[OpenID] Icam question at didw
John Bradley
ve7jtb at ve7jtb.com
Sat Sep 19 21:16:08 UTC 2009
InCommon http://www.incommonfederation.org/ has a model that has been
accepted by the GSA for their existing cross-federation.
That has been one of the main inputs to our approach.
The joint OIDF and ICF white-paper on open trust frameworks is also
informative.
It is still a work in progress though.
http://openid.net/government/
The ICF has a FAQ pointing to a bunch of the relevant docs as well
http://informationcard.net/faqs/open-identity-initiative
This may be a major turning point in our community/industry.
People should pay attention to what is going on.
Thanks for your interest Peter.
John B.
On 2009-09-19, at 4:57 PM, Peter Williams wrote:
> Will there be any criteria on the acceptable audit firms?
>
> Can anyone claim to be a [security/IT] auditor, or are there
> minimum professional requirements (the report must be signed by a CPA,
> for example)?
>
> Is the choice of firm subject to some third party acceptance (post
> report/expense)?
>
> Will there be a register of authorized audit practitioners?
>
> Is the US federal govt the final decision maker, post hoc? Or is the
> OIDF's acceptance the _final_ determination?
>
> If these questions are too hard at this early "design" stage, perhaps
> folks could alternatively identify a well-known scheme which is
> generally aligned with the philosophy OIDF is aiming for? Here are a
> few examples, none of which may be applicable.
>
>
> 1. Folks are perfectly happy with how Mozilla runs its root
> registration authority. It's a good model.
>
> 2. Folks would want assurance documentation and a testing
> methodology equal to or better than WebTrust for CAs.
>
> 3. BS7799 is a minimum baseline for criteria. All topic areas are
> mandatory.
>
> 4. A quick and dirty 2-day evaluation by McAfee of your corporate
> posture scoring 7 out of 10 or better + a continuous penetration
> test on the outside network by a web scanning company is quite
> sufficient.
>
> 5. A company without ITIL certification (or equivalent) really
> should not be looking at even trying.
>
> 6. It's quite enough to be a Google-for-domains subscriber... as one
> inherits Google's own audit result...
>
> 7. If you are in good standing with VeriSign to operate VeriSign
> class 3 SSL server cert, that's more than adequate for OIDF.
>
> 8. If the IdP system is within the PCI boundary and a VISA acquirer
> has accepted one's PCI claims and evidence, one is below the minimum
> requirements ..but one is getting pretty close.
>
> 9. If you cannot afford the insurance to assume a formal financial
> responsibility level of $100 per subscriber, get out of the way.
>
>
>
> -----Original Message-----
> From: Don Thibeau [mailto:don at oidf.org]
> Sent: Saturday, September 19, 2009 10:53 AM
> To: John Bradley; Peter Williams
> Cc: general @ OpenID.com
> Subject: Re: [OpenID] Icam question at didw
>
> John has accurately characterized our plans below.
>
> Membership in the OpenID Foundation will not be required.
> Membership in the OIDF will likely provide some benefits but the
> OIDF Board has not yet finalized operational details.
> We continue to collaborate with InCommon, the Information Card
> Foundation and others to provide a community-wide approach that
> shares common values.
>
> The pilot phase is a test of both technology and trust framework
> adoption and continues our close work with the GSA ICAM.
>
> The objective is to cover costs and take an "open market" approach,
> e.g. leaving the choice of auditor to those who wish to be
> certified.
>
> The Board has, from the beginning, set three goals: to promote
> self-certification, maintain low costs and overhead, and ensure
> credibility. All this is in support of the Foundation's primary
> mission to protect OpenID IPR and promote adoption.
>
> We are planning discussions of these and other related topics at the
> TAO of Identity and other OIDF-sponsored conferences like IIW.
>
>
> Don Thibeau
>
> -----Original Message-----
> From: John Bradley <ve7jtb at ve7jtb.com>
>
> Date: Sat, 19 Sep 2009 13:15:36
> To: Peter Williams<pwilliams at rapattoni.com>
> Cc: openid General<general at openid.net>
> Subject: Re: [OpenID] Icam question at didw
>
>
> It is probably best for someone from the Board to answer for their
> intentions re pricing.
>
> I can tell you that there is nothing in the Trust Provider Framework
> Adoption process from the GSA that would intentionally stop Unions or
> any other legal entity from applying to be a credential issuer for the
> US Gov.
>
> There are also quite likely to be more than one Trust Framework
> Provider per protocol.
>
> I believe Kantara is also applying to certify IdPs for OpenID as
> well as SAML.
>
> Almost anyone can apply to be a trust framework provider including NAR
> if they want to.
>
> Being a Trust Framework Provider is a large and expensive
> undertaking, but is possible.
>
> I expect that the OIDF will be the most economical way for those
> organizations to get certified, but it is not their only option.
>
> I suspect but don't know for certain that applicants won't need to be
> members of the OIDF, some people may not be able to join for a number
> of reasons.
>
> John B.
>
> On 2009-09-19, at 1:00 PM, Peter Williams wrote:
>
>> To ensure I'm not presenting a unique use case, I've chatted about
>> openid -> .gov with some other trade associations offline - those
>> with mass memberships linked by the internet.
>>
>> These organizations typically have large value political action
>> committees, focused on their preferred political party (or other
>> funded groups). At the DIDW conference itself last week, one large
>> labor union was able to proudly show off its own organizing power -
>> at the grassroots level. One should assume that their membership
>> would be proud to interface to government functions under their
>> union's banner. (I don't recall which political party they associate
>> with.)
