[OpenID] TransparencyCamp and OpenID (U)

Ben Laurie benl at google.com
Thu Mar 12 16:46:12 UTC 2009 

On Thu, Mar 12, 2009 at 4:13 PM, Chris Messina <chris.messina at gmail.com> wrote:
> ...the rub being that SAML is already widely deployed (from what I
> hear) but 1) few use it 2) integration costs are too high and 3)
> managing SAML from a government-to-citizen perspective seems fraught
> with huge costs and unnecessary burdens on both sides of the aisle.
>
> It sounds like your ideal is "pragmatic SAML" but that seems a
> contradiction in terms. No?

I agree that all of SAML is way too large a pill to swallow but
there's no reason subsets that are usable cannot be defined, and,
indeed, have been.

As for deployment, well - google apps for your domain uses SAML for
enterprise customers, as well as the other examples that have been
given.

Boeing use SAML to manage all employees, contractors, etc. Something
like 2 million of them, if I remember. For example.

And for "managing SAML from a government-to-citizen perspective seems
fraught with huge costs and unnecessary burdens on both sides of the
aisle."  - managing SAML is only as hard as you make it. If all you
want something along the lines of an ID - like OpenID provides - then
its pretty trivial.

>
> Chris
>
> On 3/12/09, Ben Laurie <benl at google.com> wrote:
>> On Wed, Mar 11, 2009 at 5:44 PM, Chris Messina <chris.messina at gmail.com>
>> wrote:
>>> What might you propose if you were in Noel's position?
>>
>> I'm not sure there's anything I love very much so far, but at this
>> time, something SAML-based would seem as good as it gets.
>>
>>>
>>> On 3/11/09, Ben Laurie <benl at google.com> wrote:
>>>> On Tue, Mar 10, 2009 at 10:06 PM, Chris Messina <chris.messina at gmail.com>
>>>> wrote:
>>>>> On Tue, Mar 10, 2009 at 1:03 PM, Dickover, Noel, CTR, NII/DoD-CIO
>>>>> <Noel.Dickover.ctr at osd.mil> wrote:
>>>>>>
>>>>>> UNCLASSIFIED
>>>>>>
>>>>>> A question I had, assuming somebody
>>>>>> hasn't already asked it from you - in writing the Directive, how would
>>>>>> we
>>>>>> include the use of OpenID and OpenAuth?  We would want to specify the
>>>>>> generalized category that those fit into, but would need to allow for
>>>>>> potential competitor standards that might emerge in the future.
>>>>>
>>>>> One point of clarification: "OpenAuth" is a trademark owned by AOL;
>>>>> "OAuth"
>>>>> is probably what you're thinking of. It's important to keep the two out
>>>>> of
>>>>> the same sentences. ;)
>>>>> To answer your question, I might suggest including these technologies in
>>>>> the
>>>>> realm of "Identity" or "Social Media" technologies. OpenID is a
>>>>> technology
>>>>> that helps people identify themselves to you; we typically use email
>>>>> addresses for that purpose today, but an OpenID should become a more
>>>>> convenient alternative in the future (even if that includes email
>>>>> addresses
>>>>> as OpenIDs).
>>>>>
>>>>>>
>>>>>> So if you were writing this, what paragraph would you include that
>>>>>> would
>>>>>> specify things like OpenID in order to address the whole privacy issue?
>>>>>>  And
>>>>>> again, as we discussed at TransparencyCamp, that would involve two
>>>>>> options
>>>>>> for Citizens in participating on Federal sites - to  either use
>>>>>> external
>>>>>> servers to register for govt sites, or a single govt server for all
>>>>>> govt
>>>>>> websites which might result in better level of service.  And also to
>>>>>> have
>>>>>> a
>>>>>> plaec to authenticate Federal employees to external sites like Twitter,
>>>>>> which would start to address the problem of others acting as if they
>>>>>> were
>>>>>> from govt accounts.
>>>>>
>>>>> I think the first thing to make clear is that OpenID should be
>>>>> considered
>>>>> an
>>>>> important, but optional, convenience for making it easier for people to
>>>>> interact with and take advantage of government websites and services.
>>>>> Few
