[OpenID] OpenID + Government
Peter Williams
pwilliams at rapattoni.com
Tue Aug 11 16:56:18 UTC 2009
If I conjecture a little, this does all start to make sense; and the planning and lobbying perhaps goes back at least 2 years on this.
I wondered why both Google and Microsoft were retaining/creating support for SAML2, in the RP role. It may well be _because_ SAML2 is being given a carve out - that allows only the SAML2 authnreq protocol to project physical presence (i.e. only will a certified SAML2 IDP be accredited for validly asserting a terminal's verification of PIV-II card presence, at a trusted/keyed reader associated with the IDP's network).
If we make that assumption, it would explain the provision to completely exclude Openid and infocards protocols (by accreditation policy design) from projecting PIV-II's physical presence claim.
This WOULD be in line with the thinking of the Liberty folks, a year or more ago - in which they desperately wanted openid/infocard to be reduced "by policy fiat" to serving the low-assurance marketplace ("online identities" accessing assets of little or no value), preserving their major investments in SAML2 for "> LOA1" transactions. They don't seem to have got exactly that built into the (unstated) implications of the rules, but they may have wrangled an exclusive on the signalling of PIV-II, when used in its _physical_ (vs _logical_) access control role.
________________________________________
From: openid-general-bounces at lists.openid.net [openid-general-bounces at lists.openid.net] On Behalf Of Peter Williams [pwilliams at rapattoni.com]
Sent: Tuesday, August 11, 2009 9:30 AM
To: J. Trent Adams; Chris Messina
Cc: OpenID List
Subject: Re: [OpenID] OpenID + Government
"That draft includes requirements that OpenID or related Info Card identities not be used to authenticate people who are physically present (it's just for remote online access), "
given an openid is controlled by the user (not the provider), how can any one provider assure the govt of this?
The whole point of openid (in contrast to incommon's version of SAML2, say) is that the identity is controlled by the user. If Google suspends or terminates the relationship with a given user today (because Google claims the user violated their terms of service), the user HAS to have the means to access his/her Plaxo RP account -- with no additional steps.
I'm going to guess that for any complying provider, they will have to disable support for openid delegation, which allows one openid to be used (a) in compliance with the draft requirements (when yahoo is the TSP-certified OP selected by a .gov website), and (b) not in compliance (when some non-certified OP "testing for and claiming physical presence" is the OP selected by some other, non .gov website).
Since the architecture allows any 1 id through delegation to be different things to different assertion consumers, the only way for Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS SUPPORT FOR OPENID DELEGATION (which google has already done, apparently).
We seem to be rapidly losing what openid is/was all about: user empowerment and control.
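As an added illustration of the delegation mechanism discussed above (example code written for this archive, not code from the OpenID project or the list participants): with OpenID 2.0 HTML-based discovery, the identifier page itself names the OP endpoint and local id, so the relying party, not the OP, resolves which provider a given identifier maps to, and any "accredited OP only" rule has to be enforced at the RP. All URLs and the accredited list are constructed placeholders.

```python
"""Constructed example: OpenID 2.0 HTML discovery of a delegated identifier,
plus an RP-side check that the discovered OP endpoint is on an accredited list.
Every URL and host name below is a made-up placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs from an identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel.lower(), a.get("href"))


def discover(html):
    """Return (op_endpoint, local_id) as an RP would after HTML discovery.
    OpenID 2.0 link names are tried first, then the OpenID 1.x names.
    local_id is None when the page does not delegate to a separate local id."""
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id")
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate")
    return None, None


def accept_op(op_endpoint, accredited_hosts):
    """RP policy: accept only an HTTPS endpoint whose host is on the
    RP's own accredited list (a constructed list, not a real registry)."""
    if op_endpoint is None:
        return False
    u = urlsplit(op_endpoint)
    return u.scheme == "https" and u.hostname in accredited_hosts


# Constructed identifier page: the same URL can be re-pointed at any OP
# simply by editing these two hrefs, which is the delegation property at issue.
IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/openid/server">
<link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>alice's identifier page</body></html>"""

ACCREDITED = {"op.example.net"}  # constructed allowlist for this RP

if __name__ == "__main__":
    endpoint, local_id = discover(IDENTIFIER_PAGE)
    print(endpoint, local_id, accept_op(endpoint, ACCREDITED))
```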
________________________________________
From: openid-general-bounces at lists.openid.net [openid-general-bounces at lists.openid.net] On Behalf Of J. Trent Adams [jtrentadams at gmail.com]
Sent: Tuesday, August 11, 2009 7:48 AM
To: Chris Messina
Cc: OpenID List
Subject: Re: [OpenID] OpenID + Government
All -
The event went well, and was good to see OpenID, InfoCard, Kantara, and
InCommon working together with Protivity on behalf of the GSA/ICAM
initiative.
While the combined representatives were well-prepared for most questions
raised, there were a couple of sticking points that would be good to
focus some energy on moving forward:
1. Protection against unintended self-exposure.
2. Protection against masquerading.
3. Usability issues relating to LOA 1 vs LOA > 1
Since there's not a lot that the technology can really do with the first
issue, it might make sense to focus on how the TFP applicants could
address this issue during accreditation. Similarly dodgy is
masquerading, though there might be a creative way to layer in an
assertion of one's identity should they wish to publicly claim it. I
believe Chris Louden will be taking these points back to his group, but
if anyone has suggestions I'm sure they'd be well accepted.
More prosaically, we all know about the usability issues. To date,
though, we've been focused primarily on how to improve adoption/use of
OpenID in isolation. The concerns raised in the room were more akin to
how users can be guided along their interactions when they need to shift
from OpenID to something with a higher LOA (when the discussions move in
that direction). This was a heated topic with no clear path for
resolution in the meeting.
Finally, it was interesting to note that Protivity is only recommending
that OpenID 2.0 be supported in conjunction with this project. Perhaps
adoption of 2.0 will be spurred on by this requirement.
Cheers,
Trent
Chris Messina wrote:
> Well, I think the newscycles were tapped out with Facebook acquiring
> FriendFeed and launching real-time search as well as Google launched a
> new version of their search engine, but there was an important meeting
> in Washington today and ReadWriteWeb got the story:
>
> http://www.readwriteweb.com/archives/us_government_reviewing_openid_to_log_in_to_some_g.php
>
> Chris
>
> --
> Chris Messina
> Open Web Advocate
>
> Personal site: http://factoryjoe.com
> Twitter: http://twitter.com/chrismessina
>
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is: [ ] bloggable [X] ask first [ ] private
> ------------------------------------------------------------------------
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
--
J. Trent Adams
=jtrentadams
Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams