[OpenID] OpenID + Government

Troy Benjegerdes hozer at hozed.org
Tue Aug 11 05:07:10 UTC 2009


One of my 'identities' is 'troy at scl.ameslab.gov', and I would second the
idea of responding to the trust framework documents. (The other,
hozer at hozed.org has a longer history on open source mailing lists,
like the MIT kerberos list. This also makes it clear these are my
personal views, and not anything related to my current employer.)

There are also two more critically important aspects here that need to be
considered:

1) distributed Federal OpenID servers. There should NEVER be any attempt
to propose a single OpenID server for all federal users. Even though it might
be open source, and an open standard, the whole point of OpenID is distributed
authentication. It will fall apart over bureaucratic jurisdiction squabbling,
and be a horrible security idea. Oh, and I'm not a fed, I'm a contractor.. 
do you give contractors the same identity as federal employees? I think
that would be unwise.

2) Integration of OpenID with open-source Kerberos, and strong two-factor
authentication.  Many of the DOE national labs have had a long history of
using, developing, and supporting the Kerberos authentication protocol for
access to UNIX-like systems, and in some cases Windows systems via
interoperability with Active Directory (which uses the same standard protocols
as the open source MIT kerberos). OpenID *can* be integrated with a Kerberos
system (it took my co-worker something like 15 minutes to find a quick working
version based on an open source PHP openID library). But integration and
functionality is not the same as strong, well developed security. Wouldn't
it be great if 300 lines of easily formally-verifiable code could link
with a single-sign-on Kerberos system, and provide an OpenID server, instead
of relying on hundreds of thousands of lines of code in Apache?


** footnote:
Information on the Kerberos/LDAP infrastructure I am familiar with is at:
http://www.scl.ameslab.gov/Projects/Infrastructure/scl-ad.html


On Mon, Aug 10, 2009 at 06:33:27PM -0700, Chris Messina wrote:
> The opportunity is to respond directly to the documents that describe the
> Identity/Trust Frameworks:
> http://www.idmanagement.gov/documents/TrustFrameworkProviderAdoptionProcess.pdf
> http://www.idmanagement.gov/documents/IdentitySchemeAdoptionProcess.pdf
> http://www.idmanagement.gov/documents/PIV_IO_NonFed_Issuers_May2009.pdf
> 
> If you would like to make your views known, those which respond
> *specifically* to this document are likely to have the most impact.
> 
> Chris
> 
> On Mon, Aug 10, 2009 at 6:28 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> 
> > "My proposal called on the federal government to run an OpenID server for
> > all its agencies, mostly because I want the government to kick the habit of
> > using commercial services for such essential information-age functions. (See
> > my earlier blogs, Five projects for Open Source for America<
> > http://broadcast.oreilly.com/2009/07/five-projects-for-open-source.html>
> > and themes from the Personal Democracy Forum conference<
> > http://radar.oreilly.com/2009/06/personal-democracy-forum-confe.html#miscellaneous
> > >."
> >
> > Michael S. Baum, Federal Certification Authority Liability and Policy
> > 263-67 (1994).
> >
> > http://www.verisign.com/repository/pubs/fca_liability.pdf
> >
> > ________________________________
> > From: openid-general-bounces at lists.openid.net [
> > openid-general-bounces at lists.openid.net] On Behalf Of Chris Messina [
> > chris.messina at gmail.com]
> > Sent: Monday, August 10, 2009 5:41 PM
> > To: OpenID List
> > Subject: [OpenID] OpenID + Government
> >
> > Well, I think the newscycles were tapped out with Facebook acquiring
> > FriendFeed and launching real-time search as well as Google launching a new
> > version of their search engine, but there was an important meeting in
> > Washington today and ReadWriteWeb got the story:
> >
> >
> > http://www.readwriteweb.com/archives/us_government_reviewing_openid_to_log_in_to_some_g.php
> >
> > Chris
> >
> > --
> > Chris Messina
> > Open Web Advocate
> >
> > Personal site: http://factoryjoe.com
> > Twitter: http://twitter.com/chrismessina
> >
> > Diso Project: http://diso-project.org
> > OpenID Foundation: http://openid.net
> >
> > This email is:   [ ] bloggable    [X] ask first   [ ] private
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
> >
> 
> 
> 
> -- 
> Chris Messina
> Open Web Advocate
> 
> Personal site: http://factoryjoe.com
> Twitter: http://twitter.com/chrismessina
> 
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
> 
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general


-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer at hozed.org  

Unless hours were cups of sack, and minutes capons, and clocks the tongues
of bawds, and dials the signs of leaping houses, and the blessed sun himself
a fair, hot wench in flame-colored taffeta, I see no reason why thou shouldst
be so superfluous to demand the time of the day.  I wasted time and now doth
time waste me.                        -- William Shakespeare

