<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">To Brian and all members of the OpenID Board,<div><br></div><div>In regards to three specific identified issues/opportunities to pursue in the near term that seem specifically relevant to the work of Liberty Alliance, I'd like to reiterate our interest in collaborating as follows...</div><div><div apple-content-edited="true"><div><div><br></div> </div> </div><br><div><div>On Sep 30, 2008, at 1:23 PM, Brian Kissel wrote:</div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-family: Symbol; "><span>·<span style="font: normal normal normal 7pt/normal 'Times New Roman'; "> <span class="Apple-converted-space"> </span></span></span></span><b>Trust/Assurance</b><span class="Apple-converted-space"> </span>– RPs want to know that they can rely on any given OP for user authentication and/or the corresponding end-user data. What are the mechanisms to achieve this?</div></div></div></span></blockquote><div><br></div><div>If you haven't had the opportunity to read the Liberty Alliance Identity Assurance Framework (IAF), you might assume it is a SAML-specific framework, but that is not the case. I have personally presented the IAF at the last two Internet Identity Workshops with a specific emphasis on how it relates to OP's building confidence with RP's. We are rolling out an accreditation program where OP's could hire "Liberty accredited" assessors to perform audits of your IDM processes (much more than just technology practices, but inclusive of your technology practices) to the four levels of assurance. This would allow OP's to have their "credential service" certified for reaching "Level of Assurance 1, 2, or 3... or 4 (if using a second hardware token, etc."). This then puts your RP's in the position of only needing to understand what "level of assurance" they need to satisfy their internal risk analysis. This is something Liberty Alliance is committed to growing awareness of and education of in the market. We'd welcome OP's to join the ranks of PKI CA's and SAML IDP's in this common effort to promote "assurance" and thus increase deployments of all these technologies by RP's. You can use me as the point of contact to learn more about this, but to review the framework itself see:</div><div><br></div><div><a href="http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.1.pdf">http://www.projectliberty.org/liberty/content/download/4315/28869/file/liberty-identity-assurance-framework-v1.1.pdf</a></div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></div><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><font class="Apple-style-span" face="Symbol"><br></font></div><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-family: Symbol; "><span>·<span style="font: normal normal normal 7pt/normal 'Times New Roman'; "> <span class="Apple-converted-space"> </span></span></span></span><b>Business rule templates</b><span class="Apple-converted-space"> </span>for RP/OP and federated RP/RP interactions. Suggested that the OIDF should come up with these, akin to what Liberty and SAML provide.<o:p></o:p></div><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><font class="Apple-style-span" face="Symbol"><br></font></div></div></div></span></blockquote><div>Same offer to collaborate as stated above.</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1"><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0.5in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-family: Symbol; "><span>·<span style="font: normal normal normal 7pt/normal 'Times New Roman'; "> <span class="Apple-converted-space"> </span></span></span></span><b>Trust/Assurance & Business Rules/Templates/Frameworks. <span class="Apple-converted-space"> </span></b>This appeared to be a second order concern with UX and data availability being the top issues, but will likely be the logical next step whenever authentication assurance is required for more sensitive transactions or richer data is being transferred. Some work has been done with PAPE and TX to head in this direction, but there is still a lot more we need to do. Several people from the Liberty/SAML/WS-Fed camp have suggested benchmarking what these organizations have developed to determine if we can create lighter duty (and hopefully compatible) versions of their models that are more appropriate for the OpenID ecosystem. Not sure if there is an existing committee that’s well positioned to address this (Tony Nadalin and the Security Committee?) or whether another committee should be formed for this. But this is something that will need to be addresses in short order after UX and data availability, and given the complexity of the issues, we probably need to get started on it right away. Any volunteers to come up with a recommended game plan?</div></div></div></span></blockquote><div><br></div><div>Same offer to collaborate as above, but this time from a "Data Portablility Project" perspective (where I'm a Steering Committee member) and "Project Concordia" which Liberty Alliance, Microsoft (representing Information Card technologies), and OpenID originally launched as a three-party initiative to get this kind of interoperability between the systems but over the past 15 months or so has evolved to mostly a SAML/WS-Fed oriented effort. I can assure you that was only a consequence of the participants who were most interested in working on harmonization, not any sort of bias against OpenID. Nothing would make us happier over at Project Concordia than seeing a bunch of OpenID OP's and/or RP's show up with use-cases along the lines of what Brian is eluding to (from what I can tell) in this email.</div><div><br></div><div><br></div><div>Cheers,</div><div><br></div><div>|| Brett McDowell | <a href="http://ical.me.com/brett.mcdowell/FreeBusy">Calendar</a> | <a href="http://www.brettmcdowell.com/Brett_McDowell/WorkBlog/WorkBlog.html">Blog</a> | <a href="http://www.linkedin.com/in/brettmcdowell">Profile</a> | +1.413.652.1248</div></div></div></body></html>