>>
>> Is the OIDF trust scheme likely to be accommodating or hostile to
>> such associations and unions (of which there are many examples, with
>> a large variety of political affiliations)? These organizations are
>> typically excellent at grassroots representation, and would
>> presumably be excellent candidate IdPs under the OIDF trust scheme
>> (since openid was originally about grass roots trust)?
>>
>> In scheme design, one should assume that a huge trade association
>> like the National Association of Realtors (NAR) outsources its
>> web2.0 portal to some or other competitive vendor, that it may
>> change vendor in any given year, or the association may just build
>> its own by mashing up 5 service vendors. Technology aside, one
>> should assume that, like a union, it has a mature, working
>> centralized membership system, may even have a proposed
>> smartcard-capable identity card, has a security program for its
>> local-office feeder sites, and has existing certification protocols
>> for delegating registration and identity vetting to thousands of
>> brick-and-mortar offices with accredited officials who typically
>> know people by sight.
>>
>> Will there be any professional mandates? Must the application be
>> prepared and prosecuted by a CISSP at minimum, or will it perhaps
>> require a CPA to interact with a formal AICPA-grade "attestation",
>> or ...?
>>
>> I assume that being audited under the trust scheme criteria does NOT
>> require the applicant to be a member of the OIDF. This would add an
>> annual cost burden in addition to internal audit costs and external
>> fees to the OIDF's chosen audit firm.
>>
>> Finally, I would love NAR (with its incredible organizing power, and
>> a long history of running internal security programs) to join the
>> OIDF formally, and help round out the trust scheme for the benefit
>> of itself and other associations. I've lobbied for that before; but,
>> unfortunately, Peter is a powerless pleb. If we could make the case,
>> I know that NAR is pro-openid, loves open source culture, and even
>> has VC-money to invest in such strategic initiatives. A skilled
>> networker would have an excellent opportunity to bridge what I cannot,
>> and get them onboard in my view - with specific focus on the trust
>> scheme.
>>
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
>> Sent: Wednesday, September 16, 2009 4:39 PM
>> To: Peter Williams
>> Cc: openid General
>> Subject: Re: [OpenID] Icam question at didw
>>
>> You raise good points.
>>
>> We are looking at ways that people's existing auditors may be able to
>> perform the function to keep costs down.
>>
>> Certainly the OIDF is not looking at this to be a money maker. But it
>> also has little money.
>>
>> I think you should take your use case to the certification committee
>> of the board who are looking at those issues.
>>
>> John B.
>> On 2009-09-16, at 7:30 PM, Peter Williams wrote:
>>
>>> I think it would be useful to justify the cost for small, medium and
>>> large firms.
>>>
>>> Small means a firm with ~50 associates/employees. In realty, this is
>>> a typical independent brokerage. There are 2 or 3 in the average-size
>>> city. Annual revenue may be 10m (revenue, not transaction value). The
>>> trust network from that office accumulates year over year and will
>>> typically be 10-20k "active" consumers in that local market.
>>>
>>> Medium size is ~250 associates in several offices across town, and
>>> is probably part of a national franchise. Revenues per office will be
>>> 60-100m, but probably audit costs can be partially shared across the
>>> franchise. A large franchise will manage 10m identities, nationally.
>>>
>>> Then there are the existing governance structures who in aggregate are
>>> "big companies", with major budgets, and for whom $500k on IT audits
>>> is normal and is par for the course (providing controls and tests from
>>> related audits (e.g. PCI) can be reapplied). But if the audit tests the
>>> 800 leaves of the aggregation space (since realty operates like DoD
>>> with "local" registration authorities) then 800 * 500k is just not
>>> sustainable. 800 * 200k a year essentially becomes a privacy tax...
>>>
>>>
>>>
>>> On Sep 16, 2009, at 4:03 PM, "John Bradley" <ve7jtb at ve7jtb.com>
>>> wrote:
>>>
>>>> I can say that the OIDF shares the concern of keeping costs down for
>>>> small IdPs.
>>>> That is why they are directly engaged in the process.
>>>>
>>>> The goal is to get everyone who can meet the certification
>>>> requirements certified.
>>>>
>>>> The foundation doesn't have the financial resources to make that free
>>>> however.
>>>>
>>>> If the membership has strong feelings about pricing models please
>>>> share them with the board.
>>>>
>>>> Nothing has been finalized yet.
>>>>
>>>> John B.
>>>>
>>>> On 2009-09-16, at 6:12 PM, Peter Williams wrote:
>>>>
>>>>>
>>>>> Here is the question I was going to ask the panel about trust
>>>>> frameworks for open govt (at the Digital ID World conference, Las
>>>>> Vegas, today).
>>>>>
>>>>> (there was no time left for nobodies like me.)
>>>>>
>>>>> We know from the SSL world that even basic assurance audits cost about
>>>>> $500,000 the first year, and $200,000 thereafter. How will the program
>>>>> ensure that the very financial obligations do not eliminate small and
>>>>> medium size companies from the new identity economy?
>>>>>
>>>>> If required, I was prepared to get specific, saying that our industry
>>>>> of many SME companies has very high quality, very up to date attribute
>>>>> info on about 100 million consumers. But it's not obvious we can
>>>>> afford to play.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> general mailing list
>>>>> general at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>>
>>
>