[OpenID] TransparencyCamp and OpenID (U)
Nat Sakimura
sakimura at gmail.com
Wed Mar 11 05:26:28 UTC 2009
Or perhaps we can put it in the category of assertion-based message
exchange. Authentication is simply a profile of it (as an application
that checks the username and the credential).

When we consider something like this for government, it is also useful
to distinguish the Identity Proofing and the Web Account. Often, we do not
need a proven identity to interact with government web sites. It may
just turn out to be the persistency that is important. In this kind of
case, accepting any OpenID-based account makes sense. Then, there are
some processes that require a verified/proven identity. In this case,
the OpenID account and the verified identity are to be linked at some
stage. There are two possible points: at the OpenID Provider (OP), and
at the Relying Party (RP). Doing it at the OpenID Provider has the merit of
providing a uniquely identified pseudonym, but has the disadvantage of
making the OP an information accumulation point. Doing it at the RP does
not give the system a filtering opportunity, but the OP will not
accumulate the verinymous transaction history. FYI, the NZ government's
approach is close to the latter, though they are using SAML as their
assertion format.

As identity proofing is a very expensive process, it would be
economically more efficient to have it verified once and reuse it.
This, IMHO, is somewhere Govt can come in. Actually, many governments
do the Identity Proofing service at the national level as an Identity
Verification Service (IVS).

Many government services require the "uniqueness" of the recipient. Just
using third-party OPs would be difficult in this case unless the
service uses the IVS. The moment the service uses the IVS, the recipient has
revealed his real identity. This, in some cases, is an unnecessary
disclosure of personal data. To avoid it, it may be interesting
for the Government to run an OP that provides the "uniqueness" only,
under the special supervision of a privacy authority. Of course, in this
case, the OP has to provide relying-party-specific pseudonyms.

Nat Sakimura
On 3/11/09, Chris Messina <chris.messina at gmail.com> wrote:
> On Tue, Mar 10, 2009 at 1:03 PM, Dickover, Noel, CTR, NII/DoD-CIO <
> Noel.Dickover.ctr at osd.mil> wrote:
>
>> UNCLASSIFIED
>>
>> A question I had, assuming somebody
>> hasn't already asked it from you - in writing the Directive, how would we
>> include the use of OpenID and OpenAuth? We would want to specify the
>> generalized category that those fit into, but would need to allow for
>> potential competitor standards that might emerge in the future.
>>
>
> One point of clarification: "OpenAuth" is a trademark owned by AOL; "OAuth"
> is probably what you're thinking of. It's important to keep the two out of
> the same sentences. ;)
>
> To answer your question, I might suggest including these technologies in the
> realm of "Identity" or "Social Media" technologies. OpenID is a technology
> that helps people identify themselves to you; we typically use email
> addresses for that purpose today, but an OpenID should become a more
> convenient alternative in the future (even if that includes email addresses
> as OpenIDs).
>
>
>
>> So if you were writing this, what paragraph would you include that would
>> specify things like OpenID in order to address the whole privacy issue? And
>> again, as we discussed at TransparencyCamp, that would involve two options
>> for Citizens in participating on Federal sites - to either use external
>> servers to register for govt sites, or a single govt server for all govt
>> websites which might result in better level of service. And also to have a
>> place to authenticate Federal employees to external sites like Twitter,
>> which would start to address the problem of others acting as if they were
>> from govt accounts.
>
>
> I think the first thing to make clear is that OpenID should be considered an
> important, but optional, convenience for making it easier for people to
> interact with and take advantage of government websites and services. Few
> people are looking for MORE accounts online, and OpenID is a vendor-neutral
> way to address this growing dilemma (of account proliferation).
>
> With regards to privacy, I think this is where the optional bit is
> essential. As it is, the government makes various uses of my phone number,
> my email address and my social security number to identify me; using a
> web-friendly identifier as an alternative would be convenient for me and
> allow me to choose a provider that I trust (which may so happen to be my
> email provider in the case of Google, Yahoo et al).
>
> I largely favor the government accepting third-party OpenID Providers for
> authentication, just as they do allow for email provider choice. Pushing
> people through a central government-issued OpenID provider seems fraught
> with trouble — yet another account to forget since people would only need it
> for irregular interactions with the government (simply an extension of the
> current problem with government-issued accounts).
>
> Of course, where there is a need for remote authentication between
> government agency websites, I think it's worth considering using OpenID in
> these cases — if anything to lower the cost of implementation and
> support-over-time thanks to the maintenance efforts of the OpenID open
> source community (which admittedly needs to see more activity).
>
> For government employees, I do think that it would be useful for a central
> agency (whichever one already issues government credentials) to operate an
> OpenID Provider to enable government employees to authenticate and act
> within the capacity of their government purview on third-party sites.
>
> Let's keep this conversation going though — I think this is a great context
> (this list, that is) to have this discussion!
>
> Chris
>
>
>>
>> v/r
>> Noel Dickover
>> DoD CIO, IT Investments and Commercial Policy Directorate
>> Social Software and Emerging Technologies
>> 703-601-4729x152
>> Noel.Dickover.ctr at osd.mil
>> https://www.dodtechipedia.mil - Join the Fight!!!
>>
>>
>>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of David Recordon
>> Sent: Wednesday, March 04, 2009 1:18 PM
>> To: general at openid.net
>> Subject: [OpenID] TransparencyCamp and OpenID
>>
>> This weekend both Chris Messina and I went to TransparencyCamp in DC and
>> talked to a bunch of people there about OpenID. We shot a quick episode of
>> TheSocialWeb.tv about it:
>> http://www.thesocialweb.tv/blog/2009/03/transparency-camp.html
>>
>> --David
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>
>
> --
> Chris Messina
> Citizen-Participant &
> Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
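The "uniqueness-only OP with relying-party-specific pseudonyms" that Nat sketches above is worth seeing in code, because the two properties it needs (stable per relying party, unlinkable across relying parties) come from one keyed derivation. The following is an added illustration written for this page, not code from the thread, from OpenID, or from any government OP. It assumes a hypothetical OP that keys an HMAC over (internal account id, canonical RP realm) and only ever releases that pseudonym plus a "proofed" flag; the accounts, realms and key below are constructed for the example.

```python
"""Relying-party-specific pseudonyms at a toy OpenID Provider (OP).

Added illustration, not code from the thread or from any real OP. It models
the arrangement discussed above: the OP vouches for the "uniqueness" of a
person but hands each relying party (RP) a different, stable pseudonym, so an
RP can deduplicate recipients without learning the verinymous identity and
without being able to correlate one person across RPs by identifier alone.
All names, keys and identities here are hypothetical/constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


def normalize_realm(realm: str) -> str:
    """Canonicalise an RP realm so trivial URL variations (case, path)
    do not yield a second pseudonym for the same RP."""
    parts = urlsplit(realm)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"realm must be an absolute URL: {realm!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


class PairwiseOP:
    """Toy OP holding one secret key and a table of which accounts have
    passed identity proofing (the 'link at the OP' model from the thread)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # The key never leaves the OP: without it nobody can recompute or
        # invert a pseudonym, so RPs cannot link pseudonyms across realms.
        self.key = key or secrets.token_bytes(32)
        self.accounts: Dict[str, bool] = {}  # internal account id -> proofed?

    def register(self, account_id: str, proofed: bool = False) -> None:
        self.accounts[account_id] = proofed

    def pseudonym(self, account_id: str, realm: str) -> str:
        """Deterministic per (account, realm); distinct across realms."""
        if account_id not in self.accounts:
            raise KeyError(account_id)
        r = normalize_realm(realm)
        # Length-prefix both fields so ("ab","c") and ("a","bc") cannot collide.
        msg = (len(account_id).to_bytes(4, "big") + account_id.encode()
               + len(r).to_bytes(4, "big") + r.encode())
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def assert_unique_person(self, account_id: str, realm: str) -> dict:
        """What the OP releases to the RP: a pseudonym plus a flag that the
        account is backed by identity proofing. No name, no national id."""
        return {"sub": self.pseudonym(account_id, realm),
                "proofed": self.accounts[account_id]}


class RelyingParty:
    """Toy government RP that must grant a benefit at most once per person."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.granted: Set[str] = set()

    def claim_once(self, assertion: dict) -> bool:
        """Grant only to proofed accounts, and only once per pseudonym."""
        if not assertion.get("proofed"):
            return False
        sub = assertion["sub"]
        if sub in self.granted:
            return False
        self.granted.add(sub)
        return True


if __name__ == "__main__":
    op = PairwiseOP()
    op.register("alice", proofed=True)
    benefits = RelyingParty("https://benefits.example.gov/")
    taxes = RelyingParty("https://taxes.example.gov/")
    print(op.pseudonym("alice", benefits.realm))  # differs from the next line
    print(op.pseudonym("alice", taxes.realm))
    print(benefits.claim_once(op.assert_unique_person("alice", benefits.realm)))
    print(benefits.claim_once(op.assert_unique_person("alice", benefits.realm)))
```

The RP's deduplication works purely on the pseudonym, which is the "uniqueness only" release Nat describes; the trade-off he notes still holds, since the OP, not the RP, is the party that sees which realms a given account has been asserted to.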