Don Thibeau, Executive Director, OpenID Foundation (OIDF) Drummond Reed, Executive Director, Information Card Foundation (ICF)

Upload: robert-preston

Post on 18-Jan-2018



TRANSCRIPT

Page 1:

Don Thibeau, Executive Director, OpenID Foundation (OIDF)

Drummond Reed, Executive Director, Information Card Foundation (ICF)

Page 2:

Background

The Open Identity Framework

How the OIF will drive adoption

Next steps

Page 3:

Most are closed
◦ Visa, MasterCard, AMEX credit card networks
◦ Phone networks
◦ ATM networks

Some are open
◦ Political, social, religious organizations

Some are explicit (legal agreements)

Some are implicit (social contracts)

Page 4:

In April, the U.S. government asked the OIDF and ICF to create a trust framework for OpenID and Information Cards
◦ This would enable U.S. government websites to begin accepting OpenID and Information Card credentials

GSA ICAM relying party requirements:
◦ Open (not just US citizens)
◦ Explicit (legal documentation of certification to NIST levels of assurance)
◦ Internet scale

Page 5:

See the first set of deliverables at IDmanagement.gov
◦ Identity Scheme Adoption Process (ISAP)
◦ Trust Framework Provider Adoption Process (TFPAP)

Two open identity scheme profiles completed under the ISAP process

Page 6:

OpenID LOA 1 profile is now implemented across tens of millions of OpenID accounts
◦ Test/pilot infrastructure built
◦ Multiple IdP implementations tested
◦ Pilot customer (National Institute of Health) with test site

IMI Information Cards 1.0 profile covers LOA 1, 2, and non-PKI 3

Page 7:

How to best implement the profiles

How to best implement the trust framework

[Diagram labels: Identity Providers (IdPs); Relying Parties (RPs); Policy interop; Technical interop]

Page 8:

In August, OIDF and ICF published a joint white paper saying an open, Internet-scale approach to trust frameworks must be:
◦ Open to any trust framework authority
◦ Open to all IdPs and RPs
◦ Open to any qualified assessor/auditor
◦ Open to any qualified certification process (including self-certification)
◦ Open to evolution and adaptation to market forces

Page 9:

An open Internet-scale trust framework must also:
◦ Offer both Levels of Assurance (LOA) for IdPs and Levels of Protection (LOP) for RPs
◦ Provide a means for dealing with liability
◦ Provide a simple, useful, scalable listing service
◦ Be open and transparent in its dealings, use public documents written in plain language, and provide frequent reports on all activities

Page 10:

The following slide shows the basic design reflecting the OIF principles

It illustrates the relationships between the four parties connected by OIF legal agreements
◦ The OIF TFP itself
◦ Auditors/assessors
◦ Identity providers
◦ Relying parties

Page 11:

[Diagram. Legend: Trust framework agreements; Optional direct agreements. Labels: Identity Providers (IdPs); Relying Parties (RPs); Users; Trust Framework Provider (the Open Identity Framework); auditors/assessors; trust framework authorities]

Page 12:

The OIF design explicitly supports two levels of interoperability
◦ Technical certification listings drive adoption before the trust layer is required
◦ Policy certification listings drive adoption where explicit trust is required

Self-certification and third-party certification are supported at both layers

Technical and policy requirements (“profiles”) can be reused at both layers

Page 13:

[Diagram labels: Identity Providers (IdPs); Relying Parties (RPs); Trust Framework Provider (the Open Identity Framework); auditors/assessors; trust framework authorities; Technical Certification Listings; Technical Interop Requirements]

Page 14:

[Diagram labels: Identity Providers (IdPs); Relying Parties (RPs); Trust Framework Provider (the Open Identity Framework); auditors/assessors; trust framework authorities; Technical Certification Listings; Policy Certification Listings; Policy Interop Requirements]

Page 15:

Efficiency

Openness/Transparency

Credibility/Accountability

User experience

Page 16:

The OIF makes it easy for anyone of any size to ensure technical or policy interop with their choice of profiles

Eliminates the n-squared problem of multi-lateral interop testing or trust agreements
◦ Quickly become unwieldy for even a small number of IdPs and RPs

Grows the market for everyone
◦ The “network effect for trust”

Page 17:

Properly implemented, the OITF provides an open, transparent process for trusted identity transactions
◦ Both within and between communities

Helps protect participants from collusion or anti-trust concerns

Anticipates cross-border data protection issues

Page 18:

Each participant (policy authority, IdP, RP, assessor/auditor) reinforces the credibility of the entire model

Mutual accountability of all participants

Enhanced by government participation
◦ Gov’ts serve as the initial “trust anchors”

Page 19:

Increased interoperability of Internet identity across websites

More consistent ceremony leads to lower login or transaction abandonment at RPs

Consistent trust mark raises user confidence

Page 20:

Cost efficiency
◦ Lower legal, design, and operations costs
◦ Lower overhead for assessors/auditors, IdPs, and RPs who need certification

Process efficiency
◦ Single entity for negotiation of MOAs with policy authorities

Effectiveness
◦ 1+1=3

Page 21:

Please contact either foundation with questions or comments

[email protected]@informationcard.net

Let us know if your organization is interested