[OpenID board] Update to BOD on NYC OpenID Content Provider Advisory Committee Seminar

Brett McDowell brett at projectliberty.org
Tue Sep 30 18:54:21 UTC 2008


To Brian and all members of the OpenID Board,

In regard to three specific identified issues/opportunities to pursue
in the near term that seem specifically relevant to the work of  
Liberty Alliance, I'd like to reiterate our interest in collaborating  
as follows...


On Sep 30, 2008, at 1:23 PM, Brian Kissel wrote:
> · Trust/Assurance – RPs want to know that they can rely on
> any given OP for user authentication and/or the corresponding end- 
> user data.  What are the mechanisms to achieve this?

If you haven't had the opportunity to read the Liberty Alliance  
Identity Assurance Framework (IAF), you might assume it is a SAML- 
specific framework, but that is not the case.  I have personally  
presented the IAF at the last two Internet Identity Workshops with a  
specific emphasis on how it relates to OP's building confidence with  
RP's.  We are rolling out an accreditation program where OP's could  
hire "Liberty accredited" assessors to perform audits of your IDM  
processes (much more than just technology practices, but inclusive of  
your technology practices) to the four levels of assurance.  This  
would allow OP's to have their "credential service" certified for  
reaching "Level of Assurance 1, 2, or 3... or 4 (if using a second  
hardware token, etc.)".  This then puts your RP's in the position of
only needing to understand what "level of assurance" they need to  
satisfy their internal risk analysis.  This is something Liberty  
Alliance is committed to growing awareness of and education of in the  
market.  We'd welcome OP's to join the ranks of PKI CA's and SAML  
IDP's in this common effort to promote "assurance" and thus increase  
deployments of all these technologies by RP's.  You can use me as the  
point of contact to learn more about this, but to review the framework  
itself see:

http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.1.pdf

>
> · Business rule templates for RP/OP and federated RP/RP
> interactions.  Suggested that the OIDF should come up with these,  
> akin to what Liberty and SAML provide.
>
Same offer to collaborate as stated above.

>
> · Trust/Assurance & Business Rules/Templates/Frameworks.
> This appeared to be a second order concern with UX and data  
> availability being the top issues, but will likely be the logical  
> next step whenever authentication assurance is required for more  
> sensitive transactions or richer data is being transferred.  Some  
> work has been done with PAPE and TX to head in this direction, but  
> there is still a lot more we need to do.  Several people from the  
> Liberty/SAML/WS-Fed camp have suggested benchmarking what these  
> organizations have developed to determine if we can create lighter  
> duty (and hopefully compatible) versions of their models that are  
> more appropriate for the OpenID ecosystem.  Not sure if there is an  
> existing committee that’s well positioned to address this (Tony  
> Nadalin and the Security Committee?) or whether another committee  
> should be formed for this.  But this is something that will need to  
> be addressed in short order after UX and data availability, and
> given the complexity of the issues, we probably need to get started  
> on it right away.  Any volunteers to come up with a recommended game  
> plan?

Same offer to collaborate as above, but this time from a "Data  
Portability Project" perspective (where I'm a Steering Committee
member) and "Project Concordia" which Liberty Alliance, Microsoft  
(representing Information Card technologies), and OpenID originally  
launched as a three-party initiative to get this kind of  
interoperability between the systems but over the past 15 months or so  
has evolved to mostly a SAML/WS-Fed oriented effort.  I can assure you  
that was only a consequence of the participants who were most  
interested in working on harmonization, not any sort of bias against  
OpenID.  Nothing would make us happier over at Project Concordia than  
seeing a bunch of OpenID OP's and/or RP's show up with use-cases along  
the lines of what Brian is alluding to (from what I can tell) in this
email.


Cheers,

|| Brett McDowell | Calendar | Blog | Profile | +1.413.652.1248