>>>>> people are looking for MORE accounts online, and OpenID is a
>>>>> vendor-neutral
>>>>> way to address this growing dilemma (of account proliferation).
>>>>> With regards to privacy, I think this is where the optional bit is
>>>>> essential. As it is, the government makes various uses of my phone
>>>>> number,
>>>>> my email address and my social security number to identify me; using a
>>>>> web-friendly identifier as an alternative would be convenient for me and
>>>>> allow me to choose a provider that I trust (which may so happen to be my
>>>>> email provider in the case of Google, Yahoo et al).
>>>>> I largely favor the government accepting third-party OpenID Providers
>>>>> for
>>>>> authentication, just as they do allow for email provider choice.
>>>>
>>>> Wow, really? Wouldn't you prefer a protocol with some actual security?
>>>>
>>>>> Pushing
>>>>> people through a central government-issued OpenID provider seems fraught
>>>>> with trouble — yet another account to forget since people would only
>>>>> need
>>>>> it
>>>>> for irregular interactions with the government (simply an extension of
>>>>> the
>>>>> current problem with government-issued accounts).
>>>>> Of course, where there is a need for remote authentication between
>>>>> government agency websites, I think it's worth considering using OpenID
>>>>> in
>>>>> these cases — if anything to lower the cost of implementation and
>>>>> support-over-time thanks to the maintenance efforts of the OpenID open
>>>>> source community (which admittedly needs to see more activity).
>>>>> For government employees, I do think that it would be useful for a
>>>>> central
>>>>> agency (whichever one already issues government credentials) to operate
>>>>> an
>>>>> OpenID Provider to enable government employees to authenticate and act
>>>>> within the capacity of their government purview on third-party sites.
>>>>>
>>>>> Let's keep this conversation going though — I think this is a great
>>>>> context
>>>>> (this list, that is) to have this discussion!
>>>>> Chris
>>>>>>
>>>>>>
>>>>>> v/r
>>>>>> Noel Dickover
>>>>>> DoD CIO, IT Investments and Commercial Policy Directorate
>>>>>> Social Software and Emerging Technologies
>>>>>> 703-601-4729x152
>>>>>> Noel.Dickover.ctr at osd.mil
>>>>>> https://www.dodtechipedia.mil - Join the Fight!!!
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>>>>>> Behalf Of David Recordon
>>>>>> Sent: Wednesday, March 04, 2009 1:18 PM
>>>>>> To: general at openid.net
>>>>>> Subject: [OpenID] TransparencyCamp and OpenID
>>>>>>
>>>>>> This weekend both Chris Messina and I went to TransparencyCamp in DC
>>>>>> and
>>>>>> talked to a bunch of people there about OpenID.  We shot a quick
>>>>>> episode
>>>>>> of
>>>>>> TheSocialWeb.tv about it:
>>>>>> http://www.thesocialweb.tv/blog/2009/03/transparency-camp.html
>>>>>>
>>>>>> --David
>>>>>> _______________________________________________
>>>>>> general mailing list
>>>>>> general at openid.net
>>>>>> http://openid.net/mailman/listinfo/general
>>>>>>
>>>>>> _______________________________________________
>>>>>> general mailing list
>>>>>> general at openid.net
>>>>>> http://openid.net/mailman/listinfo/general
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Chris Messina
>>>>> Citizen-Participant &
>>>>>  Open Web Advocate-at-Large
>>>>>
>>>>> factoryjoe.com # diso-project.org
>>>>> citizenagency.com # vidoop.com
>>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>>>
>>>>> _______________________________________________
>>>>> general mailing list
>>>>> general at openid.net
>>>>> http://openid.net/mailman/listinfo/general
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Citizen-Participant &
>>>  Open Web Advocate-at-Large
>>>
>>> factoryjoe.com # diso-project.org
>>> citizenagency.com # vidoop.com
>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>
>>
>
>
> --
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
>

More information about the general mailing list