OpenID federated identity framework set for .gov authentication pilot

By Alexander B. Howard, Associate Editor
15 Sep 2009 | SearchCompliance.com

Enterprise IT news roundup

Welcome to the identity economy. Last week, U.S. CIO Vivek Kundra announced a pilot program to allow individuals to authenticate themselves on government websites using an open trust framework (OTF). The technologies chosen come from OpenID or Information Card, a move that puts the substantial weight of the federal government behind frameworks that have to this point enjoyed limited adoption.

Best of the Web
OpenID Pilot Program to be Announced by US Government (ReadWriteWeb)

Open Identity for Open Government Explained (Identity Woman)

IDManagement.gov

"Open Trust Frameworks for Open Government" (PDF, OpenID Foundation)

US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al. (TechCrunch)

Open ID for Government Takes Its Tentative First Steps (TechPresident.com)

Feds to Let Citizens Log In With Yahoo, Google, Paypal Accounts (Wired)

Kundra emphasized his support for more transparency and ease of use at the recent Gov 2.0 Summit. Instead of .gov websites that amount to "brochureware," Kundra said this move could allow government websites to evolve toward becoming "interactive, service-driven sites the American people can use in their own context."

"If you think about the American people as our customers, as far as access to information, they already have an account, whether it's Yahoo or Google or Microsoft or Facebook," Kundra said. "Why not leverage those platforms for services that are not sensitive in nature and services that are disposable in some ways, as far as use is concerned?"

That's a key aspect of the president's Transparency and Open Government directive as far as authentication is concerned, and if the program succeeds in government, both OpenID and Information Card (InfoCard) could become important in the creation of identity frameworks for the enterprise. Adopting this open framework is a concrete step that should make it easy for people to register and participate on government websites -- generally known as ".govs" -- without the need to create new usernames or passwords.

The involvement of multiple providers that will compete on features and ease of use is likely to catalyze competition, creating what Drummond Reed, executive director of the Information Card Foundation, calls an "identity economy." "We're going to see a long tail of identity providers just like you see portals in websites," said Reed in an interview with SearchCompliance.com.

Under the pilot program, the Center for Information Technology, National Institutes of Health and the Department of Health and Human Services will be the test beds for the identity framework program. Each will begin accepting OpenID and InfoCard credentials later this fall. The 10 organizations whose OpenIDs will be supported are Yahoo, PayPal Inc., Google Inc., Equifax Inc., AOL LLC, VeriSign Inc., Acxiom Corp., Citi, Privacy Vaults Online Inc. and Wave Systems Corp. OpenIDs that are self-hosted or on other services won't be accepted, at least at first.

"We've created a trusted framework and a trusted transaction model for the first time that I know of -- the breakthrough here is just that," said Don Thibeau, executive director of the OpenID Foundation.

Mary Ruddy, founder of Meristic Inc. and founding board member of the Information Card Foundation, explained, "We came at this from a user-centric perspective. Members of the public will be able to fully control how much or how little personal information they share with the government at all times."

Given that commercial services will be used to authenticate citizens on government websites, there are some outstanding questions about why agencies didn't create their own system. "Early on, the government came to the foundations and said that we think that you can perform this function better than we can," said Thibeau. "There's also a timeliness issue. If there isn't adoption, there's the risk of a Balkanized state where the first victim is privacy. Judy Spencer said publicly at a privacy meeting that she felt it would be irresponsible for the government not to adopt OpenID. If we don't catch the genie now, we won't be able to address the issue."

"If you want to have accountability in government, you need to have transparency. If you want to have transparency, you need to solve the problem of identity."
-- Don Thibeau, executive director, OpenID Foundation

Privacy, portability and user experience are significant issues for the identity framework. Some services already collect personally identifiable information, such as health data. Security is naturally also at the top of the list of concerns for authentication at .gov sites. "Under the OTF, the government has created a framework for schemes at four levels of assurance, defining security and privacy requirements for each," said Reed. "At level one, there is a very strong privacy requirement. If you're going to provide the service of a user going to the government agency, you won't use that as a correlatable fact."

These security, privacy, and reliability requirements are further described by the Trust Framework Provider Adoption Process on IDManagement.gov. "If you want to do Social Security, it will have to be certified at level 3," said Thibeau. "Technically, SAML [Security Assertion Markup Language] is another protocol that the government is certifying, but you have to have providers for that."

Enforcement of these provisions will sit with external auditors, although there's some vagueness about who precisely they will be. "This goes to the heart of the OTF -- as requirements published, foundations certified -- we have a program for certifying the identity providers," said Reed. "Providers have to say that they will comply, and then auditors have to certify that they have the ability to do that."

Reed added that "this is a better way of handling this than national cards. Compare this to what India is doing with a centralized system." In Thibeau's view, "that's an important difference, since there won't be a centralized database where all of this resides."

An information card presents other challenges, given that it has a physical incarnation. "It's one of the areas where there are differences in the technologies," said Reed. "With OpenID, there you're talking about identifier portability. If a user cares about that, a user can configure the provider as a delegate. With information cards, it's inherently a portable credential. Because they are portable, standard backup practices apply. If you're storing cards in the cloud, you have a backup. The cards themselves have to be portable. You have to be able to move to another one. That's been part of the architecture from the start."
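The delegation Reed mentions is OpenID 2.0's HTML-based discovery: the user's own URL carries link tags naming the provider and the provider-local identifier, so the provider can be swapped by editing those tags. The following is an added illustration, not code from the article or the pilot; the sample page, hostnames and function names are constructed, and the second function shows the relying-party check that a returned assertion actually comes from the provider that discovery found.

```python
from html.parser import HTMLParser

# Constructed sample: a user-owned page (claimed identifier https://alice.example/)
# that delegates to a provider via OpenID 2.0 HTML-based discovery link tags.
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>Alice's home page</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href pairs from <link> tags; first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():  # rel may carry several tokens
                self.links.setdefault(token, href)


def discover(claimed_id, html):
    """Return (op_endpoint, claimed_id, local_id), or None if the page
    does not name a provider (a local_id alone is ignored)."""
    p = _LinkCollector()
    p.feed(html)
    op_endpoint = p.links.get("openid2.provider")
    if op_endpoint is None:
        return None
    # Without an explicit local_id the claimed identifier is used as-is.
    local_id = p.links.get("openid2.local_id", claimed_id)
    return op_endpoint, claimed_id, local_id


def assertion_matches_discovery(discovered, op_endpoint, claimed_id, identity):
    """Relying-party check: the endpoint, claimed_id and identity in a
    positive assertion must equal what discovery produced, so a provider
    cannot assert an identifier it was never delegated for."""
    exp_endpoint, exp_claimed, exp_local = discovered
    return (op_endpoint == exp_endpoint
            and claimed_id == exp_claimed
            and identity == exp_local)
```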

Let us know what you think about the story; email: ahoward@techtarget.com or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.

All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy