[OpenID board] Update to BOD on NYC OpenID Content Provider Advisory Committee Seminar
Brett McDowell
brett at projectliberty.org
Tue Sep 30 18:54:21 UTC 2008
To Brian and all members of the OpenID Board,
In regards to three specific identified issues/opportunities to pursue
in the near term that seem specifically relevant to the work of
Liberty Alliance, I'd like to reiterate our interest in collaborating
as follows...
On Sep 30, 2008, at 1:23 PM, Brian Kissel wrote:
> · Trust/Assurance – RPs want to know that they can rely on
> any given OP for user authentication and/or the corresponding end-
> user data. What are the mechanisms to achieve this?
If you haven't had the opportunity to read the Liberty Alliance
Identity Assurance Framework (IAF), you might assume it is a SAML-
specific framework, but that is not the case. I have personally
presented the IAF at the last two Internet Identity Workshops with a
specific emphasis on how it relates to OP's building confidence with
RP's. We are rolling out an accreditation program where OP's could
hire "Liberty accredited" assessors to perform audits of your IDM
processes (much more than just technology practices, but inclusive of
your technology practices) to the four levels of assurance. This
would allow OP's to have their "credential service" certified for
reaching "Level of Assurance 1, 2, or 3... or 4 (if using a second
hardware token, etc.)". This then puts your RP's in the position of
only needing to understand what "level of assurance" they need to
satisfy their internal risk analysis. This is something Liberty
Alliance is committed to growing awareness of and education of in the
market. We'd welcome OP's to join the ranks of PKI CA's and SAML
IDP's in this common effort to promote "assurance" and thus increase
deployments of all these technologies by RP's. You can use me as the
point of contact to learn more about this, but to review the framework
itself see:
http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.1.pdf
>
> · Business rule templates for RP/OP and federated RP/RP
> interactions. Suggested that the OIDF should come up with these,
> akin to what Liberty and SAML provide.
>
Same offer to collaborate as stated above.
>
> · Trust/Assurance & Business Rules/Templates/Frameworks.
> This appeared to be a second order concern with UX and data
> availability being the top issues, but will likely be the logical
> next step whenever authentication assurance is required for more
> sensitive transactions or richer data is being transferred. Some
> work has been done with PAPE and TX to head in this direction, but
> there is still a lot more we need to do. Several people from the
> Liberty/SAML/WS-Fed camp have suggested benchmarking what these
> organizations have developed to determine if we can create lighter
> duty (and hopefully compatible) versions of their models that are
> more appropriate for the OpenID ecosystem. Not sure if there is an
> existing committee that’s well positioned to address this (Tony
> Nadalin and the Security Committee?) or whether another committee
> should be formed for this. But this is something that will need to
> be addressed in short order after UX and data availability, and
> given the complexity of the issues, we probably need to get started
> on it right away. Any volunteers to come up with a recommended game
> plan?
Same offer to collaborate as above, but this time from a "Data
Portability Project" perspective (where I'm a Steering Committee
member) and "Project Concordia" which Liberty Alliance, Microsoft
(representing Information Card technologies), and OpenID originally
launched as a three-party initiative to get this kind of
interoperability between the systems but over the past 15 months or so
has evolved to mostly a SAML/WS-Fed oriented effort. I can assure you
that was only a consequence of the participants who were most
interested in working on harmonization, not any sort of bias against
OpenID. Nothing would make us happier over at Project Concordia than
seeing a bunch of OpenID OP's and/or RP's show up with use-cases along
the lines of what Brian is alluding to (from what I can tell) in this
email.
Cheers,
|| Brett McDowell | Calendar | Blog | Profile | +1.413.652.1248