
The E-Authentication Initiative

Presentation on theme: "The E-Authentication Initiative"— Presentation transcript:

1 The E-Authentication Initiative
E-Authentication: Creating an Environment of Trust
David Temoshok
Director, Identity Policy and Management
GSA Office of Governmentwide Policy

2 Session Objectives
Identity Federation Basics
Why the Federal Government is federating
Key infrastructure needed for ID Federation
Interoperability and ID Federation
E-Authentication Trust Framework
The Electronic Authentication Partnership and how it facilitates identity federation

3 The Identity Problem
Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications: costly, insecure, inconvenient.
[Figure: separate User ID / Password prompts for my401k, my.employer.org and a frequent-flyer e-travel site, each requiring its own login]

4 Background
Federated identity definition
  Rules, agreements, standards, technologies that make identity and entitlements portable across autonomous domains
  Is critical for a rich web services environment
Federated identity technologies and standards
  PKI – ISO X.509v3
  Security Assertion Markup Language – OASIS SAML 1.0,
  Lacking standards: Biometrics, User ID/PIN/Password, Knowledge-based authentication, One-time passwords, Token-based authentication
Federated identity specifications (SAML)
  Liberty Alliance
  Shibboleth

5 Standards Convergence
SAML 1.X – Framework for exchanging security information about a principal: authentication, attributes, authorization information
Liberty ID-FF 1.X – Extends SAML 1.0, 1.1 for federation, SSO, web services
[Diagram: Shibboleth Specification, Liberty Specifications and OASIS SAML 1.0, 1.1 converge into the OASIS Standard SAML 2.0]

6 Four Authentication Assurance Levels to meet multiple risk levels
[Chart: assurance levels (Low, Medium, High, Very High) plotted against increased need for identity assurance and increased $ cost. Credential types, weakest to strongest: PIN/User ID; Knowledge-Based / Very Strong Password; Multi-Factor Token; PKI/Digital Signature. Example transactions, lowest to highest risk: access to a protected website; applying for a loan online; obtaining govt. benefits; employee screening for a high-risk job]

7 President’s Management Agenda
1st Priority: Make Government citizen-centered.
5 Key Government-wide Initiatives:
  Strategic Management of Human Capital
  Competitive Sourcing
  Improved Financial Performance
  Expanded Electronic Government
  Budget and Performance Integration

8 Cross-cutting Infrastructure: eAuthentication (GSA)
[Diagram: PMC E-Gov Agenda portfolios, lead agencies and initiatives]
Government to Citizen (Lead: GSA, Treasury, DoED, DOI, Labor)
  1. USA Service
  2. EZ Tax Filing
  3. Online Access for Loans
  4. Recreation One Stop
  5. Eligibility Assistance Online
Government to Business (Lead: GSA, EPA, Treasury, HHS, SBA, DOC)
  1. Federal Asset Sales
  2. Online Rulemaking Management
  3. Simplified and Unified Tax and Wage Reporting
  4. Consolidated Health Informatics (business case)
  5. Business Gateway
  6. Int’l Trade Process Streamlining
Government to Govt. (Lead: SSA, HHS, FEMA, DOI)
  1. e-Vital (business case)
  2. Grants.gov
  3. Disaster Assistance and Crisis Response
  4. Geospatial Information One Stop
  5. Wireless Networks
Internal Effectiveness and Efficiency (Lead: OPM, GSA, NARA)
  1. e-Training
  2. Recruitment One Stop
  3. Enterprise HR Integration
  4. e-Travel
  5. e-Clearance
  6. e-Payroll
  7. Integrated Acquisition
  8. e-Records Management
Cross-cutting Infrastructure: eAuthentication (GSA)

9 Key Policy Points
For Governmentwide deployment:
  No National ID.
  No National unique identifier.
  No central registry of personal information, attributes, or authorization privileges.
  Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
  No single proprietary solution.
  Deploy multiple COTS products -- user's choice.
  Products must interoperate together.
  Controls must protect privacy of personal information.

10 Central Issue with Federated Identity – Who do you Trust?
[Diagram: a trust network linking 280 Million Americans, Millions of Businesses and State/local/global Govts with sector credential providers: Governments (Federal, States/Local, International); Travel Industry (Airlines, Hotels, Car Rental, Trusted Traveler Programs); Higher Education (Universities, PKI Bridge); E-Commerce Industry (ISPs, Internet Accounts, Credit Bureaus, eBay); Healthcare (American Medical Association, Patient Safety Institute); Financial Services Industry (Home Banking, Credit/Debit Cards)]
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

11 Identity Federation – Key Interoperability Needs
Identity Federations extend beyond current peer-to-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.
Federation Trust (Policy Interoperability)
Federation Communications (Technical Interoperability)
Federation Business Relationships (Business Interoperability)

12 Federation Infrastructure
Interoperable Technology (Communications)
  Determine intra-Federation communication architecture -- protocols
  Administer common interface specifications, use cases, profiles
  Ensure interoperability (as needed) according to the specifications
  Provide a common portal service (i.e., discovery and interaction services)
Trust
  Establish common trust model
  Administer common identity management/authentication policies for Federation members
Business Relationships
  Establish and administer common business rules
  Manage relations among relying parties and CSPs
  Manage compliance/dispute resolution

13 The Need for Federated Identity Trust and Business Models
Technical issues for sharing identities are being solved, but slowly
  Federal Interoperability Lab
  OASIS and Liberty conformance test programs
Trust is the critical issue for deployment of federated identity
  Federated ID networks have a strong need for trust assurance standards
    How robust are the identity verification procedures?
    How strong is this shared identity?
    How secure is the infrastructure?
Common business rules are needed for federated identity to scale
  N² bi-lateral trust relationships is not a scalable business process
  Common business rules are needed to define:
    Trust assurance and credential strength
    Roles and responsibilities of IDPs and relying parties
    Liabilities associated with use of 3rd-party credentials
    Business relationship costs
    Privacy requirements for handling Personally Identifiable Information (PII)

14 E-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M Federal Policy Notice, adopted by EAP)
2. Establish standard methodology for e-Authentication risk assessment (ERA) 2/04
3. Establish technical standards for e-Authentication systems (NIST Special Pub Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use 2/04
6. Establish common business rules for use of trusted 3rd-party credentials
7. Test products and implementations for interoperability
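As an added example, not part of the presentation, the following relying-party check ties together slides 5, 6 and 14: a SAML assertion is accepted only if its issuer is a credential service provider on the trust list, it is inside its validity window and audience, and its asserted assurance level (capped at the level the CSP was assessed for) meets what the transaction requires. The trust list, the transaction-to-level mapping, the "AssuranceLevel" attribute name and the assertion itself are constructed for illustration; XML signature verification is assumed to have happened before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Assurance levels from slide 6, weakest to strongest (numeric ranks are assumed here)
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
# Constructed trust list (slide 14, step 5): CSP issuer -> level the CSP is assessed for
TRUST_LIST = {"https://csp.example.gov/idp": "High"}
# Constructed mapping of the slide-6 example transactions to the level they require
REQUIRED = {"protected-website": "Low", "loan-application": "Medium",
            "govt-benefits": "High", "high-risk-job-screening": "Very High"}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed, unsigned SAML 2.0 assertion; "AssuranceLevel" is an assumed attribute name
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>https://csp.example.gov/idp</Issuer>
  <Conditions NotBefore="2004-02-01T10:00:00+00:00" NotOnOrAfter="2004-02-01T10:05:00+00:00">
    <AudienceRestriction><Audience>https://rp.example.gov</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="AssuranceLevel"><AttributeValue>High</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def check_assertion(xml_text, audience, transaction, now_iso):
    """Relying-party policy check; returns (accepted, reason). Signature assumed verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUST_LIST:
        return False, "issuer not on trust list"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    now = datetime.fromisoformat(now_iso)
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window"
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "audience mismatch"
    asserted = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "AssuranceLevel":
            asserted = attr.findtext("saml:AttributeValue", namespaces=NS)
    if asserted not in LEVELS:
        return False, "missing or unknown assurance level"
    # The CSP cannot vouch above the level it was assessed for, whatever it asserts
    effective = min(LEVELS[asserted], LEVELS[TRUST_LIST[issuer]])
    if effective < LEVELS[REQUIRED[transaction]]:
        return False, "assurance level below transaction requirement"
    return True, "accepted"
```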

15 The Need for an Identity Federation Business Case
“Federated identity is economically inevitable…” – Burton Group
However, there must be a clear business case that others can understand
  Business opportunity must be meaningful yet realistic
  Business partners need to understand the business case
The solution must be replicable
  Start simple, use standard templates, avoid complexity for complexity's sake
  Leverage open standards
There should be a clear business case for identity federation for:
  Financial services industry
  Health care industry
  Higher education

16 Identity Federation Models
[Diagram: three models, each drawn as Federated ID links between parties]
Bi-lateral (peer-to-peer)
Hub & Spoke (unilateral)
Circle of Trust (many-to-many)

17 The Need for the Electronic Authentication Partnership
[Diagram: policy, technical and business interoperability among the Federal Government, Commercial Trust Assurance Services, State/Local Governments and Industry, linking IDPs and RPs]
Interoperability for:
  Policy: Authentication Assurance levels, Credential Profiles, Accreditation, Business Rules, Privacy Principles
  Technology: Adopted schemes, Common specs, User Interfaces, APIs, Interoperable COTS products, Authz support
  Business: Common Business and Operating Rules

18 What is the EAP
Multi-industry partnership creating a framework for interoperable, trustworthy authentication
Incorporated non-profit association with 60 members
Product and technology agnostic
Goals
  Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  Eliminate or at least reduce the need for organizations to establish bilateral agreements
  Facilitate the creation of federations through replicable rules
  Enable federation-to-federation trust
In practice this means a federated approach

19 What the EAP is doing now for ID Federation
[Diagram comparing two states]
Current State of Industry: Bi-Lateral Pairs -- each IDP and SP/RP pair has its own bi-lateral agreement, pair-wise trust model, and pair-wise interface spec and products
EAP Objective: Multi-Party, Interoperable Federation -- many IDPs and SP/RPs share common business rules/agreements, a common trust model, a common interface specification, and interoperable products

20 Multiple, Interoperable Federations
What the EAP envisions for ID Federation
[Diagram: the EAP at the centre provides Common Business Rules/Agreements, Common Trust Models, Common Basic Interface Specifications and Interoperable Products; Federation 1, Federation 2 and Federation 3, each with its own IDPs and SP/RPs, interoperate through them]
EAP Vision: Multiple, Interoperable Federations

21 For More Information
David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov
Websites

