[OpenID] TransparencyCamp and OpenID (U)

Dickover, Noel, CTR, NII/DoD-CIO Noel.Dickover.ctr at osd.mil
Mon Mar 16 13:53:18 UTC 2009


UNCLASSIFIED

There is a sub-committee of the Federal CIO Council called the Identity,
Credential and Access Management Subcommittee which is looking into this
whole question as it applies to all Federal websites.  Jim McCartney is
heading up the group looking into this particular issue, and they
already have OpenID on their radar screens to evaluate in the near term.
I've copied both Jim McCartney and Mr. Paul Grant, who is one of the
co-chairs of the subcommittee on this to let them know the OpenID
community is interested in figuring out how it can best fit into the
Identity Assurance Framework. I know they are meeting in the very near
future, so perhaps they can be included in the mix, assuming Peter's
group is different from this Federal-wide group.

Regarding Federal interest in OpenID, there definitely seems to be
interest sprouting from a number of areas, not just the authentication
issue.  A number of folks seem interested in exploring its use further.
The thought here is if you are already planning a trip out to the DC
area, perhaps we can maximize your time spent by finding the right group
to talk to you about some of the other possibilities as well.  Issues
include things like the following (and again, these are my write-ups, so
if they are off base in terms of something OpenID can address, many
apologies):

 - Privacy Information Concerns: Because the new Transparency and Open
Government directive in the works places significant emphasis on
participation and collaboration across the Federal government, a concern
expressed by some dealt with the fear that virtually every Federal
server might need to contain some level of personally identifiable
information.  In practice, this would kill or slow down many website
efforts due to the burden compliance with the Privacy Act causes.  The
goal from the web site hosts' perspective is to completely eliminate
unnecessary personally identifiable information that falls underneath
the Privacy Act from their website (clearly many websites need this
information for services and transactions), while still allowing
transparency, participation, and collaboration.

 - Reducing the number of logins: If, as the Transparency and Open
Government memo suggests, citizens are engaging in discussions,
policy making, and requesting of services on Federal websites, they will
need to have the ability to log on to each server.  The concern is that
unless we had something akin to a single sign-on to Federal sites,
citizens might be forced to maintain usernames & passwords to each site
they access and participate in.  This is different, incidentally, from
saying all the Federal information about an individual would be stored
in one place (this came up at the meeting - I didn't have a chance to
refute that).

 - Providing a Higher level of integrated service for participating on
Federal sites for those who want it: If you did have a single sign-on
approach to all Federal websites, it would make sense that you could do
something akin to what commercial portal sites do, by giving a
"citizen control panel" that would display all their interactions across
multiple Federal Websites.

 - Allow the Option to hide participation on Federal sites:  As an
opposite approach to the previous idea, many in the privacy community
wanted the option to be able to participate on Federal sites (including
discussions, requesting answers to questions, receiving emails and feeds
of information, etc.) without having any personally identifiable
information stored on the Federal site.  Obviously this wouldn't make
sense in the case the websites had personally identifiable information
already, such as IRS filings, or health records.  But for a lot of the
lower level participation options, the privacy community wanted to have
the option of 

 - Validating Federal Employees on non-Federal sites: There is a concern
that Federal employees, when participating on non-Federal websites, have
no way of being validated as a Federal employee.   There is a risk that
if Federal employees are not participating on the various social
networking and web 2.0 sites that someone else will assume their
identity.  This risk could become a validated threat in times of
emergency, such as a forest fire, flood, or act of terrorism.  

Again, I'm quite sure that others have put together thoughts on this as
well.  I certainly can't speak for any of the various Federal groups and
committees looking into the component parts, but if you're coming out,
perhaps it might be useful to have something akin to a set of OpenID
discussions.

Best,

Noel Dickover
DoD CIO, IT Investments and Commercial Policy Directorate Social
Software and Emerging Technologies
703-601-4729x152
Noel.Dickover.ctr at osd.mil
https://www.dodtechipedia.mil - Join the Fight!!!
 



-----Original Message-----
From: Peter Williams [mailto:pwilliams at rapattoni.com]
Sent: Friday, March 13, 2009 4:29 PM
To: Brett McDowell; Chris Messina
Cc: Silona Bonewald; Andrew Hoppin; Brian Behlendorf; Dickover, Noel,
CTR, NII/DoD-CIO; OpenID List
Subject: RE: [OpenID] TransparencyCamp and OpenID (U)

I'm about to have my call with these folks about co-hosting such a
kick-off event (in Washington DC).  What is this community's gut feel
for timing?  Is there an urgency here that would drive us to do this
soon... like early April.  Or do folks need more time to arrange travel,
etc.?

Before or after RSA (April 20th)?

Before or after IIW (May 18)?


Brett McDowell | +1.413.652.1248 | http://info.brettmcdowell.com

On Mar 13, 2009, at 2:04 AM, Chris Messina wrote:



On Thu, Mar 12, 2009 at 8:34 PM, Brett McDowell
<brett at projectliberty.org> wrote:
...The Identity Assurance Framework looks at how any particular
credential service can achieve LOA 1 through LOA 4.  What we don't have
is any analysis of what an OP could achieve with OpenID 2.0.  Knowing
this will provide a clear gap analysis of what we have vs. what we need.
We can base our deliberations on these hard facts.  I can only believe
this will be more productive than... actually I don't see any
alternative to this approach if we are serious about making progress.

Next Steps?

...I would be happy to talk with them about co-hosting a kick-off event
to drill into this issue as it relates to OpenID specifically.   I
assume they will be interested.  They, like I, would like to see
citizens be able to use whatever private sector credentials they
"already have" to access government applications.  If those are
OpenIDs, then let's make sure those OpenIDs are going to be acceptable
to these federal Relying Parties (who knows, we might learn something
that helps us win more RP adoption in other markets as well).

Thoughts?

Sounds good to me! It would also be good to get in sync with a number of
the existing OpenID-in-government conversations underway.

We're not the first to bring this up or to consider the issues that
exist for government to adopt OpenID; but, of course we have a great
deal to add to that discussion and taking the approach as you described
it sounds prudent.

Chris

--
Chris Messina
Citizen-Participant &
 Open Web Advocate-at-Large

http://factoryjoe.com # http://diso-project.org
http://citizenagency.com # http://vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private


