<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7653.38">
<TITLE>RE: [OpenID] TransparencyCamp and OpenID (U)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><B><I><FONT COLOR="#008000" FACE="Arial">UNCLASSIFIED</FONT></I></B><I></I>
</P>
<P><FONT SIZE=2 FACE="Courier New">There is a sub-committee of the Federal CIO Council called the Identity, Credential and Access Management Subcommittee which is looking into this whole question as it applies to all Federal websites. Jim McCartney is heading up the group looking into this particular issue, and they already have OpenID on their radar screens to evaluate in the near term. I've copied both Jim McCartney and Mr. Paul Grant, who is one of the co-chairs of the subcommittee on this to let them know the OpenID community is interested in figuring out how it can best fit into the Identity Assurance Framework. I know they are meeting in the very near future, so perhaps they can be included in the mix, assuming Peter's group is different from this Federal-wide group.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Regarding Federal interest in OpenID, there definitely seems to be interest sprouting from a number of areas, not just the authentication issue. A number of folks seem interested in exploring its use further. The thought here is if you are already planning a trip out to the DC area, perhaps we can maximize your time spent by finding the right group to talk to you about some of the other possibilities as well. Issues include things like the following (and again, these are my write-ups, so if they are off base in terms of something OpenID can address, many apologies):</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> - Privacy Information Concerns: Because the new Transparency and Open Government directive in the works places significant emphasis on participation and collaboration across the Federal government, a concern expressed by some dealt with the fear that virtually every Federal server might need to contain some level of personally identifiable information. In practice, this would kill or slow down many website efforts due to the burden compliance with the Privacy Act causes. The goal from the website hosts' perspective is to completely eliminate unnecessary personally identifiable information that falls underneath the Privacy Act from their website (clearly many websites need this information for services and transactions), while still allowing transparency, participation, and collaboration.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> - Reducing the number of logins: If, as the Transparency and Open Government memo suggests, citizens are engaging in discussions, policy making, and requesting of services on Federal websites, they will need to have the ability to log on to each server. The concern is that unless we had something akin to a single sign-on to Federal sites, citizens might be forced to maintain usernames &amp; passwords to each site they access and participate in. This is different, incidentally, from saying all the Federal information about an individual would be stored in one place (this came up at the meeting</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New"> I didn’t have a chance to refute that).</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> - Providing a Higher level of integrated service for participating on Federal sites for those who want it: If you did have a single sign-on approach to all Federal websites, it would make sense that you could do something akin to what commercial portal sites do, by giving a “citizen control panel” that would display all their interactions across multiple Federal Websites.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> - Allow the Option to hide participation on Federal sites: As an opposite approach to the previous idea, many in the privacy community wanted the option to be able to participate on Federal sites (including discussions, requesting answers to questions, receiving emails and feeds of information, etc.) without having any personally identifiable information stored on the Federal site. Obviously this wouldn’t make sense in the case the websites had personally identifiable information already, such as IRS filings, or health records. But for a lot of the lower level participation options, the privacy community wanted to have the option of </FONT></P>
<P><FONT SIZE=2 FACE="Courier New"> - Validating Federal Employees on non-Federal sites: There is a concern that Federal employees, when participating on non-Federal websites, have no way of being validated as a Federal employee. There is a risk that if Federal employees are not participating on the various social networking and web 2.0 sites that someone else will assume their identity. This risk could become a validated threat in times of emergency, such as a forest fire, flood, or act of terrorism. </FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Again, I'm quite sure that others have put together thoughts on this as well. I certainly can't speak for any of the various Federal groups and committees looking into the component parts, but if you're coming out, perhaps it might be useful to have something akin to a set of OpenID discussions.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Best,</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Noel Dickover</FONT>
