The OIX trust framework provides a way for a website to trust identity, security and privacy assurances from an "identity provider" acting on behalf of a user. Google Inc., PayPal Inc. and Equifax Inc. are the first three OIX-certified identity providers to offer digital identity credentials that U.S. government websites can accept for privacy-protected registration and login.
"We've developed OIX as an industry-led trust framework," said Judy Spencer, chair of the Federal PKI Policy Authority and Federal Identity Credentialing Committee at the U.S. General Services Administration. "This is about following through for an administration very committed to open solutions and open government. Part of that commitment is using new technology to do real work. We're trying to mitigate vulnerabilities and protect privacy."
OIX comes as Congress examines new online privacy horizons and the Federal Trade Commission looks into cloud computing security. "This is a coherent set of privacy requirements around how citizens will interact with the government over the Web," said Don Thibeau, executive director of the OpenID Foundation.
John Madelin, director of professional services at Verizon Business, which is currently in the OIX certification process, said, "It's very clear that a user-centric model is the way things have to go in identity management. Anyone who has been involved in a large-scale identity management project sees the value of user-centric authentication. Users will have to take more responsibility for enrolling themselves, and a trusted third party will have to take the side of the user in brokering trusted transactions."
A trust framework for .gov
The launch of the OIX builds on the OpenID pilot project for identity management at the National Institutes of Health (NIH), where the U.S. government began using OpenID as a federated identity framework for .gov authentication.
"I believe that trust frameworks are the next generation of how privacy will advance on the Internet," said Drummond Reed, executive director of the Information Card Foundation. "Think of this as taking a whitelist function and turning it into an ongoing, standardized certification program for authentication."
One important element of the OIX lies in the standardization of privacy principles promulgated though IDManagement.gov. These principles, agreed upon by a subcommittee of chief privacy officers from federal agencies, are a de facto standard for privacy in how the government will authenticate citizens interacting with .gov sites online. Organizations that wish to be certified to assess commercial identity providers must undergo scrutiny by the Identity, Credential and Access Management community. The Trust Framework Provider Adoption Process outlines the procedure.
"It's an open marketplace, with a choice of identity providers and assessors. The OIX will act as a referee, effectively, clearly separating the role of the policy makers from the role of the certifiers," said Thibeau. "There's a notion of openness throughout how we do it. It's all online and transparent, with assessors and reports all available."
OIX as third-party identity arbiter, not a federal body
"We don't want to be the regulator," said Spencer. "We want the industry to self-regulate. The idea is by collaborating, the OIX becomes a trusted provider for secure authentication of citizens with government websites. The plans are that the government will start enabling OpenID and Infocard for LOA1 [Level of Access 1] uses, like the ability to blog, customize RSS feeds or set up email alerts. Users will be able to create a 'My.Gov' experience, customizing a view."
"The U.S. government has done industry -- and hopefully the Internet -- a huge favor by moving towards this trust framework," said Reed. "There are dozens of applications every day where federal, state and local government are now using social media. In every case, those actions are built on assumptions of identity. U.S. CIO Kundra sees this as a tangible way he can point to working on meeting the Open Government Initiative."
Added Spencer, "It's up to the agencies after today. Every .gov website that wants to can use OpenID or an Information Card to authenticate citizens."