[OpenID] Icam question at didw
John Bradley
ve7jtb at ve7jtb.com
Sat Sep 19 17:15:36 UTC 2009
It is probably best for someone from the Board to answer for their
intentions re pricing.
I can tell you that there is nothing in the Trust Provider Framework
Adoption process from the GSA that would intentionally stop Unions or
any other legal entity from applying to be a credential issuer for the
US Gov.
There are also quite likely to be more than one Trust Framework
Provider per protocol.
I believe Kantara is also applying to certify IdP for the openID as
well as SAML.
Almost anyone can apply to be a trust framework provider including NAR
if they want to.
Being a Trust Framework Provider is a large and expensive
undertaking, but is possible.
I expect that the OIDF will be the most economical way for those
organizations to get certified, but it is not their only option.
I suspect but don't know for certain that applicants won't need to be
members of the OIDF, some people may not be able to join for a number
of reasons.
John B.
On 2009-09-19, at 1:00 PM, Peter Williams wrote:
> To ensure I'm not presenting a unique use case, I've chatted about
> openid -> .gov with some other trade associations offline - those
> with mass memberships linked by the internet.
>
> These organizations typically have large value political action
> committees, focused on their preferred political party (or other
> funded groups). At the DIDW conference itself last week, one large
> labor union was able to proudly show off its own organizing power -
> at the grassroots level. One should assume that their membership
> would be proud to interface to government functions under their
> union's banner. (I don't recall which political party they associate
> with.)
>
> Is the OIDF trust scheme likely to be accommodating or hostile to
> such associations and unions (of which there are many examples, with
> a large variety of political affiliations)? These organizations are
> typically excellent at grassroots representation, and would
> presumably be excellent candidate IdPs under the OIDF trust scheme
> (since openid was originally about grass roots trust)?
>
> In scheme design, one should assume that a huge trade association
> like the National Association of Realtors (NAR) outsources its
> web2.0 portal to some or other competitive vendor, that it may
> change vendor in any given year, or the association may just build
> its own by mashing-up 5 service vendors. Technology aside, like
> unions one should assume a mature, working centralized membership
> system, may even have a proposed smartcard-capable identity card,
> has a security program for its local-office feeder sites, and has
> existing certification protocols for delegating registration and
> identity vetting to thousands of brick-and-mortar offices with
> accredited officials who typically know people by sight.
>
> Will there be any professional mandates? Must the application be
> prepared and prosecuted by a CISSP at minimum, or will it perhaps
> require a CPA to interact with a formal AICPA-grade "attestation",
> or ...?
>
> I assume that being audited under the trust scheme criteria does NOT
> require the applicant to be a member of the OIDF. This would add an
> annual cost burden in addition to internal audit costs and external
> fees to the OIDF's chosen audit firm.
>
> Finally, I would love NAR (with its incredible organizing power, and
> a long history of running internal security programs) to join the
> OIDF formally, and help round out the trust scheme for the benefit
> of itself and other associations. I've lobbied for that before; but,
> unfortunately, Peter is a powerless pleb. If we could make the case,
> I know that NAR is pro-openid, loves open source culture, and even
> has VC-money to invest in such strategic initiatives. A skilled
> networker would have an excellent opportunity to bridge what I cannot,
> and get them onboard in my view - with specific focus on the trust
> scheme.
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
> Sent: Wednesday, September 16, 2009 4:39 PM
> To: Peter Williams
> Cc: openid General
> Subject: Re: [OpenID] Icam question at didw
>
> You raise good points.
>
> We are looking at ways that people's existing auditors may be able to
> perform the function to keep costs down.
>
> Certainly the OIDF is not looking at this to be a money maker. But it
> also has little money.
>
> I think you should take your use case to the certification committee
> of the board who are looking at those issues.
>
> John B.
> On 2009-09-16, at 7:30 PM, Peter Williams wrote:
>
>> I think it would be useful to justify the cost for small, medium and
>> large firms.
>>
>> Small means a firm with ~50 associates/employees. In realty, this is
>> a typical independent brokerage. There are 2 or 3 in the average size
>> city. Annual revenue may be 10m (revenue, not transaction value). The
>> trust network from that office accumulates year over year and will
>> typically be 10-20k "active" consumers in that local market.
>>
>> Medium size is ~250 associates in several offices across town, and
>> is probably part of a national franchise. Revenues per office will be
>> 60-100m, but probably audit costs can be partially shared across the
>> franchise. A large franchise will manage 10m identities, nationally.
>>
>> Then there are the existing governance structures who in aggregate
>> are "big companies", with major budgets, and for whom $500k on it
>> audits is normal and is par for the course (providing controls and
>> tests from related audits (eg pci) can be reapplied). But if the audit
>> tests the 800 leaves of the aggregation space (since realty operates
>> like dod with "local" registration authorities) then 800 * 500k is
>> just not sustainable. 800 * 200k a year essentially becomes a privacy
>> tax...
>>
>>
>>
>> On Sep 16, 2009, at 4:03 PM, "John Bradley" <ve7jtb at ve7jtb.com>
>> wrote:
>>
>>> I can say that the OIDF shares the concern of keeping costs down for
>>> small IdP.
>>> That is why they are directly engaged in the process.
>>>
>>> The goal is to get everyone who can meet the certification
>>> requirements certified.
>>>
>>> The foundation doesn't have the financial resources to make that
>>> free however.
>>>
>>> If the membership has strong feelings about pricing models please
>>> share them with the board.
>>>
>>> Nothing has been finalized yet.
>>>
>>> John B.
>>>
>>> On 2009-09-16, at 6:12 PM, Peter Williams wrote:
>>>
>>>>
>>>> Here is the question I was going to ask the panel about trust
>>>> frameworks for open govt (at Digital ID World conference, Las
>>>> Vegas, today).
>>>>
>>>> (there was no time left for nobodies like me.)
>>>>
>>>> We know from the ssl world that even basic assurance audits cost
>>>> about 500,000$ the first year, and 200,000$ thereafter. How will
>>>> the program ensure that the very financial obligations do not
>>>> eliminate small and medium size companies from the new identity
>>>> economy?
>>>>
>>>> If required, I was prepared to get specific, saying that our
>>>> industry of many SME companies has very high quality, very up to
>>>> date attribute info on about 100 million consumers. But it's not
>>>> obvious we can afford to play.
>>>>