1) Working Group Name:
International Government Assurance Profile (iGov)
The purpose of this working group is to develop a security and privacy profile of the OpenID Connect specifications that allows users to authenticate and share consented attribute information with public sector services across the globe. The resulting profile will enable standardized integration with public sector relying parties in multiple jurisdictions. The profile will be applicable to, but not exclusively targeted at, identity broker-based implementations.
- Develop a set of internationally applicable use cases and requirements that are specific enough to guide the profiling design work, considering interrelations with risk mitigation and user experience efforts.
- Define a layered set of profiles for OAuth 2.0 and OpenID Connect, where each successively builds on and references the previous ones.
- Promote progressive harmonization with existing specifications and protocols as appropriate.
- The profiles are to be based on OAuth 2, OpenID Connect, JWT, JOSE and other related OpenID Foundation and IETF specifications.
- Support both direct and hub deployment architectures.
The following efforts are out of scope:
- Development of a generalized resource discovery mechanism.
- Development of related trust frameworks.
- Development of new extensions or technical specifications.
All items not expressly mentioned as in scope or out of scope are to be determined by the Working Group.
4) Proposed Specifications
The following layered specifications will be produced, with precise specification names and boundaries subject to change:
- International Government Assurance Profile for OAuth 2.0.
- International Government Assurance Profile for OpenID Connect (referencing the previous specification as appropriate).
It is anticipated that the following non-normative materials will also be produced, at a minimum:
- International Government Assurance Use Cases and Requirements
- International Government Assurance Overview
5) Anticipated audience or users
The anticipated audience for the documents produced by this Working Group includes developers, deployers, and designers of online services and network devices that act on behalf of individuals accessing public sector and/or high value commercial services. It is expected that all levels of governments can participate and benefit from the specifications delivered by this working group. The group also anticipates gathering input from individual users of online services in order to respond to their needs and preferences.
Work will be conducted in English.
7) Method of work:
E-mail discussions on the working group mailing list, regular working group conference calls, and opportunistic face-to-face meetings when a significant number of active members are co-located.
8) Basis for determining when the work is completed:
The work will be considered complete once it is apparent that maximal consensus on the draft has been achieved, consistent with the purpose and scope of the charter, and interoperability with at least two independently developed implementations of software based on the profiles has been demonstrated.
The working group intends to expedite the process of gathering stakeholder representatives to collaborate in the development of profiles to support secure and privacy enhancing online authentication, authorization, and consent when accessing public sector and/or other high value private sector services.
France Connect, BA ID in Argentina and Clave Unica in Chile are some examples of governments currently using OpenID Connect for broad citizen-to-government interaction.
One impetus is the proliferating deployment of “identity hub” architectures within many international digital services delivery schemes, such as the US’s Connect.gov and the United Kingdom’s Verify UK. Currently, relying party applications integrate with these architectures using Security Assertion Markup Language (SAML) v2.0. While a well-known standard, SAML does not support the consent and authorization mechanisms of OpenID Connect, nor is it easy to integrate with for a broad range of application developers. This working group would determine the privacy and security characteristics, as well as the relevant use cases within the public sector, necessary to establish a profile that can be widely deployed in government identity services.
It is expected that the profiles developed in this working group would be recommended within public services trust frameworks, such as the US Trust Framework Services (TFS) program.
Related work and liaison relationships:
This Working Group has a number of dependencies on, and shared goals with, the output of other efforts.
- IETF OAuth Working Group
- IETF Token Binding Working Group
- OIDF OpenID Connect Working Group
- OIDF HEART WG
- Kantara UMA WG
- Kantara Federation Interoperability WG
- ISO/IEC SC 27/WG 5
Non-Normatively Related Profiles
- FICAM Security Assertion Markup Language (SAML) 2.0 Identifier and Protocol Profiles for Backend Attribute Exchange (BAE) v2.0
- NZ iGovt Context Mapping Service
- UK IDAP
- Troy Ronda, SecureKey
- Nat Sakimura, Nomura Research Institute
- John Bradley, Ping Identity
- Michael B. Jones, Microsoft
- Rolando Martínez González, (Chile) Individual Member
- Venkat Maddali, (NZ) Individual Member
- Alvaro Cuno Parari, (Peru) Individual Member
- Juan Ignacio Fiorentino (BA ID, Buenos Aires) Individual Member
- Roland Hedberg (Umea University, Sweden) Individual Member
- Paul Grassi (US, NIST)
FICAM OpenID Connect Profile, Draft
This Working Group will target producing use cases and requirements within 2 months of inception in order to guide its design effort, and will target 6-12 months overall to develop a V1.0 set of profiles and other auxiliary materials, facilitating the development of multiple independent draft implementations as appropriate during this time. The following are suggested initial milestones for consideration by the Working Group:
- GIS Sept 2015: Approval of WG creation
- TBD Event to announce Implementer’s Drafts (NLT 12 months after formal kickoff of WG).
- Interop testing among multiple implementations (once Implementer’s Drafts are available)
- TBD Event to announce Final profiles (NLT 6-12 months after Implementer’s Drafts)