[OpenID] TransparencyCamp and OpenID (U)
Nate Klingenstein
ndk at internet2.edu
Thu Mar 12 16:31:47 UTC 2009
Chris,
I don't think that's a very accurate description of the deployment
pattern of Shibboleth, at least, which uses SAML as one of its primary
protocols. While the deployment in the US has been less rapid than
that of Europe in particular, there is heavy usage in the educational
sector.
It is free open source, of course. We've poured a ton of work into
securing the software, improving interop, and giving deployers as many
choices - and extension points - as possible to make integration work
well. There are packages like simpleSAMLphp (which supports OpenID,
afaik) available for other environments, too.
The US Higher Ed federation, InCommon, already counts some major
government agencies that work often with the academic community as
partners, including NIH and NSF. We're building up a higher LOA at
some universities now to meet the security needs of their apps, and
we're very grateful for their active participation and support.
The deployment in the consumer and corporate space is vastly less. I
suspect that is related to communication patterns and security vs.
usability tradeoffs, but that's just a guess. I'm excited to watch
all the progress that OpenID and Facebook Connect are making here.
Take care,
Nate.
On Mar 12, 2009, at 9:13, Chris Messina <chris.messina at gmail.com> wrote:
> ...the rub being that SAML is already widely deployed (from what I
> hear) but 1) few use it 2) integration costs are too high and 3)
> managing SAML from a government-to-citizen perspective seems fraught
> with huge costs and unnecessary burdens on both sides of the aisle.
>
> It sounds like your ideal is "pragmatic SAML" but that seems a
> contradiction in terms. No?
>
> Chris
>
> On 3/12/09, Ben Laurie <benl at google.com> wrote:
>> On Wed, Mar 11, 2009 at 5:44 PM, Chris Messina <chris.messina at gmail.com> wrote:
>>> What might you propose if you were in Noel's position?
>>
>> I'm not sure there's anything I love very much so far, but at this
>> time, something SAML-based would seem as good as it gets.
>>
>>>
>>> On 3/11/09, Ben Laurie <benl at google.com> wrote:
>>>> On Tue, Mar 10, 2009 at 10:06 PM, Chris Messina <chris.messina at gmail.com> wrote:
>>>>> On Tue, Mar 10, 2009 at 1:03 PM, Dickover, Noel, CTR, NII/DoD-CIO
>>>>> <Noel.Dickover.ctr at osd.mil> wrote:
>>>>>>
>>>>>> UNCLASSIFIED
>>>>>>
>>>>>> A question I had, assuming somebody hasn't already asked it from you -
>>>>>> in writing the Directive, how would we include the use of OpenID and
>>>>>> OpenAuth? We would want to specify the generalized category that those
>>>>>> fit into, but would need to allow for potential competitor standards
>>>>>> that might emerge in the future.
>>>>>
>>>>> One point of clarification: "OpenAuth" is a trademark owned by AOL;
>>>>> "OAuth" is probably what you're thinking of. It's important to keep the
>>>>> two out of the same sentences. ;)
>>>>> To answer your question, I might suggest including these technologies in
>>>>> the realm of "Identity" or "Social Media" technologies. OpenID is a
>>>>> technology that helps people identify themselves to you; we typically
>>>>> use email addresses for that purpose today, but an OpenID should become
>>>>> a more convenient alternative in the future (even if that includes email
>>>>> addresses as OpenIDs).
>>>>>
>>>>>>
>>>>>> So if you were writing this, what paragraph would you include that
>>>>>> would specify things like OpenID in order to address the whole privacy
>>>>>> issue? And again, as we discussed at TransparencyCamp, that would
>>>>>> involve two options for Citizens in participating on Federal sites - to
>>>>>> either use external servers to register for govt sites, or a single
>>>>>> govt server for all govt websites which might result in better level of
>>>>>> service. And also to have a place to authenticate Federal employees to
>>>>>> external sites like Twitter, which would start to address the problem
>>>>>> of others acting as if they were from govt accounts.