<BR><FONT SIZE=2 FACE="Courier New">DoD CIO, IT Investments and Commercial Policy Directorate Social Software and Emerging Technologies</FONT>
<BR><FONT SIZE=2 FACE="Courier New">703-601-4729x152</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Noel.Dickover.ctr@osd.mil</FONT>
<BR><A HREF="https://www.dodtechipedia.mil"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Courier New">https://www.dodtechipedia.mil</FONT></U></A><FONT SIZE=2 FACE="Courier New"> - Join the Fight!!!</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2 FACE="Courier New">-----Original Message-----</FONT>
<BR><FONT SIZE=2 FACE="Courier New">From: Peter Williams [</FONT><A HREF="mailto:pwilliams@rapattoni.com"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Courier New">mailto:pwilliams@rapattoni.com</FONT></U></A><FONT SIZE=2 FACE="Courier New">]</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Sent: Friday, March 13, 2009 4:29 PM</FONT>
<BR><FONT SIZE=2 FACE="Courier New">To: Brett McDowell; Chris Messina</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Cc: Silona Bonewald; Andrew Hoppin; Brian Behlendorf; Dickover, Noel, CTR, NII/DoD-CIO; OpenID List</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Subject: RE: [OpenID] TransparencyCamp and OpenID (U)</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">I'm about to have my call with these folks about co-hosting such a kick-off event (in Washington DC). What is this community's gut feel for timing? Is there an urgency here that would drive us to do this soon... like early April. Or do folks need more time to arrange travel, etc.?</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Before or after RSA (April 20th)?</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Before or after IIW (May 18)?</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Courier New">Brett McDowell | +1.413.652.1248 | </FONT><A HREF="http://info.brettmcdowell.com"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Courier New">http://info.brettmcdowell.com</FONT></U></A>
</P>
<P><FONT SIZE=2 FACE="Courier New">On Mar 13, 2009, at 2:04 AM, Chris Messina wrote:</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2 FACE="Courier New">On Thu, Mar 12, 2009 at 8:34 PM, Brett McDowell &lt;brett@projectliberty.org&lt;<A HREF="mailto:brett@projectliberty.org">mailto:brett@projectliberty.org</A>&gt;&gt; wrote:</FONT>
<BR><FONT SIZE=2 FACE="Courier New">...The Identity Assurance Framework looks at how any particular credential service can achieve LOA 1 through LOA 4. What we don't have is any analysis of what an OP could achieve with OpenID 2.0. Knowing this will provide a clear gap analysis of what we have vs. what we need. We can base our deliberations on these hard facts. I can only believe this will be more productive than... actually I don't see any alternative to this approach if we are serious about making progress.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Next Steps?</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">...I would be happy to talk with them about co-hosting a kick-off event to drill into this issue as it relates to OpenID specifically. I assume they will be interested. They, like I, would like to see citizens be able to use whatever private sector credentials they "already have" to access government applications. If those are OpenIDs, then let's make sure those OpenIDs are going to be acceptable to these federal Relying Parties (who knows, we might learn something that helps us win more RP adoption in other markets as well).</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Thoughts?</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">Sounds good to me! It would also be good to get in sync with a number of the existing OpenID-in-government conversations underway.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">We're not the first to bring this up or to consider the issues that exist for government to adopt OpenID; but, of course we have a great deal to add to that discussion and taking the approach as you described it sounds prudent.</FONT></P>
<P><FONT SIZE=2 FACE="Courier New">Chris</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">--</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Chris Messina</FONT>
<BR><FONT SIZE=2 FACE="Courier New">Citizen-Participant &amp;</FONT>
<BR><FONT SIZE=2 FACE="Courier New"> Open Web Advocate-at-Large</FONT>
</P>
<P><FONT SIZE=2 FACE="Courier New">factoryjoe.com&lt;<A HREF="http://factoryjoe.com">http://factoryjoe.com</A>&gt; # diso-project.org&lt;<A HREF="http://diso-project.org">http://diso-project.org</A>&gt;</FONT>
<BR><FONT SIZE=2 FACE="Courier New">citizenagency.com&lt;<A HREF="http://citizenagency.com">http://citizenagency.com</A>&gt; # vidoop.com&lt;<A HREF="http://vidoop.com">http://vidoop.com</A>&gt;</FONT>
<BR><FONT SIZE=2 FACE="Courier New">This email is: [ ] bloggable [X] ask first [ ] private</FONT>
</P>
<BR>
<BR>
</BODY>
</HTML>