[OpenID] OpenID + Government
Peter Williams
pwilliams at rapattoni.com
Tue Aug 11 20:43:29 UTC 2009
If the infocard stack is technically reputable, can you explain why an
accredited provider would be excluded from using it (and OpenID) from
making assertions of physical presence?

Alternatively, can you identify what the complementary set of
(unnamed) protocols have that supports their unique ability to
assert physical presence?

(Understand that in US realty, we manage as an industry millions of
physical access control devices (and their correlation records) as
well as a million logical accounts and probably about 50 million
OpenID-grade accounts of consumers.)

At cost recovery of about 1 dollar a month for 2 factor assurances, if
the 4 vendors in this 100 million dollar annual marketplace have to
each spend an additional million a year just to cover the audit, the
additional controls, the certification/disclosure costs, the financial
responsibility insurance, I'm not sure there is margin to even play in
the OpenID space. It's just too expensive.

Sent from my iPhone
On Aug 11, 2009, at 11:49 AM, "Brett McDowell"
<email at brettmcdowell.com> wrote:
> Peter,
>
> The nice thing about transparency is that it allows for disinformation
> to be challenged and corrected. Can you point to anything ever
> published by Liberty Alliance, or publicly stated as a position by
> Liberty Alliance, that would substantiate your accusation below?
>
> I'm on vacation so will probably have to let this thread go its own
> way (since I hope to stop reading email soon!), but just couldn't
> ignore a false accusation like that directed at my former employer,
> especially since this type of accusation/assumption is what continues
> to get in the way of forward progress.
>
> Going further... I'll address what might be your interpretation of
> Liberty Alliance sentiments (so even if nothing was ever public, would
> your accusation be true based on comments in private meetings?). No.
> You are categorically wrong about your assessment of any Liberty
> Alliance perspective on Information Cards. There has always been an
> established respect for the security features of the IMI protocol
> stack which would lead any architect to know it was relevant above LOA
> 1.
>
> As for OpenID, everyone I have ever heard from, including OpenID
> advocates and the current assessment announced yesterday by the ICAM/
> GSA representatives, simply affirms as fact (no attitude or bias, just
> fact) that OpenID 1.X cannot reach LOA 1 and OpenID 2.0 can only do
> LOA 1. That's not a disparaging comment or the artifact of any
> conspiracy. Frankly, as a member of the OpenID Foundation myself, I'd
> say it's good news!
>
> There may be some in the OpenID community who have ideas for how
> OpenID 2.X or 3.X could achieve higher levels of assurance. If yes,
> let's see that work take place in the open so new stakeholders who
> haven't paid attention before could be involved and let their
> requirements be articulated, etc.
>
> The state of the protocol today does not define the role of OpenID
> forever.
>
> P.S.
> From our actions and our words, I hope it is clear that Kantara
> Initiative does not exist to promote SAML, or any other single
> technology. The goal is to drive adoption of all relevant solutions
> to the identity problem through improved interoperability and
> operational frameworks/programs that address the non-technical
> barriers like privacy, assurance, liability, education and usability.
>
> Peace,
>
> Brett McDowell | +1.413.652.1248 | http://KantaraInitiative.org
>
> On Aug 11, 2009, at 12:56 PM, Peter Williams wrote:
>
>> This WOULD be in line with the thinking of the Liberty folks, a year
>> or more ago - in which they desperately wanted openid/infocard to be
>> reduced "by policy fiat" to serving the low-assurance marketplace
>> ("online identities" accessing assets of little or no value),
>> preserving their major investments in SAML2 for "> LOA1"
>> transactions. They don't seem to have got exactly that built into the
>> (unstated) implications of the rules, but they may have wrangled an
>> exclusive on the signalling of PIV-II, when used in its _physical_ (vs
>> _logical_) access control role.
>