[OpenID] TransparencyCamp and OpenID (U)

Chris Messina chris.messina at gmail.com
Thu Mar 12 16:13:59 UTC 2009


...the rub being that SAML is already widely deployed (from what I
hear) but 1) few use it 2) integration costs are too high and 3)
managing SAML from a government-to-citizen perspective seems fraught
with huge costs and unnecessary burdens on both sides of the aisle.

It sounds like your ideal is "pragmatic SAML" but that seems a
contradiction in terms. No?

Chris

On 3/12/09, Ben Laurie <benl at google.com> wrote:
> On Wed, Mar 11, 2009 at 5:44 PM, Chris Messina <chris.messina at gmail.com>
> wrote:
>> What might you propose if you were in Noel's position?
>
> I'm not sure there's anything I love very much so far, but at this
> time, something SAML-based would seem as good as it gets.
>
>>
>> On 3/11/09, Ben Laurie <benl at google.com> wrote:
>>> On Tue, Mar 10, 2009 at 10:06 PM, Chris Messina <chris.messina at gmail.com>
>>> wrote:
>>>> On Tue, Mar 10, 2009 at 1:03 PM, Dickover, Noel, CTR, NII/DoD-CIO
>>>> <Noel.Dickover.ctr at osd.mil> wrote:
>>>>>
>>>>> UNCLASSIFIED
>>>>>
>>>>> A question I had, assuming somebody hasn't already asked it of you -
>>>>> in writing the Directive, how would we include the use of OpenID and
>>>>> OpenAuth?  We would want to specify the generalized category that those
>>>>> fit into, but would need to allow for potential competitor standards
>>>>> that might emerge in the future.
>>>>
>>>> One point of clarification: "OpenAuth" is a trademark owned by AOL;
>>>> "OAuth" is probably what you're thinking of. It's important to keep the
>>>> two out of the same sentences. ;)
>>>>
>>>> To answer your question, I might suggest including these technologies in
>>>> the realm of "Identity" or "Social Media" technologies. OpenID is a
>>>> technology that helps people identify themselves to you; we typically use
>>>> email addresses for that purpose today, but an OpenID should become a
>>>> more convenient alternative in the future (even if that includes email
>>>> addresses as OpenIDs).
>>>>
>>>>>
>>>>> So if you were writing this, what paragraph would you include that would
>>>>> specify things like OpenID in order to address the whole privacy issue?
>>>>> And again, as we discussed at TransparencyCamp, that would involve two
>>>>> options for Citizens in participating on Federal sites - to either use
>>>>> external servers to register for govt sites, or a single govt server for
>>>>> all govt websites which might result in a better level of service.  And
>>>>> also to have a place to authenticate Federal employees to external sites
>>>>> like Twitter, which would start to address the problem of others acting
>>>>> as if they were from govt accounts.
>>>>
>>>> I think the first thing to make clear is that OpenID should be considered
>>>> an important, but optional, convenience for making it easier for people
>>>> to interact with and take advantage of government websites and services.
>>>> Few people are looking for MORE accounts online, and OpenID is a
>>>> vendor-neutral way to address this growing dilemma (of account
>>>> proliferation).
>>>>
>>>> With regards to privacy, I think this is where the optional bit is
>>>> essential. As it is, the government makes various uses of my phone
>>>> number, my email address and my social security number to identify me;
>>>> using a web-friendly identifier as an alternative would be convenient for
>>>> me and allow me to choose a provider that I trust (which may so happen to
>>>> be my email provider in the case of Google, Yahoo et al).
>>>>
>>>> I largely favor the government accepting third-party OpenID Providers
>>>> for authentication, just as they do allow for email provider choice.
>>>
>>> Wow, really? Wouldn't you prefer a protocol with some actual security?
>>>
>>>> Pushing people through a central government-issued OpenID provider seems
>>>> fraught with trouble — yet another account to forget since people would
>>>> only need it for irregular interactions with the government (simply an
>>>> extension of the current problem with government-issued accounts).
>>>>
>>>> Of course, where there is a need for remote authentication between
>>>> government agency websites, I think it's worth considering using OpenID
>>>> in these cases — if anything to lower the cost of implementation and
>>>> support-over-time thanks to the maintenance efforts of the OpenID open
>>>> source community (which admittedly needs to see more activity).
>>>>
>>>> For government employees, I do think that it would be useful for a
>>>> central agency (whichever one already issues government credentials) to
>>>> operate an OpenID Provider to enable government employees to authenticate
>>>> and act within the capacity of their government purview on third-party
>>>> sites.
>>>>
>>>> Let's keep this conversation going though — I think this is a great
>>>> context (this list, that is) to have this discussion!
>>>> Chris
>>>>>
>>>>>
>>>>> v/r
>>>>> Noel Dickover
>>>>> DoD CIO, IT Investments and Commercial Policy Directorate
>>>>> Social Software and Emerging Technologies
>>>>> 703-601-4729x152
>>>>> Noel.Dickover.ctr at osd.mil
>>>>> https://www.dodtechipedia.mil - Join the Fight!!!
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>>>>> Behalf Of David Recordon
>>>>> Sent: Wednesday, March 04, 2009 1:18 PM
>>>>> To: general at openid.net
>>>>> Subject: [OpenID] TransparencyCamp and OpenID
>>>>>
>>>>> This weekend both Chris Messina and I went to TransparencyCamp in DC and
>>>>> talked to a bunch of people there about OpenID.  We shot a quick episode
>>>>> of TheSocialWeb.tv about it:
>>>>> http://www.thesocialweb.tv/blog/2009/03/transparency-camp.html
>>>>>
>>>>> --David
>>>>> _______________________________________________
>>>>> general mailing list
>>>>> general at openid.net
>>>>> http://openid.net/mailman/listinfo/general
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Chris Messina
>>>> Citizen-Participant &
>>>>  Open Web Advocate-at-Large
>>>>
>>>> factoryjoe.com # diso-project.org
>>>> citizenagency.com # vidoop.com
>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>>
>>>
>>
>>
>> --
>> Chris Messina
>> Citizen-Participant &
>>  Open Web Advocate-at-Large
>>
>> factoryjoe.com # diso-project.org
>> citizenagency.com # vidoop.com
>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>
>


-- 
Chris Messina
Citizen-Participant &
  Open Web Advocate-at-Large

factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private


