[OpenID board] OIDF ED Update: OpenID and the US NIST Next Steps

Don Thibeau (OIDF ED) don at oidf.org
Fri Apr 9 17:57:47 UTC 2010


OIDF board members have interacted with The US NIST on a variety of topics
over the years. For example, last year ago several IdPs collaborated and
published a best practices document for CAPTCHA, that NIST used with regard
to their ongoing study of online identity proofing.  At NIST's request, two
days ago Eric Sachs and I briefed the NIST Board on latest developments with
OpenID, OIX, etc. My notes for that briefing are below:

National Strategy for Secure Online Transactions

There is an ongoing dialogue between the OpenID Foundation and Open Identity
Foundation (OIX) and the White House team drafting the National Strategy for
Secure Online Transactions. The current White House draft calls for a
"national trust framework" as one of several initiatives. One OIX objective
is to provide the strategy team further information on the role OIX can play
as a neutral, nonprofit "utility" for the certification of participants in
multiple trust frameworks for both internet and phone channels in the US and
international markets.  OIX is importantly differentiated by the board level
representation of companies that enable secure online transaction services
as a core competency of their business operations on a global scale for
hundreds of millions users on a daily basis.  

The Open Identity Exchange OIX

The OpenID Foundation and ICF, together with companies like Google, PayPal,
Equifax and others help found the OIX.  The most important aspect to
understand about the model OIX is following (which is explained in detailed
in the
<http://www.openidentityexchange.org/sites/default/files/the-open-identity-t
rust-framework-model-2010-03.pdf> Open Identity Trust Framework Model white
paper) is that it is not necessary for the US or any government to amend or
adapt its identity framework to work with OIX. Rather it is a matter of OIX
working with the GSA ICAM and other government agencies to simply turn their
requirements into an OIX trust framework.  This was lightweight process we
went through with ICAM in the US. Once they understood that "their trust
framework was our trust framework", it was easy to complete the process.
Unlike the other pre-existing trust frameworks developed by third parties
outside the government, OIX does not have its own "native" trust framework
to which others must map their requirements. 

 OpenID and NIST related information 

There are two tracks one is the E-Authentication Risk Assessment based on
OMB-04-04 and relating directly to the NIST levels;
<http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf>
http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf  The requirements
for implementation are found in:
<http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf>
http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf  There is
OMB Circular A-130
<http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/>
http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/  The GSA provides
assessment tools for agencies reporting at:
<http://www.idmanagement.gov/drilldown.cfm?action=era>
http://www.idmanagement.gov/drilldown.cfm?action=era

AS John Bradley outlined at the OpenID Technology Summit this week, the
OMB-04-04 and the risk assessment allow the RP to collect the information,
but lays out what security requirements are required for the protection of
that information including the strength of the credentials. Then on the
privacy side we deal with the privacy act of 1974 and the E-Government act
of 2002. This requires agencies to have systems of record, so that people
can make requests under the Privacy Act for information about them.  

Eric and I noted that there likely will be multiple levels of identity
proofing, one of which would be in-person like what Verizon could do, and
another would be online verification of credit card information or phone #
such as PayPal/Google/Yahoo/etc. could do.  I will be representing the OIDF
at the IDTrust 2010 workshop is will be held at NIST in Gaithersburg MD, US
on April 13-15 2010. NIST will announce today Friday that ANSI/NASPO are
starting a project to define standards for identity proofing.
http://www.naspo.info/  I plan to keep an eye on how it progresses, and
update the board. 

 

 

From: Don Thibeau 
Sent: Monday, April 05, 2010 6:18 PM
Subject: Information Security and Privacy Advisory Board Meeting Agenda for
April 7-9, 2010
When: Wednesday, April 07, 2010 6:30 PM-7:00 PM (GMT-05:00) Eastern Time (US
& Canada).
Where: 

 

 

 

------------

From:                                         Bowen, Pauline
[pauline.bowen at nist.gov]

Sent:                                           Monday, April 05, 2010 4:27
PM

To:                                               Eric Sachs; don at oidf.org;
Newton, Elaine M.

Subject:                                     Information Security and
Privacy Advisory Board Meeting Agenda for April 7-9, 2010

Attachments:                          ISPAB Meeting Agenda 2010-040710.doc;
Directions to Washington Marriott Wardman Park.doc

 

 

 


1:30 P.M. - 2:30 P.M.

NIST Update on FY10 Activities

Patrick Gallagher, NIST Director 

 


 2:30 P.M. -3:30 P.M.

 

OMB Update/Metrics

Vivek Kundra, Federal CIO, OMB 

 


 3:30 P.M. - 4:30 P.M.

OpenID

Elaine Newton, NIST

Don Thibeau, Executive Director, The OpenID Foundation

Eric Sachs, Google

 

 

Don Thibeau

don at OIDF.org

Executive Director

The OpenID Foundation

 <http://openid.net> http://openid.net

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-board/attachments/20100409/355ce5ac/attachment.htm>


More information about the board mailing list