Slide 1: The Venn of Levels
RL "Bob" Morgan, University of Washington / Internet2 / InCommon
TERENA/REFEDS, October 2009, Rome, IT
Slide 2: A historical tale...
- ... of a mild-mannered government seeking to reduce paperwork and improve responsiveness by offering online services to its citizens in a secure, affordable, and privacy-protecting way
- ... of swashbuckling bureaucrats and daring technologists fighting for the protocols they believe in
- ... of groundbreaking memoranda, game-changing standards, processes so clean and open they take your breath away...
Slide 3: 2003-2007: the E-Auth Era
- OMB 04-04, December 2003
  - promotes e-authentication for e-government
  - encourages use of external credential providers
  - describes four levels of risk and corresponding levels of identity assurance
  - directs NIST to specify technologies to support the four levels, via SP 800-63
  - "important to match LoA against cost and burden of solution"
- made real by E-Authentication Program operated by GSA
Slide 4: E-Auth: the thrill of adoption...
- established federation 2004-05, roughly in parallel with InCommon
- SAML protocol, COTS products
- focus on commercial identity providers serving agency applications
- IdPs assessed for assurance level (3 campuses in early 2005)
- agencies required to have participating apps
- much discussion of interfederation with InCommon
- "interfed" demo with NSF FastLane, Dec 2006
Slide 5: E-Auth: the agony of no apps...
- by 2007 E-Auth losing steam
  - costs too high: heavyweight program (product testing, app requirements, etc)
  - benefits too low: too few IdPs...
- new business models proposed, agencies pursue other options
- InCommon works directly with NIH
  - special agreement "consistent with 800-63"
  - NIH joins InCommon, using InC SAML profile
  - first InC users of NIH apps early 2008
  - now many apps/users, working on Level 2/Silver
Slide 6: 2008: rumblings of change
- GSA organizes ICAM program, identitymanagement.gov site to set new direction
- E-Auth is EOL (turned off March 2009)
- agencies encouraged to work with sector partners, using appropriate technologies, consistent with 800-63, following model of NIH and InCommon
- InCommon seeks "government-wide MoU" to work with all agencies
- Nov 2008: new social-web-enabled administration is elected...
Slide 8: 2009: change? you got it
- Obama administration seeks to transform government: transparency, delivery via web
- new federal CIO is big fan of Web 2.0, social networking; encourages agencies to adopt new techniques
- social networking depends on identity, is closely associated with OpenID
- OpenID now supported by major consumer services: Google, Live, Yahoo, Facebook, Paypal, etc, with hundreds of millions of users
- mandate from CIO to support OpenID
Slide 9: A big tent for protocols
- 800-63 isn't SAML-specific: specifies security criteria for "assertion protocols"
- OpenID and Information Card can fit too (as does WS-Federation)
- new ICAM "Identity Scheme Adoption Process" defining how new protocols can be approved for use... at which assurance levels
- ICAM works with OpenID and Information Card communities to define acceptable profiles, adopt them August 2009
- SAML is "grandfathered"?
Slide 11: Promoting protocol maturity
- identity protocols typically need profiles for defined (e.g. government) use
  - SAML has Kantara eGov profile
  - TFP program defines profiles for OpenID, Information Card (IMI)
- also defined procedures for trust management
  - SAML has metadata spec, new metadata-IOP
  - TFP defines (crude) means for OpenID, IMI
  - maybe define use of SAML metadata for these? already being used by WS-Federation
  - XRD to the rescue?
Slide 12: Trust Framework Providers
- how can government decide to work with, say, Facebook as an IdP?
  - need LoA assessment, use of approved protocol, a scalable structure and process
  - need a thing like... InCommon, like... E-Auth
- TFP Adoption Process says how to do it: describe rules, how assessments are done
- InCommon helps OpenID, Infocard Foundations figure out how to be like InC
- Kantara Initiative Identity Assurance in the mix...
- InCommon will apply for approval
Slide 13: TFPAP and privacy
- most of TFPAP is just like E-Auth and 800-63: technical support of 4 levels, etc
- new material added on privacy controls, based on concerns about consumer IdPs
  - users must opt in, must see attrs being sent about them, info must not be used for marketing...
- InCommon must develop new provisions in its framework to support these requirements
- how do these relate to business scenarios? does a PI have to opt in to use NIH? or do university privacy policies suffice? we'll see
Slide 14: But are there apps?
- OpenID is Level 1
  - profile mandates minimal PII disclosure, though apps can request, e.g., email address
- many gov services have strict PII-handling rules, also rules on formally accepting comments, so posting a blog comment may just not apply
- are those insisting on Level 2 law-respecting public servants or stodgy bureaucrats?
- pilot library app in NIH will accept OpenID, Infocard, InCommon
Slide 15: Whither assurance?
- Facebook makes case for its identities: "web of trust" means you're generally connected, it's hard to spoof for long, so they're "pretty good"
- do 800-63 levels even apply to consumer/social services? maybe define new ones?
- elected officials want good communications with constituents (aka "CivicID"), e.g. to know if a person is in their district, and a voter
- can Facebook et al fill this need?
Slide 16: InCommon Assurance
- framework/profiles published Nov 2008
- rest of program (including price) not done yet
- no campuses ready to apply; some are close
- US Gov is main driver: NIH research-admin app in 2010; NSF follows
- FERPA student-privacy rules may bless Silver as "OK for access to personal info"; may drive adoption by other student-sector SPs
- who will audit? who will answer tough questions? maybe Kantara-blessed auditors?
Slide 17: Attribute assurance
- major point of discussion at recent USGov/Internet2 Tao of Attributes meeting
- some propose an "asserted-by" tag
- others suggest an "issued in conformance with profile urn:xxx" tag
- upcoming Kantara/Concordia survey trying to find out what SPs care about in assurance...