[OpenID] Icam question at didw
Peter Williams
pwilliams at rapattoni.com
Sat Sep 19 20:57:47 UTC 2009
Will there be any criteria on the acceptable audit firms?
Can anyone claim to be an [security/IT] auditor, or are there minimum professional requirements (report must be signed by a CPA, for example).
Is the choice of firm subject to some third party acceptance (post report/expense)?
Will there be a register of authorized audit practitioners?
Is the US federal govt the final decision maker, post hoc? Or is the OIDF's acceptance the _final_ determination?
If these question are too hard at this early "design" stage, perhaps folks could alternatively identify a well-known scheme which is generally aligned with the philosophy OIDF is aiming for? Here are few examples, none of which may be applicable.
1. Folks are perfectly happy with how Mozilla runs its root registration authority.Its a good model.
2. Folks would want a assurance documentation and testing methodology equal to or better than WebTrust for CAs.
3. BS7799 is a minimum baseline for criteria. All topic areas are mandatory.
4. A quick and dirty 2 day evaluation by McAffee of your corporate posture scoring 7 out of 10 or better + a continuous penetration test on the outside network by a web scanning company is quite sufficient.
5. A company without ITIL-certification (or equivalent) really should not be looking at even trying
6. its quite enough to be a Google-for-domains subscribers... as one inherits Google's own audit result...
7. If you are in good standing with VeriSign to operate VeriSign class 3 SSL server cert, that's more than adequate for OIDF.
8. If the IdP system is within the PCI boundary and a VISA acquirer has accepted one's PCI claims and evidence, one is below the minimum requirements ..but one is getting pretty close.
9 if you cannot afford the insurance to assume a formal financial responsiblity level of $100 per subscriber, get out of the way.
-----Original Message-----
From: Don Thibeau [mailto:don at oidf.org]
Sent: Saturday, September 19, 2009 10:53 AM
To: John Bradley; Peter Williams
Cc: general @ OpenID.com
Subject: Re: [OpenID] Icam question at didw
John has accurately characterized our plans below.
Membership in the OpenID Foundation will be not be required.
Membership in the OIDF will likely provide some benefits but the OIDF Board has not yet finalized operational details.
We continue to collaborate with InCommon. the Information Card Foundation and others to provide a community wide approach that shares common values.
The pilot phase is a test of both technology and trust framework adoption and continues our close work with the GSA ICAM.
The objective is to cover costs and take an "open market" approach e.g. leaving the choice of auditor to the those who wish to be certified.
The Board, has from the beginning, set three goals, to promote self certification, maintain low costs and overhead and ensure credibility. All this is in support of the Foundation's primary mission to protect OpenID IPR and promote adoption.
We are planning discussions of these and other related topics at the TAO of Identity and other OIDF sponsored conferences like IIW
Don Thibeau
-----Original Message-----
From: John Bradley <ve7jtb at ve7jtb.com>
Date: Sat, 19 Sep 2009 13:15:36
To: Peter Williams<pwilliams at rapattoni.com>
Cc: openid General<general at openid.net>
Subject: Re: [OpenID] Icam question at didw
It is probably best for someone from the Board to answer for there
intentions re pricing.
I can tell you that there is nothing in the Trust Provider Framework
Adoption process from the GSA that would intentionally stop Unions or
any other legal entity from applying to be a credential issuer for the
US Gov.
There are also quite likely to be more than one Trust Framework
Provider per protocol.
I believe Kantara is also applying to certify IdP for the openID as
well as SAML.
Almost anyone can apply to be a trust framework provider including NAR
if they want to.
Being a Trust Framework Provider is a large and expensive
undertaking, but is possible.
I expect that the OIDF will be the most economical way for those
organizations to get certified, but it is not there only option.
I suspect but don't know for certain that applicants won't need to be
members of the OIDF, some people may not be able to join for a number
of reasons.
John B.
On 2009-09-19, at 1:00 PM, Peter Williams wrote:
> To ensure I'm not presenting a unique use case, I've chatted about
> openid -> .gov with some other trade associations offline - those
> with mass memberships linked by the internet.
>
> These organizations typically have large value political action
> committees, focused on their preferred political party (or other
> funded groups). At the DIDW conference itself last week , one large
> labor union was able to proudly show off its own organizing power -
> at the grassroots level. One should assume that their membership
> would be proud to interface to government functions under their
> union's banner. (I don't recall which political party they associate
> with.)
>
> Is the OIDF trust scheme likely to be accommodating or hostile to
> such associations and unions (of which there are many examples, with
> a large variety of political affiliations)? These organizations are
> typically excellent at grassroots representation, and would
> presumably be excellent candidate IdPs under the OIDF trust scheme
> (since openid was originally about grass roots trust)?
