
OIX trust framework to secure citizen-to-government authentication

Alexander B. Howard, Associate Editor
SAN FRANCISCO -- A new trust framework was launched this week at the RSA Conference that is dedicated to enabling the exchange of online identity credentials across public and private sectors.

Using grants from the OpenID Foundation and the Information Card Foundation, the Open Identity Exchange (OIX) has been approved by the U.S. government to certify online identity management providers.

The OIX trust framework provides a way for a website to trust identity, security and privacy assurances from an "identity provider" acting on behalf of a user. Google Inc., PayPal Inc. and Equifax Inc. are the first three OIX-certified identity providers to offer digital identity credentials that U.S. government websites can accept for privacy-protected registration and login.

"We've developed OIX as an industry-led trust framework," said Judy Spencer, chair of the Federal PKI Policy Authority and Federal Identity Credentialing Committee at the U.S. General Services Administration. "This is about following through for an administration very committed to open solutions and open government. Part of that commitment is using new technology to do real work. We're trying to mitigate vulnerabilities and protect privacy."

OIX comes as Congress examines new online privacy horizons and the Federal Trade Commission looks into cloud computing security. "This is a coherent set of privacy requirements around how citizens will interact with the government over the Web," said Don Thibeau, executive director of the OpenID Foundation.

John Madelin, director of professional services at Verizon Business, which is currently in the OIX certification process, said, "It's very clear that a user-centric model is the way things have to go in identity management. Anyone who has been involved in a large-scale identity management project sees the value of user-centric authentication. Users will have to take more responsibility for enrolling themselves, and a trusted third party will have to take the side of the user in brokering trusted transactions."

A trust framework for .gov

The launch of the OIX builds on the OpenID pilot project for identity management at the National Institutes of Health (NIH), where the U.S. government began using OpenID as a federated identity framework for .gov authentication.

"I believe that trust frameworks are the next generation of how privacy will advance on the Internet," said Drummond Reed, executive director of the Information Card Foundation. "Think of this as taking a whitelist function and turning it into an ongoing, standardized certification program for authentication."

One important element of the OIX lies in the standardization of privacy principles promulgated through IDManagement.gov. These principles, agreed upon by a subcommittee of chief privacy officers from federal agencies, are a de facto standard for privacy in how the government will authenticate citizens interacting with .gov sites online. Organizations that wish to be certified to assess commercial identity providers must undergo scrutiny by the Identity, Credential and Access Management (ICAM) community. The Trust Framework Provider Adoption Process outlines the procedure.
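What the trust framework means for a .gov relying party in practice is that an OpenID assertion is accepted only if it is cryptographically valid and comes from a provider the framework has certified at the required assurance level. The following is an added example, not code from the article, from OIX or from any of the providers named: it verifies an OpenID 2.0 positive assertion (HMAC-SHA256 over the signed fields, return_to and nonce checks) and gates acceptance on a constructed certification registry keyed by provider endpoint. The registry contents, endpoints, association key and sample assertion are all made up; discovery (confirming the claimed identifier really belongs to that provider) and the stateless check_authentication fallback are out of scope and are assumed to have been done or to be unnecessary here.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed trust-framework registry: the OpenID Provider (OP) endpoints this
# relying party (RP) accepts and the assurance level (LOA) each is certified for.
# A real RP would load this from the framework's published certification list.
CERTIFIED_PROVIDERS = {
    "https://op-a.example/openid": {"loa": 1},
    "https://op-b.example/openid": {"loa": 2},
}

# Fields that must be covered by openid.sig before the assertion is trusted.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def kv_form(params, signed_fields):
    """OpenID 2.0 key-value form of the signed fields: 'name:value\\n' per field."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode("utf-8")


def sign(mac_key, params, signed_fields):
    """HMAC-SHA256 over the key-value form, base64 encoded (the value of openid.sig)."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(query, mac_keys, expected_return_to, required_loa, seen_nonces, now=None, max_skew=300):
    """Return (accepted, reason) for the query string delivered to the RP's return_to URL.

    mac_keys maps association handle -> MAC key shared with the OP beforehand;
    seen_nonces is the RP's replay cache and is updated on acceptance.
    """
    now = time.time() if now is None else now
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("openid.ns") != OPENID2_NS or p.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = p.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    if missing:
        return False, "required fields not signed: " + ",".join(sorted(missing))
    # Trust-framework gate: only certified OPs, at or above the LOA this page needs.
    entry = CERTIFIED_PROVIDERS.get(p.get("openid.op_endpoint"))
    if entry is None:
        return False, "op_endpoint not certified by the trust framework"
    if entry["loa"] < required_loa:
        return False, "op certified below required LOA"
    if p.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    key = mac_keys.get(p.get("openid.assoc_handle"))
    if key is None:
        return False, "unknown association handle"
    try:
        if not hmac.compare_digest(sign(key, p, signed), p.get("openid.sig", "")):
            return False, "signature invalid"
    except KeyError:
        return False, "signed field missing from message"
    # response_nonce is a UTC timestamp plus a unique suffix: bound clock skew, refuse replays.
    nonce = p["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > max_skew:
        return False, "response_nonce outside allowed skew"
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(nonce)
    return True, "accepted"


def make_assertion(mac_key, op_endpoint, nonce, return_to="https://rp.example/login/return"):
    """Build a positive assertion the way a cooperating OP would (constructed sample)."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    p = {
        "openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.return_to": return_to,
        "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-1",
        "openid.claimed_id": "https://op-a.example/user/alice",
        "openid.identity": "https://op-a.example/user/alice",
        "openid.signed": ",".join(signed),
    }
    p["openid.sig"] = sign(mac_key, p, signed)
    return urlencode(p)


MAC_KEY = b"\x01" * 32  # constructed association key; a real one comes from the association handshake
NOW = calendar.timegm(time.strptime("2010-03-04T12:00:00Z", "%Y-%m-%dT%H:%M:%SZ"))
RETURN_TO = "https://rp.example/login/return"


def demo():
    """Run the verifier over a good assertion and several rejected variants."""
    keys, cache = {"assoc-1": MAC_KEY}, set()
    good = make_assertion(MAC_KEY, "https://op-a.example/openid", "2010-03-04T11:59:30Zabc")
    rogue = make_assertion(MAC_KEY, "https://evil.example/openid", "2010-03-04T11:59:31Zabd")
    return {
        "valid": verify_assertion(good, keys, RETURN_TO, 1, cache, NOW),
        "replay": verify_assertion(good, keys, RETURN_TO, 1, cache, NOW),
        "tampered": verify_assertion(good.replace("alice", "mallory"), keys, RETURN_TO, 1, set(), NOW),
        "uncertified_op": verify_assertion(rogue, keys, RETURN_TO, 1, set(), NOW),
        "loa_too_low": verify_assertion(good, keys, RETURN_TO, 2, set(), NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The ordering matters: the registry check runs before the signature check so that a rogue provider cannot make the RP do key lookups or MAC computations on its behalf, and the nonce is recorded only after every other check passes so that a forged message cannot poison the replay cache. Raising the required LOA for a page (for example from the LOA1 uses Spencer describes to something higher) is then a one-argument change on the RP side.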

"It's an open marketplace, with a choice of identity providers and assessors. The OIX will act as a referee, effectively, clearly separating the role of the policy makers from the role of the certifiers," said Thibeau. "There's a notion of openness throughout how we do it. It's all online and transparent, with assessors and reports all available."

OIX as third-party identity arbiter, not a federal body

"We don't want to be the regulator," said Spencer. "We want the industry to self-regulate. The idea is by collaborating, the OIX becomes a trusted provider for secure authentication of citizens with government websites. The plans are that the government will start enabling OpenID and Infocard for LOA1 [Level of Assurance 1] uses, like the ability to blog, customize RSS feeds or set up email alerts. Users will be able to create a 'My.Gov' experience, customizing a view."

From a compliance standpoint, this could be crucial for access control in the future, explained Reed. "This process of accepting an external identity from within the enterprise is just a new option for provisioning," he said. "You're going to have to provision the account one way or another."

"The U.S. government has done industry -- and hopefully the Internet -- a huge favor by moving towards this trust framework," said Reed. "There are dozens of applications every day where federal, state and local government are now using social media. In every case, those actions are built on assumptions of identity. U.S. CIO Kundra sees this as a tangible way he can point to working on meeting the Open Government Initiative."

Added Spencer, "It's up to the agencies after today. Every .gov website that wants to can use OpenID or an Information Card to authenticate citizens."
