[OpenID] OpenID + Government
David Recordon
david at sixapart.com
Tue Aug 11 17:21:57 UTC 2009
Hey Peter,
Having been directly in a number of government conversations this
year, I think you're reading a bit too much into the history. There
are a number of Federal Agencies within the US Government who are
already using OpenID or very interested in adopting OpenID for sign in
to their services. That isn't to say that OpenID as a technology
fully solves every use case today, but there are many where, with
forethought around security and privacy, OpenID fits quite nicely.
--David
On Aug 11, 2009, at 9:56 AM, Peter Williams wrote:
> If I conjecture a little, this does all start to make sense; and the
> planning and lobbying perhaps goes back at least 2 years on
> this.
>
> I wondered why both Google and Microsoft were retaining/creating
> support for SAML2, in the RP role. It may well be _because_ SAML2
> is being given a carve out - that allows only the SAML2 authnreq
> protocol to project physical presence (i.e. only a certified
> SAML2 IDP will be accredited for validly asserting a terminal's
> verification of PIV-II card presence, at a trusted/keyed reader
> associated with the IDP's network).
>
> If we make that assumption, it would explain the provision to
> completely exclude Openid and infocards protocols (by accreditation
> policy design) from projecting PIV-II's physical presence claim.
>
> This WOULD be in line with the thinking of the Liberty folks, a year
> or more ago - in which they desperately wanted openid/infocard to be
> reduced "by policy fiat" to serving the low-assurance marketplace
> ("online identities" accessing assets of little or no value),
> preserving their major investments in SAML2 for "> LOA1"
> transactions. They don't seem to have got exactly that built into the
> (unstated) implications of the rules, but they may have wrangled an
> exclusive on the signalling of PIV-II, when used in its _physical_ (vs
> _logical_) access control role.
>
>
> ________________________________________
> From: openid-general-bounces at lists.openid.net [openid-general-bounces at lists.openid.net] On Behalf Of Peter Williams [pwilliams at rapattoni.com]
> Sent: Tuesday, August 11, 2009 9:30 AM
> To: J. Trent Adams; Chris Messina
> Cc: OpenID List
> Subject: Re: [OpenID] OpenID + Government
>
> "That draft includes requirements that OpenID or related Info Card
> identities not be used to authenticate people who are physically
> present (it's just for remote online access), "
>
>
> Given an openid is controlled by the user (not the provider), how
> can any one provider assure the govt of this?
>
> The whole point of openid (in contrast to incommon's version of
> SAML2, say) is that the identity is controlled by the user. If
> Google suspends or terminates the relationship with a given user
> today (because Google claims the user violated their terms of
> service), the user HAS to have the means to access his/her Plaxo
> RP account -- with no additional steps.
>
> I'm going to guess that for any complying provider, they will have to
> disable support for openid delegation, which allows one openid to be
> used (a) in compliance with the draft requirements (when yahoo is
> the TSP-certified OP selected by a .gov website), and (b) not in
> compliance (when some non-certified OP "testing for and claiming
> physical presence" is the OP selected by some other, non .gov website).
>
> Since the architecture allows any one id through delegation to be
> different things to different assertion consumers, the only way for
> Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS
> SUPPORT FOR OPENID DELEGATION (which google has already done,
> apparently).
>
> We seem to be rapidly losing what openid is/was all about: user
> empowerment and control.
>
> ________________________________________
> From: openid-general-bounces at lists.openid.net [openid-general-bounces at lists.openid.net] On Behalf Of J. Trent Adams [jtrentadams at gmail.com]
> Sent: Tuesday, August 11, 2009 7:48 AM
> To: Chris Messina
> Cc: OpenID List
> Subject: Re: [OpenID] OpenID + Government
>
> All -
>
> The event went well, and was good to see OpenID, InfoCard, Kantara,
> and InCommon working together with Protivity on behalf of the GSA/ICAM
> initiative.
>
> While the combined representatives were well-prepared for most
> questions raised, there were a couple of sticking points that would
> be good to focus some energy on moving forward:
>
> 1. Protection against unintended self-exposure.
> 2. Protection against masquerading.
> 3. Usability issues relating to LOA 1 vs LOA > 1
>
> Since there's not a lot that the technology can really do with the
> first issue, it might make sense to focus on how the TFP applicants
> could address this issue during accreditation. Similarly dodgy is
> masquerading, though there might be a creative way to layer in an
> assertion of one's identity should they wish to publicly claim it. I
> believe Chris Louden will be taking these points back to his group,
> but if anyone has suggestions I'm sure they'd be well accepted.
>
> More prosaically, we all know about the usability issues. To date,
> though, we've been focused primarily on how to improve adoption/use of
> OpenID in isolation. The concerns raised in the room were more akin
> to how users can be guided along their interactions when they need to
> shift from OpenID to something with a higher LOA (when the discussions
> move in that direction). This was a heated topic with no clear path
> for resolution in the meeting.
>
> Finally, it was interesting to note that Protivity is only
> recommending that OpenID 2.0 be supported in conjunction with this
> project. Perhaps adoption of 2.0 will be spurred on by this
> requirement.
>
> Cheers,
> Trent
>
>
> Chris Messina wrote:
>> Well, I think the newscycles were tapped out with Facebook acquiring
>> FriendFeed and launching real-time search as well as Google
>> launching a new version of their search engine, but there was an
>> important meeting in Washington today and ReadWriteWeb got the story:
>>
>> http://www.readwriteweb.com/archives/us_government_reviewing_openid_to_log_in_to_some_g.php
>>
>> Chris
>>
>> --
>> Chris Messina
>> Open Web Advocate
>>
>> Personal site: http://factoryjoe.com
>> Twitter: http://twitter.com/chrismessina
>>
>> Diso Project: http://diso-project.org
>> OpenID Foundation: http://openid.net
>>
>> This email is: [ ] bloggable [X] ask first [ ] private
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>
> --
> J. Trent Adams
> =jtrentadams
>
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams
>
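The OpenID delegation that Peter Williams argues about above works through link tags on the user's own page, found by the RP during discovery, so the user (not any one OP) decides which OP an identifier resolves to. The Python below is an added example written for this archive page, not code from the OpenID Foundation or from any provider named in the thread. It implements OpenID 2.0 HTML-based discovery with delegation (the `openid2.provider` / `openid2.local_id` link relations, with the 1.x `openid.server` / `openid.delegate` fallback) and shows that an "only certified OPs" rule has to be enforced by the RP after discovery, since the OP is not the party that reads the delegation page. Every hostname, identifier and HTML page in it is constructed for illustration.

```python
"""OpenID 2.0 HTML-based discovery with delegation, plus an RP-side OP allowlist.

Added example for this thread; the endpoints and pages are constructed.
"""
from html.parser import HTMLParser


class _HeadLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags that appear inside <head>.

    OpenID 2.0 (section 7.3.3) requires the discovery links to be in the HEAD,
    so links in the body are ignored: body content must not redirect discovery.
    """

    def __init__(self):
        super().__init__()
        self.links = {}            # rel token -> href, first occurrence wins
        self._in_head = False
        self._head_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self._head_closed:
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for token in rel.split():       # rel may carry several tokens
                    self.links.setdefault(token.lower(), href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
            self._head_closed = True


def discover(claimed_id, html):
    """Resolve the page behind a claimed identifier to (op_endpoint, op_local_id, version).

    Without a local_id / delegate link the claimed identifier itself is sent to
    the OP. Returns None when the page carries no OpenID links in its head.
    """
    parser = _HeadLinkParser()
    parser.feed(html)
    parser.close()
    links = parser.links
    if "openid2.provider" in links:
        return (links["openid2.provider"], links.get("openid2.local_id", claimed_id), 2)
    if "openid.server" in links:
        return (links["openid.server"], links.get("openid.delegate", claimed_id), 1)
    return None


def rp_accepts(claimed_id, html, certified_op_endpoints):
    """Accreditation-style check that can only be made at the RP.

    The RP is the party that performs discovery on the claimed identifier (and
    must, to verify a later assertion), so it is the RP that can refuse
    identifiers delegated to an OP outside its certified list. Returns
    (accepted, reason).
    """
    found = discover(claimed_id, html)
    if found is None:
        return False, "no OpenID discovery information in <head>"
    op_endpoint, local_id, version = found
    if version != 2:
        return False, "OpenID 1.x delegation (%s) not accepted" % op_endpoint
    if op_endpoint not in certified_op_endpoints:
        return False, "OP %s is not a certified provider" % op_endpoint
    return True, "delegated to certified OP %s as %s" % (op_endpoint, local_id)


# Constructed sample data: hypothetical example.* hosts, not real providers.
CERTIFIED_OPS = frozenset({"https://op.example.net/server"})

PAGE_DELEGATED_TO_CERTIFIED_OP = """<html><head>
<title>peter</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/id/peter">
</head><body>
<link rel="openid2.provider" href="https://rogue.example.org/server">
</body></html>"""

PAGE_DELEGATED_TO_OTHER_OP = """<html><head>
<link rel="openid2.provider" href="https://anyone.example.org/op">
<link rel="openid2.local_id" href="https://anyone.example.org/u/peter">
</head><body></body></html>"""

PAGE_LEGACY_1X = """<html><head>
<link rel="openid.server" href="https://old.example.com/server">
<link rel="openid.delegate" href="https://old.example.com/u/peter">
</head><body></body></html>"""

if __name__ == "__main__":
    for page in (PAGE_DELEGATED_TO_CERTIFIED_OP, PAGE_DELEGATED_TO_OTHER_OP, PAGE_LEGACY_1X):
        print(rp_accepts("https://peter.example.com/", page, CERTIFIED_OPS))
```

The same claimed identifier is accepted or rejected purely on what its page says at the moment the RP fetches it, which is the point of the thread: the user can repoint the page at another OP at any time, so a "certified OP only" policy is an RP-side discovery check, not something the OP can guarantee. A production RP would additionally normalize the claimed identifier, follow redirects, try XRDS/Yadis discovery before the HTML fallback, and re-check the assertion's claimed_id and endpoint against these discovery results before trusting a response.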