<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:System;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>OIDF board members have interacted with the US NIST on a
variety of topics over the years. For example, last year several IdPs collaborated
and published a best practices document for CAPTCHA, which NIST used in
their ongoing study of online identity proofing. At NIST’s
request, two days ago Eric Sachs and I briefed the NIST Board on the latest developments
with OpenID, OIX, etc. My notes for that briefing are below:<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>National
Strategy for Secure Online Transactions</b><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>There
is an ongoing dialogue between the OpenID Foundation and Open Identity
Foundation (OIX) and the White House team drafting the National Strategy for
Secure Online Transactions. The current White House draft calls for a
“national trust framework” as one of several initiatives. One OIX
objective is to provide the strategy team further information on the role OIX
can play as a neutral, nonprofit “utility” for the certification of
participants in multiple trust frameworks for both internet and phone channels
in the US and international markets. OIX is importantly differentiated by
the board-level representation of companies that enable secure online
transaction services as a core competency of their business operations on a
global scale for hundreds of millions of users on a daily basis. <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>The
Open Identity Exchange (OIX)</b><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The
OpenID Foundation and ICF, together with companies like Google, PayPal, Equifax
and others, helped found the OIX. The most important aspect to understand
about the model OIX is following (which is explained in detail in the <a
href="http://www.openidentityexchange.org/sites/default/files/the-open-identity-trust-framework-model-2010-03.pdf"
target="_blank"><span style='color:windowtext'>Open Identity Trust Framework
Model</span></a> white paper) is that it is not necessary for the US or any
government to amend or adapt its identity framework to work with OIX. Rather, it
is a matter of OIX working with the GSA ICAM and other government agencies to
simply turn their requirements into an OIX trust framework. This was a lightweight
process we went through with ICAM in the US. Once they understood that
"their trust framework was our trust framework", it was easy to
complete the process. Unlike the other pre-existing trust frameworks developed
by third parties outside the government, OIX does not have its own "native"
trust framework to which others must map their requirements. <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>OpenID
and NIST related information<o:p></o:p></b></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>There
are two tracks. One is the E-Authentication Risk Assessment, based on OMB-04-04
and relating directly to the NIST levels: <a
href="http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf" target="_blank"><span
style='color:windowtext'>http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf</span></a>.
The requirements for implementation are found in <a
href="http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf"
target="_blank"><span style='color:windowtext'>http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf</span></a>.
There is also OMB Circular A-130: <a
href="http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/" target="_blank"><span
style='color:windowtext'>http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/</span></a>.
The GSA provides assessment tools for agencies reporting at <a
href="http://www.idmanagement.gov/drilldown.cfm?action=era" target="_blank"><span
style='color:windowtext'>http://www.idmanagement.gov/drilldown.cfm?action=era</span></a>.<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>As
John Bradley outlined at the OpenID Technology Summit this week, OMB-04-04
and the risk assessment allow the RP to collect the information, but lay out
what security requirements are required for the protection of that information,
including the strength of the credentials. Then on the privacy side we deal
with the Privacy Act of 1974 and the E-Government Act of 2002. This requires
agencies to have systems of record, so that people can make requests under the
Privacy Act for information about them. <span style='color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Eric and I noted that there
likely will be multiple levels of identity proofing, one of which would be
in-person, like what Verizon could do, and another would be online verification
of credit card information or phone number, such as PayPal/Google/Yahoo/etc. could do.
I will be representing the OIDF at the IDTrust 2010 workshop, which will be held at
NIST in Gaithersburg, MD, US on April 13-15, 2010. NIST will announce today (Friday)
that ANSI/NASPO are starting a project to define standards for identity
proofing: <a href="http://www.naspo.info/">http://www.naspo.info/</a>. I
plan to keep an eye on how it progresses, and update the board. <o:p></o:p></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Don Thibeau <br>
<b>Sent:</b> Monday, April 05, 2010 6:18 PM<br>
<b>Subject:</b> Information Security and Privacy Advisory Board Meeting Agenda
for April 7-9, 2010<br>
<b>When:</b> Wednesday, April 07, 2010 6:30 PM-7:00 PM (GMT-05:00) Eastern Time
(US & Canada).<br>
<b>Where:</b> <o:p></o:p></span></p>
<p class=MsoNormal style='text-autospace:none'><b><span style='font-size:10.0pt;
font-family:"System","sans-serif"'>------------<o:p></o:p></span></b></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;text-autospace:
none'><b><span style='color:black'>From: </span></b><span
style='color:black'>Bowen, Pauline [pauline.bowen@nist.gov]<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;text-autospace:
none'><b><span style='color:black'>Sent: </span></b><span
style='color:black'>Monday, April 05, 2010 4:27 PM<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;text-autospace:
none'><b><span style='color:black'>To: </span></b><span
style='color:black'>Eric Sachs; <a href="mailto:don@oidf.org">don@oidf.org</a>;
Newton, Elaine M.<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;text-autospace:
none'><b><span style='color:black'>Subject: </span></b><span
style='color:black'>Information Security and Privacy Advisory Board Meeting
Agenda for April 7-9, 2010<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:120.0pt;text-indent:-120.0pt;text-autospace:
none'><b><span style='color:black'>Attachments: </span></b><span
style='color:black'>ISPAB Meeting Agenda 2010-040710.doc; Directions to
Washington Marriott Wardman Park.doc<o:p></o:p></span></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=638
style='width:6.65in;border-collapse:collapse'>
<tr style='height:30.15pt'>
<td width=169 valign=top style='width:126.9pt;padding:0in 5.4pt 0in 5.4pt;
height:30.15pt'>
<p class=MsoNormal style='margin-top:2.0pt;text-autospace:none'>1:30 P.M. –
2:30 P.M.<o:p></o:p></p>
</td>
<td width=469 style='width:351.9pt;padding:0in 5.4pt 0in 5.4pt;height:30.15pt'>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'><b><i>NIST Update on FY10 Activities</i></b><b><i><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></i></b></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'>Patrick Gallagher, NIST Director <b><i><o:p></o:p></i></b></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in;text-autospace:none'><span
style='font-size:12.0pt'><o:p> </o:p></span></p>
</td>
</tr>
<tr>
<td width=169 valign=top style='width:126.9pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal style='margin-top:1.0pt'>2:30 P.M. – 3:30 P.M.<span
style='font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
</td>
<td width=469 style='width:351.9pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'><b><i>OMB Update/Metrics</i></b><b><i><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></i></b></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'>Vivek <span lang=IT>Kundra, Federal CIO,
OMB</span><b><span lang=IT> </span></b><b><o:p></o:p></b></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in;text-autospace:none'><o:p> </o:p></p>
</td>
</tr>
<tr>
<td width=169 valign=top style='width:126.9pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal style='margin-top:1.0pt;text-autospace:none'>3:30 P.M. – 4:30 P.M.<span style='color:blue'><o:p></o:p></span></p>
</td>
<td width=469 style='width:351.9pt;padding:0in 5.4pt 0in 5.4pt'>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'><b><i>OpenID</i></b><b><i><span
style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></i></b></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in'>Elaine Newton, NIST<o:p></o:p></p>
<p class=MsoNormal>Don Thibeau, Executive Director, The OpenID Foundation<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:2.0pt;margin-right:0in;
margin-bottom:2.0pt;margin-left:0in;text-autospace:none'>Eric Sachs, Google<span
style='font-size:12.0pt'><o:p></o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal><i><span style='color:#1F497D'>Don Thibeau<o:p></o:p></span></i></p>
<p class=MsoNormal><i><span style='color:#1F497D'>don@OIDF.org<o:p></o:p></span></i></p>
<p class=MsoNormal>Executive Director<o:p></o:p></p>
<p class=MsoNormal>The OpenID Foundation<o:p></o:p></p>
<p class=MsoNormal><a href="http://openid.net"><span style='color:blue'>http://openid.net</span></a><o:p></o:p></p>
</div>
</body>
</html>