[OpenID] OpenID + Government

Brett McDowell email at brettmcdowell.com
Tue Aug 11 19:00:21 UTC 2009


Peter,

The nice thing about transparency is that it allows for disinformation  
to be challenged and corrected.  Can you point to anything ever  
published by Liberty Alliance, or publicly stated as a position by  
Liberty Alliance, that would substantiate your accusation below?

I'm on vacation so will probably have to let this thread go its own  
way (since I hope to stop reading email soon!), but just couldn't  
ignore a false accusation like that directed at my former employer,  
especially since this type of accusation/assumption is what continues  
to get in the way of forward progress.

Going further... I'll address what might be your interpretation of  
Liberty Alliance sentiments (so even if nothing was ever public, would  
your accusation be true based on comments in private meetings?).  No.   
You are categorically wrong about your assessment of any Liberty  
Alliance perspective on Information Cards.  There has always been an  
established respect for the security features of the IMI protocol  
stack which would lead any architect to know it was relevant above LOA  
1.

As for OpenID, everyone I have ever heard from, including OpenID  
advocates and the current assessment announced yesterday by the  
ICAM/GSA representatives, simply affirms as fact (no attitude or bias, just  
fact) that OpenID 1.X cannot reach LOA 1 and OpenID 2.0 can only do  
LOA 1.  That's not a disparaging comment or the artifact of any  
conspiracy.  Frankly, as a member of the OpenID Foundation myself, I'd  
say it's good news!

There may be some in the OpenID community who have ideas for how  
OpenID 2.X or 3.X could achieve higher levels of assurance.  If yes,  
let's see that work take place in the open so new stakeholders who  
haven't paid attention before could be involved and let their  
requirements be articulated, etc.

The state of the protocol today does not define the role of OpenID  
forever.

P.S.
 From our actions and our words, I hope it is clear that Kantara  
Initiative does not exist to promote SAML, or any other single  
technology.  The goal is to drive adoption of all relevant solutions  
to the identity problem through improved interoperability and  
operational frameworks/programs that address the non-technical  
barriers like privacy, assurance, liability, education and usability.

Peace,

Brett McDowell  |  +1.413.652.1248  |  http://KantaraInitiative.org

On Aug 11, 2009, at 12:56 PM, Peter Williams wrote:

> This WOULD be in line with the thinking of the Liberty folks, a year  
> or more ago - in which they desperately wanted openid/infocard to be  
> reduced "by policy fiat" to serving the low-assurance marketplace  
> ("online identities" accessing assets of little or no value),  
> preserving their major investments in SAML2 for "> LOA1"  
> transactions. They don't seem to have got exactly that built into the  
> (unstated) implications of the rules, but they may have wrangled an  
> exclusive on the signalling of PIV-II, when used in its _physical_ (vs  
> _logical_)  access control role.


