Open Identity Trust Frameworks: “We Need the Eggs”
Don Thibeau, Executive Director, OpenID Foundation (OIDF)
Drummond Reed, Executive Director, Information Card Foundation (ICF)

Topics
• Background
• Interop frameworks & trust frameworks
• The Open Identity Trust Model
• Next steps
We live in a world of “trust frameworks”
• Most are closed
  • Visa, MasterCard, AMEX credit card networks
  • Phone networks
  • ATM networks
• Some are open
  • Political, social, religious organizations
• Some are explicit (legal agreements)
• Some are implicit (social contracts)

So how did this get started?
• The U.S. government came to the OIDF and ICF in March and asked us to help put an open identity trust framework in place
• The mother of all use cases
• GSA ICAM relying party requirements:
  • Open (not just US citizens)
  • Explicit (legal documentation of certification to NIST levels of assurance)
  • Internet scale

So where are we now?
• See the first set of deliverables at IDmanagement.gov
  • Identity Scheme Adoption Process (ISAP)
  • Trust Framework Provider Adoption Process (TFPAP)
• Two open identity scheme profiles completed under the ISAP process

OpenID and InfoCard profiles
• OpenID LOA 1 profile is now implemented across tens of millions of OpenID accounts
  • Test/pilot infrastructure built
  • Multiple IdP implementations tested
  • Pilot customer (National Institutes of Health) with test site
• IMI Information Cards 1.0 profile covers LOA 1, 2, and non-PKI 3
So what’s next?
• How to best implement the profiles
• How to best implement the trust framework
[Diagram: Relying Parties (RPs) and Identity Providers (IdPs), connected through two layers: policy interop and technical interop]

Where trust frameworks fit
[Diagram: the Internet Identity Layer as a stack, with trust frameworks at the policy interoperability layer]
• Market Education
• Policy Interoperability (Trust Frameworks)
• Usability (User Experience Ceremonies)
• Technology Interoperability (Identity Protocols)
• Hardware Devices (Security Capabilities)
First principles
• Our first joint white paper established that an open, Internet-scale approach to trust frameworks must be:
  • Open to all IdPs and RPs
  • Open to any qualified assessor/auditor
  • Open to any qualified certification process (including audited self-certification)
  • Open to evolution and adaptation as the market changes

Key insights
• US ICAM trust policy requirements are the first of many
• In addition to Levels of Assurance (LOA) for IdPs, we also need Levels of Protection (LOP) for RPs
• A new legal entity might be the best option as the trust framework provider (TFP)

IIW insights
• Technical interop (identity scheme profiles) is a precondition to policy interop (trust profiles)
  • Technical interop listings drive adoption before a trust layer is required
  • Policy interop listings drive adoption where explicit trust is required
• Trust profiles can be implicit or explicit
  • Most OpenID logins today rely on implicit trust
  • US ICAM logins require an explicit trust framework
• Profiles can be reused at both layers
Open Identity Interop Framework
[Diagram: RPs, IdPs and User Agents listed against Technology Profiles in Interoperability Listings, with Policy Authorities (Gov’ts, edu’s, industry) alongside]
• Adoption enablers:
  • Predictability
  • Reliability
  • Implicit trust

Open Identity Framework
[Diagram: the interop framework above extended with a trust layer: Policy Profiles set by Policy Authorities (Gov’ts, edu’s, industry), Assessors/Auditors, Certification Agreements, and Certification Listings for RPs, IdPs and User Agents, on top of Interoperability Listings and Technology Profiles]
Why the Open Identity Trust Model?
• Adoption efficiency
• Openness/Transparency
• Credibility/Accountability
• User experience

Adoption efficiency
• The OIIF makes it easy for anyone of any size to ensure technical or policy interop with their choice of profiles
• Eliminates the n-squared problem of multi-lateral interop testing or trust agreements
  • Pairwise testing or agreements among n parties need on the order of n² relationships; certifying each party once against a shared profile needs n
  • Pairwise arrangements quickly become unwieldy for even a small number of IdPs and RPs
• Grows the market for everyone
• The “network effect for trust”
Openness/Transparency
• Properly implemented, the OITF provides an open, transparent process for Internet trust agreements
• Helps protect participants from collusion or antitrust concerns
• Enables trusted transactions within and between communities
• Anticipates cross-border data protection issues

Credibility/Accountability
• Each participant (trust community, IdP, RP, assessor) reinforces the credibility of the entire model
• Mutual accountability of all participants
• Enhanced by government participation
  • Gov’ts serve as the initial “trust anchors”

User experience
• Better interoperability improves the user experience of Internet identity
• A more consistent ceremony leads to lower login or transaction abandonment at RPs
• A consistent trust mark encourages user confidence

Why do this together?
• Cost efficiency
  • Lowers legal, design, and operations costs
  • Lowers overhead for assessors, IdPs, and RPs who need to be certified
• Process efficiency
  • Single entity for negotiation of MOAs with trust communities
  • Will attract other trust communities
• Effectiveness
  • 1+1=3

We want your feedback!
• We will be holding sessions here at IIW
• We will be publishing a new white paper shortly
• Contact either of us with questions or feedback: don@oidf.org, director@informationcard.net
• Tell us if your organization or trust community is interested