[OpenID board] OIDF ED Update: OpenID and the US NIST Next Steps
Don Thibeau (OIDF ED)
don at oidf.org
Fri Apr 9 17:57:47 UTC 2010
OIDF board members have interacted with the US NIST on a variety of topics
over the years. For example, last year several IdPs collaborated and
published a best practices document for CAPTCHA, which NIST used with regard
to their ongoing study of online identity proofing. At NIST's request, two
days ago Eric Sachs and I briefed the NIST Board on the latest developments with
OpenID, OIX, etc. My notes for that briefing are below:
National Strategy for Secure Online Transactions
There is an ongoing dialogue between the OpenID Foundation and Open Identity
Foundation (OIX) and the White House team drafting the National Strategy for
Secure Online Transactions. The current White House draft calls for a
"national trust framework" as one of several initiatives. One OIX objective
is to provide the strategy team further information on the role OIX can play
as a neutral, nonprofit "utility" for the certification of participants in
multiple trust frameworks for both internet and phone channels in the US and
international markets. OIX is importantly differentiated by the board-level
representation of companies that enable secure online transaction services
as a core competency of their business operations on a global scale for
hundreds of millions of users on a daily basis.
The Open Identity Exchange (OIX)
The OpenID Foundation and ICF, together with companies like Google, PayPal,
Equifax and others, helped found the OIX. The most important aspect to
understand about the model OIX is following (which is explained in detail
in the Open Identity Trust Framework Model white paper,
http://www.openidentityexchange.org/sites/default/files/the-open-identity-trust-framework-model-2010-03.pdf)
is that it is not necessary for the US or any government to amend or
adapt its identity framework to work with OIX. Rather, it is a matter of OIX
working with the GSA ICAM and other government agencies to simply turn their
requirements into an OIX trust framework. This was a lightweight process we
went through with ICAM in the US. Once they understood that "their trust
framework was our trust framework", it was easy to complete the process.
Unlike the other pre-existing trust frameworks developed by third parties
outside the government, OIX does not have its own "native" trust framework
to which others must map their requirements.
OpenID and NIST related information
There are two tracks. One is the E-Authentication Risk Assessment, based on
OMB-04-04 and relating directly to the NIST levels:
http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf
The requirements for implementation are found in:
http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf
There is also OMB Circular A-130:
http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/
The GSA provides assessment tools for agencies reporting at:
http://www.idmanagement.gov/drilldown.cfm?action=era
As John Bradley outlined at the OpenID Technology Summit this week, the
OMB-04-04 and the risk assessment allow the RP to collect the information,
but lay out what security requirements are required for the protection of
that information, including the strength of the credentials. Then on the
privacy side we deal with the Privacy Act of 1974 and the E-Government Act
of 2002. This requires agencies to have systems of record, so that people
can make requests under the Privacy Act for information about them.
Eric and I noted that there likely will be multiple levels of identity
proofing, one of which would be in-person, like what Verizon could do, and
another would be online verification of credit card information or phone #,
such as PayPal/Google/Yahoo/etc. could do. I will be representing the OIDF
at the IDTrust 2010 workshop, which will be held at NIST in Gaithersburg MD, US
on April 13-15 2010. NIST will announce today (Friday) that ANSI/NASPO are
starting a project to define standards for identity proofing:
http://www.naspo.info/ I plan to keep an eye on how it progresses and
update the board.
From: Don Thibeau
Sent: Monday, April 05, 2010 6:18 PM
Subject: Information Security and Privacy Advisory Board Meeting Agenda for April 7-9, 2010
When: Wednesday, April 07, 2010 6:30 PM-7:00 PM (GMT-05:00) Eastern Time (US & Canada).
Where:
------------
From: Bowen, Pauline [pauline.bowen at nist.gov]
Sent: Monday, April 05, 2010 4:27 PM
To: Eric Sachs; don at oidf.org; Newton, Elaine M.
Subject: Information Security and Privacy Advisory Board Meeting Agenda for April 7-9, 2010
Attachments: ISPAB Meeting Agenda 2010-040710.doc; Directions to Washington Marriott Wardman Park.doc
1:30 P.M. - 2:30 P.M.
NIST Update on FY10 Activities
Patrick Gallagher, NIST Director
2:30 P.M. -3:30 P.M.
OMB Update/Metrics
Vivek Kundra, Federal CIO, OMB
3:30 P.M. - 4:30 P.M.
OpenID
Elaine Newton, NIST
Don Thibeau, Executive Director, The OpenID Foundation
Eric Sachs, Google
Don Thibeau
don at OIDF.org
Executive Director
The OpenID Foundation
http://openid.net