>>>>>
>>>>> I think the first thing to make clear is that OpenID should be
>>>>> considered an important, but optional, convenience for making it easier
>>>>> for people to interact with and take advantage of government websites
>>>>> and services. Few people are looking for MORE accounts online, and
>>>>> OpenID is a vendor-neutral way to address this growing dilemma (of
>>>>> account proliferation).
>>>>> With regards to privacy, I think this is where the optional bit is
>>>>> essential. As it is, the government makes various uses of my phone
>>>>> number, my email address and my social security number to identify me;
>>>>> using a web-friendly identifier as an alternative would be convenient
>>>>> for me and allow me to choose a provider that I trust (which may so
>>>>> happen to be my email provider in the case of Google, Yahoo et al).
>>>>> I largely favor the government accepting third-party OpenID Providers
>>>>> for authentication, just as they do allow for email provider choice.
>>>>
>>>> Wow, really? Wouldn't you prefer a protocol with some actual
>>>> security?
>>>>
>>>>> Pushing people through a central government-issued OpenID provider
>>>>> seems fraught with trouble ― yet another account to forget since people
>>>>> would only need it for irregular interactions with the government
>>>>> (simply an extension of the current problem with government-issued
>>>>> accounts).
>>>>> Of course, where there is a need for remote authentication between
>>>>> government agency websites, I think it's worth considering using OpenID
>>>>> in these cases ― if anything to lower the cost of implementation and
>>>>> support-over-time thanks to the maintenance efforts of the OpenID open
>>>>> source community (which admittedly needs to see more activity).
>>>>> For government employees, I do think that it would be useful for a
>>>>> central agency (whichever one already issues government credentials) to
>>>>> operate an OpenID Provider to enable government employees to
>>>>> authenticate and act within the capacity of their government purview on
>>>>> third-party sites.
>>>>>
>>>>> Let's keep this conversation going though ― I think this is a great
>>>>> context (this list, that is) to have this discussion!
>>>>> Chris
>>>>>>
>>>>>>
>>>>>> v/r
>>>>>> Noel Dickover
>>>>>> DoD CIO, IT Investments and Commercial Policy Directorate
>>>>>> Social Software and Emerging Technologies
>>>>>> 703-601-4729x152
>>>>>> Noel.Dickover.ctr at osd.mil
>>>>>> https://www.dodtechipedia.mil - Join the Fight!!!
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>>>>>> Behalf Of David Recordon
>>>>>> Sent: Wednesday, March 04, 2009 1:18 PM
>>>>>> To: general at openid.net
>>>>>> Subject: [OpenID] TransparencyCamp and OpenID
>>>>>>
>>>>>> This weekend both Chris Messina and I went to TransparencyCamp in DC
>>>>>> and talked to a bunch of people there about OpenID. We shot a quick
>>>>>> episode of TheSocialWeb.tv about it:
>>>>>> http://www.thesocialweb.tv/blog/2009/03/transparency-camp.html
>>>>>>
>>>>>> --David
>>>>>> _______________________________________________
>>>>>> general mailing list
>>>>>> general at openid.net
>>>>>> http://openid.net/mailman/listinfo/general
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Chris Messina
>>>>> Citizen-Participant &
>>>>> Open Web Advocate-at-Large
>>>>>
>>>>> factoryjoe.com # diso-project.org
>>>>> citizenagency.com # vidoop.com
>>>>> This email is: [ ] bloggable [X] ask first [ ] private
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Citizen-Participant &
>>> Open Web Advocate-at-Large
>>>
>>> factoryjoe.com # diso-project.org
>>> citizenagency.com # vidoop.com
>>> This email is: [ ] bloggable [X] ask first [ ] private
>>>
>>
>
>
> --
> Chris Messina
> Citizen-Participant &
> Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private