1. 1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation Drummond Reed, ED, Information Card Foundation

2. 2 Topics  The Open Identity Solutions for Open Government Initiative Policy Foundation  Understanding the U.S. Government Approach Identity Schemes Trust Frameworks  Open Identity Schemes OpenID InfoCards  Introducing the Open Trust Framework Key Design Principles Participant Roles The Basic Workflow Components of Specific Trust Framework  Next Steps/How to Get Involved

3. 3 Goals of Open Identity Solutions for Open Government Program  Make Government more transparent to citizenry  Make it easier for citizenry to access government information  Avoid issuance of application-specific credentials  Leverage Industry credentials for Government use  Leverage Web 2.0 technologies  See presentation and document posted on http://www.IDmanagement.gov

4. 4 Policy Foundation: OMB M04-04 Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors 1234 Inconvenience, distress or damage to standing or reputation LowMod High Financial loss or agency liabilityLowMod High Harm to agency programs or public interestsN/ALowModHigh Unauthorized release of sensitive informationN/ALowModHigh Personal SafetyN/A LowMod High Civil or criminal violationsN/ALowModHigh  Risks

5. 5 Policy Foundation: NIST Special Pub 800-63  SP 800-63 Technical Guidance Allowed Token Types1234 Hard crypto token  One-time Password Device  Soft crypto token  Password & PINs  Assurance Level

6. 6 US Government Approach  Adopt technologies in use by industry “Identity Scheme Profiles” Identity Scheme Adoption Process (ISAP)*  Adopt industry trust models “Trust Framework Providers” Trust Framework Provider Adoption Process (TFPAP)*  See documents posted on http://www.IDmanagement.gov

7. 7 Identity Scheme Adoption

8. 8 Open Identity Schemes: OpenID  OpenID Open Source roots OpenID Foundation serves as steward and provides necessary infrastructure Used/supported by Google, Yahoo, Facebook, AOL, MySpace, Novell, Sun, etc. 1 billion+ OpenID-enabled accounts 40,000+ web sites support OpenID  ICAM Profile Profile based on OpenID 2.0 Requires SSL/TLS on all endpoints Requires Directed Identity Approach Requires pair-wise unique pseudonymous identifiers Requires Short lived association handles

9. 9 OpenID Flow

10. 10 Open Identity Schemes: Information Cards  Information Card Analogous to the cards you carry in wallet Open Source & industry standards Supported by Microsoft, Intel, Oracle, Novell, Equifax, Google, Citi, etc. Built into MS Vista; option for XP Lower rate of adoption than OpenID ALs 1 thru 3; possibly AL 4  ICAM Profile Profile of Identity Metasystem Interoperability Document 1.0 (IMI) Requires encryption of PII Requires use of optional Private Personal Identifier (PPID) Currently managed cards only

11. 11 Information Card Flow

12. 12 Trust Framework Adoption  The Open Identity Solution approach is to enroll industry trust frameworks Specify relevant identity scheme profiles Map Levels of Assurance (LOA) to requirements of NIST SP 800-63 Incorporate privacy requirements  The GSA made an outreach to the OpenID Foundation, Information Card Foundation, InCommon, and Liberty/Kantara  Participating trust frameworks are being submitted under the ICAM Trust Framework Provider Adoption Process

13. 13 The Open Trust Framework  Jointly developed by the OpenID Foundation and the Information Card Foundation  Reflects our common interests in providing a trust framework adapted to open identity technologies – technologies that: Are open standards Operate at Internet scale Support user-controlled identity management Do not presume any pre-existing trust relationships between identity providers and relying parties  A draft application was submitted to GSA on 8 September 2009 for review and feedback under the TFPAP  Currently being further revised to reflect GSA feedback and OIDF and ICF member review

14. 14 Core Design Principles of the Open Trust Framework 1) Open to all identity providers 2) Open to any qualified auditor 3) Open to provider self-certification 4) Open to change and evolution

15. 15 Participant Roles  Trust Framework Provider OIDF and ICF in collaboration  OTF Administrator Contractor to OIDF and ICF  Identity Providers OpenID or Information Card providers desiring to serve the applicable trust communities  Auditors Organizations who offer technology auditing and certification services as part of their business  Relying Parties Do not participate directly in the first version of the Open Trust Framework, but may be involved in future versions

16. 16 The Basic Workflow  Auditor Registration OTF Administrator verifies qualifications  Identity Provider Certification Provider self-certification is available to all provider Self-certification is audited OTF Administrator verifies the authenticity of the application OTF Administrator provisions the certification metadata  Ongoing Operations Updates to certification metadata Quality assurance and quality control Renewals Trust framework revisions  Dispute Resolution

17. 17 Components of a Specific Trust Framework  Purpose Statement  Auditor Registration Requirements  Identity Provider Certification Requirements  Identity Provider Self-Certification Form  Dispute Resolution Supplement

18. 18 Next Steps  A pilot of both the ICAM OpenID and Information Card identity schemes is underway with the National Institute of Health  The two foundations are expanding our circle of collaboration on the Open Trust Framework Harvard Berkman Center Center for Democracy and Technology  We invite NIST and industry’s continued participation Please contact us for more information www.openid.net www.informationcard.net