>
> In scheme design, one should assume that a huge trade association
> like the National Association of Realtors (NAR) outsources its
> web2.0 portal to some or other competitive vendor, that it may
> change vendor in any given year, or the association may just build
> its own by mashing-up 5 service vendors. Technology aside, like
> unions one should assume a mature, working centralized membership
> system, may even have a proposed smartcard-capable identity card,
> has a security program for its local-office feeder sites, and has
> existing certification protocols for delegating registration and
> identity vetting to thousands of brick-and-mortar offices with
> accredited officials who typically know people by sight.
>
> Will there be any professional mandates? Must the application be
> prepared and prosecuted by a CISSP at minimum, or will it perhaps
> require a CPA to interact with a formal AICPA-grade "attestation",
> or ...?
>
> I assume that being audited under the trust scheme criteria does NOT
> require the applicant to be a member of the OIDF. This would add an
> annual cost burden in addition to internal audit costs and external
> fees to the OIDF's chosen audit firm.
>
> Finally, I would love NAR (with its incredible organizing power, and
> a long history of running internal security programs) to join the
> OIDF formally, and help round out the trust scheme for the benefit
> of itself and other associations. I've lobbied for that before; but,
> unfortunately, Peter is a powerless pleb. If we could make the case,
> I know that NAR is pro-openid, loves open source culture, and even
> has VC-money to invest in such strategic initiatives. A skilled
> networker would an excellent opportunity to bridge what I cannot,
> and get them onboard in my view - with specific focus on the trust
> scheme.
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
> Sent: Wednesday, September 16, 2009 4:39 PM
> To: Peter Williams
> Cc: openid General
> Subject: Re: [OpenID] Icam question at didw
>
> You raise good points.
>
> We are looking at ways that peoples existing auditors may be able to
> perform the function to keep costs down.
>
> Certainly the OIDF is not looking at this to be a money maker. But it
> also has little money.
>
> I think you should take your use case to the certification committee
> of the board who are looking at those issues.
>
> John B.
> On 2009-09-16, at 7:30 PM, Peter Williams wrote:
>
>> I think it would be useful to justify the cost for small, medium and
>> large firms.
>>
>> Small means a firm with ~50 associates/employees. In realty, this
>> as a
>> typical independent brokerage. There are 2 or 3 in the averge size
>> city. Annual revenue may be 10m (revenue, not transaction value). The
>> trust network from that office accumulates year over year and will be
>> typically be 10-20k "active" consumers in that local market.
>>
>> Medium size is ~250 associates in a several offices across town, and
>> is probably part of a national franchise. Revenues per office will be
>> 60-100m, but probably audit costs can be partially shared across the
>> franchise. A large franchise will manage 10m identities, nationally.
>>
>> Then there are the existing governance structures who in aggregate
>> are
>> "big companies", with major budgets, and for whom $500k on it audits
>> is normal and is par for the course (providing controls and tests
>> from
>> related audits (eg pci) can be reapplied). But if the audit tests the
>> 800 leaves of the aggregation space (since realty operates like dod
>> with "local" registration authorities) then 800 * 500k is just not
>> sustainable. 800 * 200k a year essentially becomes a privacy tax...
>>
>>
>>
>> On Sep 16, 2009, at 4:03 PM, "John Bradley" <ve7jtb at ve7jtb.com>
>> wrote:
>>
>>> I can say that the OIDF shares the concern of keeping costs down for
>>> small IdP.
>>> That is why they are directly engaged in the process.
>>>
>>> The goal is to get everyone who can meet the certification
>>> requirements certified.
>>>
>>> The foundation doesn't have the financial resources to make that
>>> free
>>> however.
>>>
>>> If the membership has strong feelings about pricing models please
>>> share them with the board.
>>>
>>> Nothing has been finalized yet.
>>>
>>> John B.
>>>
>>> On 2009-09-16, at 6:12 PM, Peter Williams wrote:
>>>
>>>>
>>>> Here is the question I was going to ask the panel about trust
>>>> frameworks for open govt ( at digital ID world conference, las
>>>> Vegas,
>>>> today).
>>>>
>>>> (there was no time left for nobodies like me.)
>>>>
>>>> We know from the ssl world that even basic assurance audits cost
>>>> about
>>>> 500,000$ the first year, and 200,000$ thereafter. How will the
>>>> program
>>>> ensure that the very financial obligations do not eliminate small
>>>> and
>>>> medium size companies from the new identity economy?
>>>>
>>>> If required, I was prepared to get specific, saying that our
>>>> industry
>>>> of many SME companies has very high quality, very up to date
>>>> attribute
>>>> info on about 100 million consumers. But it's not obvious we can
>>>> afford to play.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>
More information about the general
mailing list