.S. Federal Government,” said Drummond Reed, executive director of the Information Card Foundation. “They are a practical solution to enabling government agency websites and applications to accept identities from non-governmental identity providers. This reduces friction and lowers costs while at the same time increases security and privacy.”
“The fact of the matter is you can’t have open government with broad citizen engagement without trust frameworks and open standards,” adds Don Thibeau, executive director of the OpenID Foundation. “OpenID and Information Cards offer an open standards approach for achieving this via the Internet and other public networks.”
The paper, “Open Trust Frameworks for Open Government,” coauthored by Thibeau and Reed, is available for download at the OpenID Foundation and Information Card Foundation websites. More information on the U.S. General Services Administration’s Trust Framework Adoption Process is available on the government’s IDManagement.gov website.
About the OpenID Foundation
OpenID Foundation (OIDF) is a non-profit open source community whose mission is to drive the broad adoption of OpenID technology. The Foundation fosters and promotes the development and adoption of OpenID as a framework for user-centric identity on the Internet. OpenID allows users to sign in to multiple websites without needing to create new passwords. OIDF is headquartered in San Ramon, Calif. www.openid.net
About the Information Card Foundation
The Information Card Foundation is an international non-profit whose mission is to advance simpler, more secure, and more portable digital identity on the Internet. Information Card technology gives users greater control over personal information while at the same time enabling more beneficial digital relationships with businesses. Steering members of the foundation include Deutsche Telekom, Equifax, Google, Intel, Microsoft, Novell, Oracle, and PayPal. ICF is headquartered in Boston, MA. Visit the ICF website at www.informationcard.net.
Tags: Don Thibeau, drummond reed, government, information card foundation
Posted at 1:15 pm on August 10, 2009 by Chris Messina
This is an interview conducted by Chris Messina, an OpenID board member and elected community representative, with Don Thibeau, Executive Director of the OpenID Foundation.
So, how have your first months with the foundation been?
Fast paced. I am amazed at the level of activity, complexity of issues and the volume of opinions. The Foundation is evolving rapidly from within; the range of membership interest is increasing. From the outside, the diversity of adoption and adopters is exploding. It’s a wild ride.
OpenID is surfing a huge wave of mainstream interest in social media, in open government and in industry positioning for open web realities. I’ve kept a low profile for three reasons. One: there are much better evangelists in the community than me; two: I’ve been tending to legal, financial, “plumbing” issues. We needed to fix the “foundation of the foundation” to respond to legitimate demands from the community for more services and better tools, at the same time as giving member companies the accountability they require. Lastly, the CIO of the government called the OpenID board to a meeting in Washington to ask for our help with the President’s “Open Government” initiative. It was a memorable meeting for two reasons: it took place at the White House Conference Center, and I’ve never seen OpenID Foundation board members wearing suits and ties.
What kind of unexpected challenges and opportunities have you encountered?
I knew I had a cool job when a friend mentioned NASA was using OpenID to task satellites. Like many agencies, NASA Goddard has been experimenting with the use of various open standards (Geospatial and others) including OpenID and Information Cards. We are also hearing from state, local and foreign governments about their desire to use OpenID. Maybe because I live in DC, I see the OIDF participation in government standards or “sausage making” as common sense. GSA, NIST and other government forums are exactly where collaboration is expected and beneficial to OpenID. All the while, I’ve been playing catch-up to make the Foundation run smoother. I live in Washington D.C. and work with Board members on the East and West coasts, in Bangalore and Tokyo. These challenges come with the territory. So, I am long on opportunities and short on time.
How do you feel about the progress you and the rest of the board have made in the past months?
One clear consensus view is we want more done sooner. It’s a good problem. It reflects the dynamism of today’s identity ecosystem and the pressure we all feel to have the Foundation matter on issues we care about. For good reasons and bad, all too often the Foundation operated at a suboptimal level. Now we are working to improve the quality of membership services, specification processes and web tools. The engine of the OIDF remains its working groups and committees. We live and die by the level of community participation and the quality of Board leadership.
While there are boards with members with fancier titles, the OpenID Board is made up of people responsible for getting things done in their companies and among their peers. This Board is still new; a mash-up of companies, personalities and passions. My job is to be an honest broker of ideas and build an environment so we can stay focused on a protocol-specific agenda and add value in this rapidly evolving identity ecosystem.
Let’s get into some specifics: you mentioned that one of your top three priorities was to “build a foundation for growth” by making sure that the “Foundation’s finances and governance issues are solid.” Can you elaborate on specific steps that you’ve taken so far and what kind of progress you’ve made?
First, we’ve outsourced all non-essential functions like accounting, administration, etc. to companies that do that for a living for other open standards groups. This gives member companies the accountability they require to contribute financially and the community the confidence they need to contribute expertise. Second, we’ve put our money where our mouth is. The budget invested scarce resources in only those plans that protect IP, promote adoption and evolve OpenID. As Raj Mata, our treasurer, said: “We will not have a ‘feed the beast’ budget.” The Board agreed to fund only those things a Foundation like ours can and must do.
