[OpenID] Icam question at didw
Peter Williams
pwilliams at rapattoni.com
Sat Sep 19 18:20:46 UTC 2009
I know both the community and corporate board is overly-stuffed with technology type personalities. Folks might want to recognize that the typical customer of the provider of a standard audit is likely to choose the scheme "provider" (for openid protocol) that is aligned with its wider membership interests and sensibilities.
The foundation needs to present itself as 'in business' - and market to those credential-providing firms whose interests OIDF would more widely embody - that Kantara may not. Obviously, the foundation needs its operating costs covered, and requiring membership is not out of the question. This whole matter just requires an outline of cost structures, so budgets (typically made 1-2 years) ahead of time can be arranged. One may need an associate-corporate membership class for example, for firms that want the C&A service but cannot afford the membership cost on the current formula (given they have such large internal membership themselves).
I'd guess, if a trade-association like NAR has a choice and the desire to act at this point, it would much prefer OIDF to Kantara - not that I know one way or the other (to be fair to Kantara). Assuming all things otherwise equivalent, it's going to come down to alignment of organizational missions. If OIDF can take its grassroots experience within the identity community and become the brand with which the other (non-identity) grassroots organizations feel comfortable, it's got an excellent change of carving out a large share of the C&A-based funding.
This is making me feel like joining as an individual member, now; that IPR issue notwithstanding. I think we can even the $$ playing field a bit in the delivery of a C&A program, simply by leveraging all the C&A methods the SSL community has developed over 15 years - and placed into the public domain. This would be a good area to get the newer members of the CISSP community excited over, too. There are 30,000 of them to call on, and 5000 of new to the industry with no affiliation to speak of. If just 1% of that community were to find themselves OIDF-aligned as individuals, that's a good start in C&A skills baselining. One only needs then to associate with 5-10 CISSPs with the higher training in formal govt C&A. With that, the OIDF resume would match anything anyone else has to offer.
-----Original Message-----
From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Saturday, September 19, 2009 10:16 AM
To: Peter Williams
Cc: openid General
Subject: Re: [OpenID] Icam question at didw
It is probably best for someone from the Board to answer for there
intentions re pricing.
I can tell you that there is nothing in the Trust Provider Framework
Adoption process from the GSA that would intentionally stop Unions or
any other legal entity from applying to be a credential issuer for the
US Gov.
There are also quite likely to be more than one Trust Framework
Provider per protocol.
I believe Kantara is also applying to certify IdP for the openID as
well as SAML.
Almost anyone can apply to be a trust framework provider including NAR
if they want to.
Being a Trust Framework Provider is a large and expensive
undertaking, but is possible.
I expect that the OIDF will be the most economical way for those
organizations to get certified, but it is not there only option.
I suspect but don't know for certain that applicants won't need to be
members of the OIDF, some people may not be able to join for a number
of reasons.
John B.
On 2009-09-19, at 1:00 PM, Peter Williams wrote:
> To ensure I'm not presenting a unique use case, I've chatted about
> openid -> .gov with some other trade associations offline - those
> with mass memberships linked by the internet.
>
> These organizations typically have large value political action
> committees, focused on their preferred political party (or other
> funded groups). At the DIDW conference itself last week , one large
> labor union was able to proudly show off its own organizing power -
> at the grassroots level. One should assume that their membership
> would be proud to interface to government functions under their
> union's banner. (I don't recall which political party they associate
> with.)
>
> Is the OIDF trust scheme likely to be accommodating or hostile to
> such associations and unions (of which there are many examples, with
> a large variety of political affiliations)? These organizations are
> typically excellent at grassroots representation, and would
> presumably be excellent candidate IdPs under the OIDF trust scheme
> (since openid was originally about grass roots trust)?
>
> In scheme design, one should assume that a huge trade association
> like the National Association of Realtors (NAR) outsources its
> web2.0 portal to some or other competitive vendor, that it may
> change vendor in any given year, or the association may just build
> its own by mashing-up 5 service vendors. Technology aside, like
> unions one should assume a mature, working centralized membership
> system, may even have a proposed smartcard-capable identity card,
> has a security program for its local-office feeder sites, and has
> existing certification protocols for delegating registration and
> identity vetting to thousands of brick-and-mortar offices with
> accredited officials who typically know people by sight.
