[OpenID] TransparencyCamp and OpenID (U)
Paul Madsen
paulmadsen at rogers.com
Thu Mar 12 16:26:15 UTC 2009
Chris, I submit you are listening to the wrong people on issues of SAML
adoption, whether eGov or otherwise.
I think it's fair to say that governments are looking at the
possibilities of accepting OpenID based SSO. If and when they turn this
on, the security characteristics of OpenID (and the other processes and
technology that impact assurance) will be factored into the decision as
to what applications will be candidates for access.
That's true for any federation protocol, e.g. SAML, cards, WS-Fed etc.
regards
paul
Chris Messina wrote:
> ...the rub being that SAML is already widely deployed (from what I
> hear) but 1) few use it 2) integration costs are too high and 3)
> managing SAML from a government-to-citizen perspective seems fraught
> with huge costs and unnecessary burdens on both sides of the aisle.
>
> It sounds like your ideal is "pragmatic SAML" but that seems a
> contradiction in terms. No?
>
> Chris
>
> On 3/12/09, Ben Laurie <benl at google.com> wrote:
>
>> On Wed, Mar 11, 2009 at 5:44 PM, Chris Messina <chris.messina at gmail.com>
>> wrote:
>>
>>> What might you propose if you were in Noel's position?
>>>
>> I'm not sure there's anything I love very much so far, but at this
>> time, something SAML-based would seem as good as it gets.
>>
>>
>>> On 3/11/09, Ben Laurie <benl at google.com> wrote:
>>>
>>>> On Tue, Mar 10, 2009 at 10:06 PM, Chris Messina <chris.messina at gmail.com>
>>>> wrote:
>>>>
>>>>> On Tue, Mar 10, 2009 at 1:03 PM, Dickover, Noel, CTR, NII/DoD-CIO
>>>>> <Noel.Dickover.ctr at osd.mil> wrote:
>>>>>
>>>>>> UNCLASSIFIED
>>>>>>
>>>>>> A question I had, assuming somebody hasn't already asked it from you - in
>>>>>> writing the Directive, how would we include the use of OpenID and OpenAuth?
>>>>>> We would want to specify the generalized category that those fit into, but
>>>>>> would need to allow for potential competitor standards that might emerge in
>>>>>> the future.
>>>>>>
>>>>> One point of clarification: "OpenAuth" is a trademark owned by AOL; "OAuth"
>>>>> is probably what you're thinking of. It's important to keep the two out of
>>>>> the same sentences. ;)
>>>>>
>>>>> To answer your question, I might suggest including these technologies in the
>>>>> realm of "Identity" or "Social Media" technologies. OpenID is a technology
>>>>> that helps people identify themselves to you; we typically use email
>>>>> addresses for that purpose today, but an OpenID should become a more
>>>>> convenient alternative in the future (even if that includes email addresses
>>>>> as OpenIDs).
>>>>>
>>>>>
>>>>>> So if you were writing this, what paragraph would you include that would
>>>>>> specify things like OpenID in order to address the whole privacy issue? And
>>>>>> again, as we discussed at TransparencyCamp, that would involve two options
>>>>>> for Citizens in participating on Federal sites - to either use external
>>>>>> servers to register for govt sites, or a single govt server for all govt
>>>>>> websites which might result in a better level of service. And also to have a
>>>>>> place to authenticate Federal employees to external sites like Twitter,
>>>>>> which would start to address the problem of others acting as if they were
>>>>>> from govt accounts.
>>>>>>
>>>>> I think the first thing to make clear is that OpenID should be considered an
>>>>> important, but optional, convenience for making it easier for people to
>>>>> interact with and take advantage of government websites and services. Few
>>>>> people are looking for MORE accounts online, and OpenID is a vendor-neutral
>>>>> way to address this growing dilemma (of account proliferation).
>>>>>
>>>>> With regards to privacy, I think this is where the optional bit is
>>>>> essential. As it is, the government makes various uses of my phone number,
>>>>> my email address and my social security number to identify me; using a
>>>>> web-friendly identifier as an alternative would be convenient for me and
>>>>> allow me to choose a provider that I trust (which may so happen to be my
>>>>> email provider in the case of Google, Yahoo et al).
>>>>>
>>>>> I largely favor the government accepting third-party OpenID Providers for
>>>>> authentication, just as they do allow for email provider choice.
>>>>>
>>>> Wow, really? Wouldn't you prefer a protocol with some actual security?
>>>>
>>>>
>>>>> Pushing people through a central government-issued OpenID provider seems
>>>>> fraught with trouble — yet another account to forget since people would only
>>>>> need it for irregular interactions with the government (simply an extension
>>>>> of the current problem with government-issued accounts).
>>>>>
>>>>> Of course, where there is a need for remote authentication between
>>>>> government agency websites, I think it's worth considering using OpenID in
>>>>> these cases — if anything to lower the cost of implementation and
>>>>> support-over-time thanks to the maintenance efforts of the OpenID open
>>>>> source community (which admittedly needs to see more activity).
>>>>>
>>>>> For government employees, I do think that it would be useful for a central
>>>>> agency (whichever one already issues government credentials) to operate an
>>>>> OpenID Provider to enable government employees to authenticate and act
>>>>> within the capacity of their government purview on third-party sites.
>>>>>
>>>>> Let's keep this conversation going though — I think this is a great context
>>>>> (this list, that is) to have this discussion!
>>>>>
>>>>> Chris
>>>>>
>>>>>> v/r
>>>>>> Noel Dickover
>>>>>> DoD CIO, IT Investments and Commercial Policy Directorate
>>>>>> Social Software and Emerging Technologies
>>>>>> 703-601-4729x152
>>>>>> Noel.Dickover.ctr at osd.mil
>>>>>> https://www.dodtechipedia.mil - Join the Fight!!!
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>>>>>> Behalf Of David Recordon
>>>>>> Sent: Wednesday, March 04, 2009 1:18 PM
>>>>>> To: general at openid.net
>>>>>> Subject: [OpenID] TransparencyCamp and OpenID
>>>>>>
>>>>>> This weekend both Chris Messina and I went to TransparencyCamp in DC and
>>>>>> talked to a bunch of people there about OpenID. We shot a quick episode of
>>>>>> TheSocialWeb.tv about it:
>>>>>> http://www.thesocialweb.tv/blog/2009/03/transparency-camp.html
>>>>>>
>>>>>> --David
>>>>>> _______________________________________________
>>>>>> general mailing list
>>>>>> general at openid.net
>>>>>> http://openid.net/mailman/listinfo/general
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Chris Messina
>>>>> Citizen-Participant &
>>>>> Open Web Advocate-at-Large
>>>>>
>>>>> factoryjoe.com # diso-project.org
>>>>> citizenagency.com # vidoop.com
>>>>> This email is: [ ] bloggable [X] ask first [ ] private
>>>>>
>>>>>
>>>>>
>>>>>
>>> --
>>> Chris Messina
>>> Citizen-Participant &
>>> Open Web Advocate-at-Large
>>>
>>> factoryjoe.com # diso-project.org
>>> citizenagency.com # vidoop.com
>>> This email is: [ ] bloggable [X] ask first [ ] private
>>>
>>>
>
>
>
--
Paul Madsen
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
web:connectid.blogspot.com
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>