The investment in “plumbing” will result in easier “on-ramps” for individual members and corporate sponsors. Memberships will be processed faster and budgeting standardized. Better tools for committees and working groups are some of our success metrics. I need to demonstrate the OIDF’s capacity to provide thought leadership and tangible participation benefits. Chris Messina is leading a volunteer effort with Michael Olson (of JanRain) and “Content Wrangler Extraordinaire” Amanda Richardson to update our web workplace and community participation.
Now let’s cover some specific areas of emphasis for OpenID. What can you tell us about the progress with improving OpenID’s usability?
This is a key concern throughout the community. We have to do better. We are planning a series of usability events in the fall. These will focus on usability in government adoption as well as in new areas of adoption. We are planning open use case workshops with the National Institutes of Health, the National Library of Medicine and the National Cancer Institute to refine interoperability and look at usability through the eyes of scientists collaborating worldwide. Luke Shepard of Facebook and Alan Tom of Yahoo, our usability committee co-chairs, are looking at several options in the Bay Area to bring new energy and approaches to OpenID usability. Google has long-standing and deep domain expertise in usability, and our efforts can now include new players like Sears and Kmart. I know the developers in “My-Sears” usability labs in Chicago are looking forward to meeting their peers in the Bay Area and throughout the community.
OpenID’s growth has been exponential, but its adoption has been asymmetrical. Usability is the key to a more balanced evolution. We need more relying parties involved in this adoption dynamic than we’ve seen to date. But as with security, I believe the more platforms are built where OpenID can be used, the more value gets created. It will be fascinating to see how this “network effect” plays out.
What’s new with OpenID, security and privacy?
With the growing mainstream interest in OpenID comes good and bad. We are open to misunderstanding from non-technical audiences and increased scrutiny by privacy advocates and interest groups. I think OpenID can benefit from the mainstream media’s excited embrace of social web tools and therefore be enriched by mainstream adoption. I am a fan of Facebook’s Tim Sparapani, a former civil liberties attorney. He is one of the most articulate voices in the community on privacy. In many ways, privacy has become a commodity. Travelers exchange it for safety; celebrities exchange it for, well, celebrity; and we all exchange it for a few cents off at the checkout aisle in the Safeway. We know that the social web is, by definition, interactive, that it takes information about what I’m typing in order to send things to me.
Privacy is an issue. It is not a crisis. The industry has done the right thing by getting ahead of this curve and saying we have to be part of a coordinated effort to address the public and address people in Washington DC, especially those interested in “open government.” One of the principles the Board wants to embed is a self-regulatory, self-certifying system. We’re committing to collaborating with the entire identity ecosystem in order to educate the public continuously about both benefits and risk mitigation.
Security is another issue the Board has invested in. The government interest in OpenID forces a deep dive into these issues. I am reminded daily about OpenID’s security challenges. I welcome the worries. It’s understandable given the denial of service attacks we’ve seen recently. My response is an invitation to join the effort to shape our standard. OpenID is a new protocol; it is undergoing a rigorous real-time shakedown. Andrew Nash, a board member of both the OpenID and Information Card Foundations, put together a team at PayPal to help OpenID get traction on one of our toughest challenges. That’s the kind of leadership that will help get traction on one of the Foundation’s highest priorities.
Lastly, what should we be looking forward to over the next three to four months?
Some call government adoption the “mother of all use cases.” We have been collaborating with ICF and other groups on a theme we call “Open Trust Frameworks for Open Government.” Our working hypothesis is that the US Government’s pilot adoption of OpenID protocols is a “forcing function” and will yield benefits throughout the open identity community. As a forcing function, the government’s technical “profile” for OpenID and accompanying certification requirements (Trust Framework Adoption Program) are, in effect, use case constraints. I believe the size, influence and market value of a government-wide adoption offers timely, material and strategic benefits to member companies and the community at large. OpenID OPs who want to participate in adoption of OpenID “are forced” (no one forces Google to do anything…) to complete a set of tasks based on the GSA’s limited, pared-down set of technology features, certification requirements and privacy controls.
The OpenID Foundation and other identity protocol organizations have invested significant resources in this public/private collaboration. These industry-leading groups have clear expectations of significant positive returns in several areas. Vivek Kundra, US CIO, told the OIDF that the government intends to leverage the large and growing OpenID installed base and corporate sponsorship to further its open government goals. So the OIDF believes this forcing function will further its mission by accelerating adoption and improving and streamlining how government agencies, contractors and citizens use OpenID.
But only time will tell; this public/private industry initiative will be successful if the current collaboration expands to meet the increased challenges of the next phase: a public-facing launch of our open trust framework and pilot programs at the NIH and other agencies.
Tags: Don Thibeau, government, interview