The US “NSTIC” and the “Open Identity for Open Government” Initiative

by Don Thibeau

There has been much discussion lately about the US National Strategy for Trusted Identities in Cyberspace, NSTIC. This is a summary of some key developments. Last week in Washington DC, a series of workshops addressed various aspects of the evolving NSTIC. The first focused on use cases that fall under the NSTIC umbrella. The discussion of identity authentication, privacy and security in G2C applications engaged a wide range of viewpoints from the technologists, policy makers, lawyers and advocates present. That event, “New Urban Myth: The Internet ID Scare,” was co-sponsored by the OpenID Foundation, the Open Identity Exchange and the Center for Democracy and Technology. Another workshop, “How Open Identity Frameworks Address Privacy, Security and Global Market Needs,” discussed how user needs can be integrated with those of relying parties, identity providers and other data handlers. It was co-hosted by the American Bar Association’s Federated Identity Management Legal Task Force, Harvard’s Berkman Center for Law and the Internet, and the Open Identity Exchange.

To be clear, the OpenID Foundation has no position with respect to the NSTIC. The OIDF’s focus is on technology “tools.”

As a technical standards development organization, the OIDF develops technology and promotes adoption of open identity protocols. As a practical matter, the US CIO, the GSA, the White House and many government agencies reach out to the OIDF because it is a neutral, non-profit organization whose membership includes the leaders in search, enterprise and social media. Many in government and the OIDF share an interest in solving internet identity issues that are increasingly important to government operations, outreach and standards. For example, the US GSA FICAM program requires the use of OpenID 2.0 for technical interoperability compliance at NIST level 1 assurance; see: http://www.idmanagement. Last year at this time, the OpenID Foundation Board voted to respond to the US CIO’s “Open Identity for Open Government” initiative by providing a start-up grant to a legally separate organization: the OIX. The OIDF Board made sure companies could opt into participation in OIX at a time and in a manner of their choosing. The goals of the OIDF grant were to: 1) meet industry needs for open identity interoperability along the lines of the public-private partnership suggested by the US government, with extensibility to other governments and organizations; 2) fill critical infrastructure gaps in open identity certification at internet scale; and 3) develop policies and promote the adoption of open identity trust frameworks.

The Open Identity Exchange has been closely collaborating with the White House NSTIC team.  The OIX’s focus is policy “rules.”

The Open Identity Exchange (OIX) is a non-profit, technology-agnostic, multi-tenant certification listing service for open trust frameworks in internet and telecommunications applications. While the OIX has been collaborating with TechAmerica, the CDT, the AMA, and the World Economic Forum, it is neither a lobbying organization, an advocacy group nor a “think tank.” Its focus is on building interoperability of trust frameworks for industry self-regulation and market expansion. The OIX was the first US GSA FICAM authorized trust framework provider. It is developing two products. The first is a web-based metadata certification listing service to facilitate technical interoperability at internet scale. The second is the OIX “Risk Wiki,” an open source legal reference tool to facilitate policy interoperability across multiple jurisdictions. The “Risk Wiki” helps resolve key identity authentication issues like liability and privacy through an ongoing aggregation of policy and best practices. The OIX now hosts a growing number of working groups developing interoperability certification requirements for telco and internet identity authentication at higher levels of data assurance, protection and control. OIX is collaborating with international legal, financial and standards organizations and plans to help launch a series of B2B and B2G trust frameworks in 2011.

Last week’s workshops helped shape the views of many attendees from industry, academia and public interest groups, as well as NSTIC and other government participants, and touched on several themes:

• Broad-based, clear and compelling G2C identity authentication or trusted transaction use cases have yet to be developed at higher levels of assurance.

– To be sure, positive pilot projects like the NIH iTrust and the Online Constituent Identity project are underway.

• The “business case” for LoA 1 certification and the drivers of cross-government adoption have not yet been fully realized.

– This is resulting in slower-than-hoped development of the FICAM public-private partnership.

• Many in industry prefer a more integrated approach to fully consider recent technical and policy guidance from a variety of government agencies.

– This guidance comes from across government and notably includes the FTC, NIST, NSTIC and others.

• Many leading companies in the identity space find the current NIST Levels of Assurance not yet fully actionable and in need of updating.

– Many believe the participation, interests and duties of relying parties have yet to be adequately considered and adequately articulated.

• Specifically, the absence of relying party best practices and of guidance for assessors has held back the formation of industry expectations and requirements.

– The coincidence of the pending finalization of the NSTIC, the announcement of the DOC program office and the accelerating development of B2B trust frameworks is an indicator of a rapidly evolving identity ecosystem.

• The media reaction to the preliminary announcement of NSTIC is mixed.

– This shows a need for more discussion and outreach. As a result, OIX is now planning a series of follow-up activities with Kantara, TechAmerica, the Center for Democracy and Technology and others.