Open Identity Trust Framework

Convener: Don Thibeau and Drummond Reed

Tags: Open identity, trust frameworks, assurance, policy, US government

Discussion notes: [SEE SLIDES.]

Background

There’s a work in process, spurred by committee of committees in U.S. Federal Government, who have been focusing in the past year on identity from the perspective of services to the citizen. Began 10 years ago with Al Gore having Government do things in hopes that industry would follow. (Didn’t work.) So now it’s a political effort of trying to open up government, using social networking tools (many of which helped Obama in his campaign). In March the U.S. Gov’t asked Foundations to help in this, the “mother of all use cases.”

Purpose

The purpose of this IIW discussion is to answer questions and get feedback on evolving work by OIDF and ICF in this effort.

Government RP Requirements

Open (not just US citizens); explicit (level of assurance (NIST LOA) requirements; Internet scale.

Foundations’ Work

Since March the Foundations have worked with U.S. Government to develop government documents spelling out process.

What’s next? How best to implement the profiles and trust framework.

[See slides regarding Foundations’ principles of openness, key insights, IIW insights in particular.]

User agents could take advantage of a white list operated by the Open Identity Interoperability Framework, which will have a registry capability.

Metadata registry would handle both the Trust Framework (covered by MOA) and the Interoperability Framework.

We are trying to anticipate a global framework.

To be consistent with their missions, the Foundations are aiming to further adoption.

Questions/Comments:

NIST defined LOA; what about LOP – who is to define? U.S. Government’s TFAP does have some protection requirements (but who these obligations are for/who can enforce them is another matter). Privacy Impact Assessment (PIA) applies to Government web sites, but how to apply this if trust framework extends to private RPs? The FTC is wanting to protect users’ privacy in ways that don’t put heavy burden on user.

What is meant by an “explicit trust framework”?

When you say “Internet scale”, I see one point right now. Where is the list now? Is this another DNS? Is it centralized?

What is a trust profile? A trust profile is LOA and LOP as defined by policy authorities. Trust framework is the way the whole thing becomes interoperable.

What profiles? SAML, OpenID and InfoCards, but in theory whatever is approved by U.S. Gov’t in that trust framework.

Kantara has developed something quite similar.

Who is the envisioned trust framework provider? Both boards have invested in this exchange with government. Now both Foundations are considering, together and separately, whether they should take on this role, and if so, how. Standalone? Joint venture? Outsourced to Kantara? Etc.

Who are the Assessors?

How does liability work?

How does this relate to ISO/ITU work? They are internationalizing NIST work for LOA. Isn’t the ITU working on trust framework? That work is very complementary – it makes it easier to have profiles that lots of folks can agree to.

Identity and trust assessments are essentially independent – they need to be viewed as separate processes and separate infrastructures. Authentication useful when plugged into a process. The model is too simple and too concentrated.

Seems to make sense to get in the door by responding to U.S. Gov’t requirements. Simple first step to start engaging.

There should be many sessions to drill into the parts of this.

Who’s driving the process, and how do people get involved? OIDF and ICF are driving this, contact us or board members if you want to participate. It’s moving at Government time, which allows people to participate in shaping it.

Why are the Foundations doing this? Not directly to influence the Government, but aware that what Government does will inevitably affect the private sector.

Wouldn’t it make sense for Kantara and the Foundations to cooperate on this? Yes.

Should we take out the word “Trust” – it should be “Open Identity Exchange Framework”. [Dick:] No – the certification is to allow trust.

Why would LOA1 require certification? Because the customer says so. But is that a good reason?

[Quite well attended – roughly 45 people, at capacity.]

http://wiki.informationcard.net/files/Presentations/open-identity-trust-fmwks.ppt