>
> Will there be any professional mandates? Must the application be
> prepared and prosecuted by a CISSP at minimum, or will it perhaps
> require a CPA to interact with a formal AICPA-grade "attestation",
> or ...?
>
> I assume that being audited under the trust scheme criteria does NOT
> require the applicant to be a member of the OIDF. This would add an
> annual cost burden in addition to internal audit costs and external
> fees to the OIDF's chosen audit firm.
>
> Finally, I would love NAR (with its incredible organizing power, and
> a long history of running internal security programs) to join the
> OIDF formally, and help round out the trust scheme for the benefit
> of itself and other associations. I've lobbied for that before; but,
> unfortunately, Peter is a powerless pleb. If we could make the case,
> I know that NAR is pro-openid, loves open source culture, and even
> has VC-money to invest in such strategic initiatives. A skilled
> networker would an excellent opportunity to bridge what I cannot,
> and get them onboard in my view - with specific focus on the trust
> scheme.
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
> Sent: Wednesday, September 16, 2009 4:39 PM
> To: Peter Williams
> Cc: openid General
> Subject: Re: [OpenID] Icam question at didw
>
> You raise good points.
>
> We are looking at ways that peoples existing auditors may be able to
> perform the function to keep costs down.
>
> Certainly the OIDF is not looking at this to be a money maker. But it
> also has little money.
>
> I think you should take your use case to the certification committee
> of the board who are looking at those issues.
>
> John B.
> On 2009-09-16, at 7:30 PM, Peter Williams wrote:
>
>> I think it would be useful to justify the cost for small, medium and
>> large firms.
>>
>> Small means a firm with ~50 associates/employees. In realty, this
>> as a
>> typical independent brokerage. There are 2 or 3 in the averge size
>> city. Annual revenue may be 10m (revenue, not transaction value). The
>> trust network from that office accumulates year over year and will be
>> typically be 10-20k "active" consumers in that local market.
>>
>> Medium size is ~250 associates in a several offices across town, and
>> is probably part of a national franchise. Revenues per office will be
>> 60-100m, but probably audit costs can be partially shared across the
>> franchise. A large franchise will manage 10m identities, nationally.
>>
>> Then there are the existing governance structures who in aggregate
>> are
>> "big companies", with major budgets, and for whom $500k on it audits
>> is normal and is par for the course (providing controls and tests
>> from
>> related audits (eg pci) can be reapplied). But if the audit tests the
>> 800 leaves of the aggregation space (since realty operates like dod
>> with "local" registration authorities) then 800 * 500k is just not
>> sustainable. 800 * 200k a year essentially becomes a privacy tax...
>>
>>
>>
>> On Sep 16, 2009, at 4:03 PM, "John Bradley" <ve7jtb at ve7jtb.com>
>> wrote:
>>
>>> I can say that the OIDF shares the concern of keeping costs down for
>>> small IdP.
>>> That is why they are directly engaged in the process.
>>>
>>> The goal is to get everyone who can meet the certification
>>> requirements certified.
>>>
>>> The foundation doesn't have the financial resources to make that
>>> free
>>> however.
>>>
>>> If the membership has strong feelings about pricing models please
>>> share them with the board.
>>>
>>> Nothing has been finalized yet.
>>>
>>> John B.
>>>
>>> On 2009-09-16, at 6:12 PM, Peter Williams wrote:
>>>
>>>>
>>>> Here is the question I was going to ask the panel about trust
>>>> frameworks for open govt ( at digital ID world conference, las
>>>> Vegas,
>>>> today).
>>>>
>>>> (there was no time left for nobodies like me.)
>>>>
>>>> We know from the ssl world that even basic assurance audits cost
>>>> about
>>>> 500,000$ the first year, and 200,000$ thereafter. How will the
>>>> program
>>>> ensure that the very financial obligations do not eliminate small
>>>> and
>>>> medium size companies from the new identity economy?
>>>>
>>>> If required, I was prepared to get specific, saying that our
>>>> industry
>>>> of many SME companies has very high quality, very up to date
>>>> attribute
>>>> info on about 100 million consumers. But it's not obvious we can
>>>> afford to play.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>
More information about the general
mailing list