Frequently Asked Questions
Federal Identity, Credentialing, and Access Management
Overview
- Q: Why has the Federal Government proposed the development of Open Trust Frameworks?
- A: Pursuant to Congressional authority, the General Services Administration (GSA) Office of Governmentwide Policy (OGP) is responsible for government-wide coordination of a variety of activities aimed at improving electronic government services internally, with other government partners, with business partners, and with the American public. In pursuit of this mandate, OGP has pursued an interagency governance model that encourages agency innovation. The long-range vision is for identity management in government that takes advantage of a broad spectrum of solutions, embracing open private solutions that deliver high assurance and cybersecurity.[1]
One outcome of this move has been a transition away from a Federation model to an open model that promotes multiple agency solutions to comply with Office of Management and Budget (OMB) M-04-04. It is in the government’s best interest to leverage open identity management standards and resources whenever possible. Federal Identity, Credentialing, and Access Management (ICAM) aims to leverage industry-based credentials that citizens already have for other purposes. Industry-based frameworks to assess the trustworthiness of electronic credentials already exist and can be leveraged by the government. This approach, which includes the establishment of Open Trust Frameworks, can enable a scalable model for extending identity assurance across a broad range of citizen and business needs.[2]
- Q: What are the foundations’ roles in the open government initiative?
- A: Open government requires a way for citizens to easily and safely engage with government websites. Open identity technologies—specifically OpenID and Information Cards—fit this bill. They make it easier and safer for citizens to register, login, and when necessary share personally identifiable information across different websites and services. To bring open identity technologies and open government together, the OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
- Q: What are the benefits of OpenID and Information Card technologies?
- A: Simplified login reduces the many confusing username/password options users navigate today to a few secure methods standardized across all sites.
- Identity portability lets users “carry” the same identity credentials across different websites and services, just as people can now keep the same cell phone number across different wireless carriers.
- Automatic data exchange lets users register at a website or fill out a web form as easily as they swipe a credit card to make a payment today.
Trust Frameworks
- Q: What is a Trust Framework?
- A: In digital identity systems, certification programs that enable a relying party to trust the identity, security, and privacy assurances from an identity provider are called identity assurance frameworks, or more generally trust frameworks.[3]
In order to ensure that the credentials used in a Trust Framework are trustworthy [for use by government websites], the government must require that Trust Framework Providers (TFPs) comply with requirements for the credentials and their issuance, as well as for auditing qualifications and processes, based on OMB M-04-04 and NIST Special Publication (SP) 800-63.[4]
- Q: What is a Trust Network Provider (TNP)?
- A: A Trust Network Provider (TNP) is an organization that defines or adopts an on-line identity trust model and then, on behalf of ICAM, certifies identity providers compliant with that model. Adoption means that any identity provider certified by that TFP is qualified to provide identity assertions to Federal agencies, at a known level of assurance comparable to one of four OMB Levels of Assurance.[5]
- Q: What is an Identity Scheme?
- A: An identity scheme is a specific subset or profile of an open identity management standard. A SAML profile is an example of an Identity Scheme.
- Q: How will ICAM adopt Identity Schemes?
- A: Critical to the success of the ICAM Program is the assessment and adoption of identity schemes that best serve the interest of the Federal Government. Based on guidance from OMB, NIST, and review from private sector partners, ICAM has proposed an Identity Scheme Adoption Process (ISAP), set forth in the document of the same name. The ISAP provides a consistent, standard, structured means of identifying, vetting, and approving identity schemes that meet all ICAM requirements, as well as other Federal statutes, regulations, and policies.[6]
- Q: How will ICAM assess TFPs and adopt Trust Frameworks?
- A: ICAM has proposed a similar Trust Framework Provider Approval Process (TFPAP) whereby the government can assess the efficacy of the Trust Frameworks for Federal purposes so that an Agency online application or service can trust an electronic identity credential provided to it at a known level of assurance comparable to one of the four OMB Levels of Assurance (LOA). Trust Frameworks adopted through this process allow federal Relying Parties (RPs) to trust credential services from Trust Framework Providers that have been assessed and certified.[7]
Levels of Assurance
- Q: What are the four OMB Levels of Assurance and how are they assessed?
- A: Each of the four Levels of Assurance is assessed against the same five (5) trust categories:
- Registration and Issuance – how well does the credential service provider (Identity Provider) register and proof the identity of the credential applicant, and issue the credential to the approved applicant?
- Tokens – what is the Identity Provider’s token technology and how well does the technology intrinsically resist fraud, tampering, hacking, and other such attacks?
- Token and Credential Management – how well does the Identity Provider manage and protect tokens and credentials over their full life cycle?
- Authentication Process – how well does the Identity Provider secure its authentication protocol?
- Assertions – how well does the Identity Provider secure Assertions, if used, and how much information is provided in the Assertion?
Each Identity Provider and TFP must demonstrate comparable trust in each of the above categories for each LOA at which it wishes its credentials to be trusted by government applications (including physical access control systems). TFPs demonstrate comparability to the Identity, Credential, and Access Management Subcommittee (ICAMSC). Identity Providers demonstrate comparability to a TFP.[8]
- Q: What Levels of Assurance are being discussed at this event?
- A: This event is about Level of Assurance 1 (LOA-1) services.
- Q: What about Higher levels of Assurance?
- A: Today’s event is focused on Level of Assurance 1 (LOA-1). There are also many government systems accessed by the public that require higher levels of Assurance. There are identity schemes (profiles of open identity management standards) which could achieve these higher levels. SAML is an existing example.
- Q: How will the ICAM Assessment Teams ensure that TFPs require adequate comparability by an Identity Provider in the assessment process?
- A: The ICAM Assessment Team will determine whether criteria applied by the TFP to its member Identity Providers (referred to variously as IdPs for Information Cards or SAML, or OPs for OpenID Providers) are comparable to ICAM criteria through a process that includes:
- Technical and policy comparability review based upon the criteria set forth in Appendix A of the TFPAP; and
- Privacy policy comparability using the following criteria:
- Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
- Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.
- Activity Tracking – Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
- Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
- Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.
- Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
- Stability – Determination of whether the Applicant sufficiently reviews member identity provider bona fides to ensure member identity provider organizational maturity, legitimacy, stability, and reputation.
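As an added example (not code from ICAM, the TFPAP, or any Trust Framework Provider), the following Python sketch shows how an Identity Provider could enforce the Minimalism, PIA-consistency, and Opt In criteria above as an attribute-release filter: only attributes the RP requested or the Federal profile requires are ever offered, the RP's request is checked against its PIA, and nothing is asserted without the user's positive per-attribute confirmation. The attribute names, the assumed profile-required `ppid` attribute, the sample user record, and the RP request are all constructed for the demonstration.

```python
# Added example: an Identity Provider attribute-release filter modelled on the
# TFPAP privacy criteria (Opt In, Minimalism, PIA consistency). This is not
# ICAM, TFPAP or any TFP's code; all names and sample data are constructed.

from dataclasses import dataclass, field

# Attribute the (assumed) Federal profile always requires, even when the RP did
# not list it explicitly. Constructed for the example.
FEDERAL_PROFILE_REQUIRED = frozenset({"ppid"})


@dataclass
class ReleaseRequest:
    """What the RP application asks for, and what its PIA says it may collect."""
    rp_id: str
    requested: frozenset        # attribute names the RP asked for
    pia_declared: frozenset     # data categories covered by the RP's PIA


@dataclass
class ReleaseDecision:
    released: dict = field(default_factory=dict)   # attribute -> value to assert
    withheld: set = field(default_factory=set)     # shown to user, user opted out
    rejected: bool = False
    reason: str = ""


def attributes_for_consent(user_attrs, req):
    """Minimalism: the only candidates for release are attributes the RP
    explicitly requested or the Federal profile requires. Everything else the
    IdP holds about the user is never offered, let alone transmitted."""
    allowed = req.requested | FEDERAL_PROFILE_REQUIRED
    return {name: value for name, value in user_attrs.items() if name in allowed}


def decide_release(user_attrs, req, opt_in):
    """Apply the criteria in order and return a ReleaseDecision.

    opt_in maps each attribute the user was shown to True (confirmed) or
    False (opted out). An attribute absent from opt_in was never confirmed,
    so it is treated as not confirmed (Opt In demands positive confirmation)."""
    decision = ReleaseDecision()

    # PIA consistency: an RP may not ask for data its PIA does not contemplate.
    excess = req.requested - req.pia_declared
    if excess:
        decision.rejected = True
        decision.reason = (f"RP {req.rp_id} requested attributes outside its "
                           f"PIA: {sorted(excess)}")
        return decision

    for name, value in attributes_for_consent(user_attrs, req).items():
        if opt_in.get(name, False):
            decision.released[name] = value
        elif name in FEDERAL_PROFILE_REQUIRED:
            # The transaction cannot proceed without a profile-required
            # attribute, but it must never be sent without positive consent.
            decision.released = {}
            decision.rejected = True
            decision.reason = f"user did not confirm required attribute {name!r}"
            return decision
        else:
            decision.withheld.add(name)   # user opted out of an optional attribute

    return decision


# Constructed sample data for a demonstration run.
SAMPLE_USER = {
    "ppid": "opaque-pairwise-id-1234",
    "email": "citizen@example.org",
    "full_name": "A. Citizen",
    "date_of_birth": "1970-01-01",
    "phone": "+1-555-0100",
}
SAMPLE_REQUEST = ReleaseRequest(
    rp_id="benefits.example.gov",
    requested=frozenset({"email", "full_name"}),
    pia_declared=frozenset({"email", "full_name", "ppid"}),
)

if __name__ == "__main__":
    shown = attributes_for_consent(SAMPLE_USER, SAMPLE_REQUEST)
    print("Shown to the user for Opt In:", sorted(shown))
    # The user confirms ppid and email but opts out of full_name.
    d = decide_release(SAMPLE_USER, SAMPLE_REQUEST,
                       {"ppid": True, "email": True, "full_name": False})
    print("Released:", d.released, "| Withheld:", d.withheld)
```

Note that `date_of_birth` and `phone` are never offered for consent because the RP did not ask for them, and a request that reaches beyond the RP's PIA is refused before the user is prompted at all.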
- Q: How does the government define Privacy?
- A: Privacy is defined to mean “the right to be let alone and to control the conditions under which information pertaining to you is collected, used and disseminated.”
Other Departments and Governments
- Q: What about DoD use?
- A: This event is focused on providing secure, privacy protecting access to government systems by the public, which is not subject to HSPD-12.
- Q: Are other governments adopting these open standards?
- A: There is a subcommittee on international initiatives that can better address this question.
- Q: What about credentials for the non-US public?
- A: It is the intention that persons residing outside the US may qualify for some credentials issued under this program.
- Q: How is this related to the “Red Flag Rule”?
- A: Under this proposal, IdPs that are subject to the “Red Flag Rule” (financial institutions or creditors) and wish to become certified IdPs would also have to meet the criteria specified by their Trust Framework Provider (TFP).
- Q: Why are multiple TFPs and multiple Identity Schemes being supported?
- A: It is important to offer the public and government RPs a choice.
Key Players
- Q: What is the Information Card Foundation?
- A: The Information Card Foundation (ICF) is a non-profit community of individuals and companies working together to evolve the Information Card ecosystem. Information Cards are a new approach to Internet-scale digital identity in which all of a user’s identities, whether self-created or from third-party identity providers, are uniformly represented as visual “cards” in a software application called a card selector. The cards themselves may be stored on the same computer as the card selector, on a mobile device, or “in the cloud”. Cards may be exchanged with websites using a variety of protocols and formats. All card selectors support at least the IMI protocol developed by the OASIS IMI TC; however, Information Cards are now being adapted to other protocols as well (including OpenID).
- Q: What is the OpenID Foundation?
- A: The OpenID Foundation (OIDF) was formed in June 2007 to help promote, protect and enable the OpenID technologies and community. The OIDF does not dictate the technical direction of OpenID; instead it will help enable and protect whatever is created by the community. OpenID is a Web registration and single sign-on protocol that lets users register and login to OpenID-enabled websites using their own choice of OpenID identifier. With OpenID, a user can operate their own OpenID service (such as on their blog), or they can use the services of a third-party OpenID provider (for example, most major Web portals, such as AOL, Google, and Yahoo, now offer OpenID service).
- Q: What is the InCommon Federation?
- A: The InCommon Federation creates and supports a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States. InCommon facilitates development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about the release of identity information and the control of access to protected online resources. InCommon is intended to enable production-level end-user access to a wide variety of protected resources.
- Q: What is the Kantara Initiative?
- A: The Kantara Initiative is an open identity community formed by the Concordia Project, DataPortability Project, Information Card Foundation, Internet Society, Liberty Alliance, OpenLiberty.org and XDI.org to collaboratively solve the harmonization and interoperability challenges that exist among identity-enabled enterprise, Web 2.0 and Cloud applications and services. Its membership includes representatives from the global government, financial services, healthcare, telecom, IT, developer and Web communities, working together to address the technology, business and privacy aspects of digital identity management. The Kantara Initiative Identity Assurance Certification Program, which certifies identity services at the four identity assurance levels outlined in the Identity Assurance Framework (IAF), is currently in pilot.
Footnotes
- [1] Source: Identity Scheme Adoption Process RC v1.0.0 (“ISAP”), page 6.
- [2] Source: ISAP, page 6, and Trust Framework Provider Adoption Process RC v1.0.0 (“TFPAP”), page iv.
- [3] Source: Open Trust Networks For Open Government: A White Paper from the OpenID Foundation and Information Card Foundation, V4.0, July 7, 2009, page 4.
- [4] Source: TFPAP, pages 7-8.
- [5] Source: TFPAP, pages 8 and iv.
- [6] Source: ISAP, pages 7-8.
- [7] Source: TFPAP, page 8.
- [8] Source: ISAP, page 9.