OIDF board members have interacted with the US NIST on a variety of topics over the years. For example, last year several IdPs collaborated and published a best practices document for CAPTCHA, which NIST used with regard to their ongoing study of online identity proofing. At NIST's request, two days ago Eric Sachs and I briefed the NIST Board on the latest developments with OpenID, OIX, etc. My notes for that briefing are below:
National Strategy for Secure Online Transactions

There is an ongoing dialogue between the OpenID Foundation and Open Identity Foundation (OIX) and the White House team drafting the National Strategy for Secure Online Transactions. The current White House draft calls for a "national trust framework" as one of several initiatives. One OIX objective is to provide the strategy team further information on the role OIX can play as a neutral, nonprofit "utility" for the certification of participants in multiple trust frameworks for both internet and phone channels in the US and international markets. OIX is importantly differentiated by the board-level representation of companies that enable secure online transaction services as a core competency of their business operations, on a global scale, for hundreds of millions of users on a daily basis.

The Open Identity Exchange (OIX)

The OpenID Foundation and ICF, together with companies like Google, PayPal, Equifax and others, helped found the OIX. The most important aspect to understand about the OIX model is the following (explained in detail in the Open Identity Trust Framework Model white paper, <http://www.openidentityexchange.org/sites/default/files/the-open-identity-trust-framework-model-2010-03.pdf>): it is not necessary for the US or any government to amend or adapt its identity framework to work with OIX. Rather, it is a matter of OIX working with the GSA ICAM and other government agencies to simply turn their requirements into an OIX trust framework. This was a lightweight process we went through with ICAM in the US. Once they understood that "their trust framework was our trust framework", it was easy to complete the process. Unlike the other pre-existing trust frameworks developed by third parties outside the government, OIX does not have its own "native" trust framework to which others must map their requirements.
OpenID and NIST related information

There are two tracks. One is the E-Authentication Risk Assessment, based on OMB-04-04 and relating directly to the NIST levels:
http://www.whitehouse.gov/OMB/memoranda/fy04/m04-04.pdf

The requirements for implementation are found in:
http://www.whitehouse.gov/omb/assets/omb/memoranda/fy04/m04-25.pdf

There is OMB Circular A-130:
http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/

The GSA provides assessment tools for agencies reporting at:
http://www.idmanagement.gov/drilldown.cfm?action=era

As John Bradley outlined at the OpenID Technology Summit this week, OMB-04-04 and the risk assessment allow the RP to collect the information, but lay out what security requirements are required for the protection of that information, including the strength of the credentials.

Then on the privacy side we deal with the Privacy Act of 1974 and the E-Government Act of 2002. This requires agencies to have systems of record, so that people can make requests under the Privacy Act for information about them.

Eric and I noted that there will likely be multiple levels of identity proofing, one of which would be in-person, like what Verizon could do, and another would be online verification of credit card information or phone #, such as PayPal/Google/Yahoo/etc. could do.

I will be representing the OIDF at the IDTrust 2010 workshop, which will be held at NIST in Gaithersburg, MD, US on April 13-15, 2010.

NIST will announce today, Friday, that ANSI/NASPO are starting a project to define standards for identity proofing: http://www.naspo.info/ I plan to keep an eye on how it progresses and update the board.
From: Don Thibeau
Sent: Monday, April 05, 2010 6:18 PM
Subject: Information Security and Privacy Advisory Board Meeting Agenda for April 7-9, 2010
When: Wednesday, April 07, 2010 6:30 PM-7:00 PM (GMT-05:00) Eastern Time (US & Canada).
Where:

------------
From: Bowen, Pauline [[email protected]]
Sent: Monday, April 05, 2010 4:27 PM
To: Eric Sachs; [email protected]; Newton, Elaine M.
Subject: Information Security and Privacy Advisory Board Meeting Agenda for April 7-9, 2010
Attachments: ISPAB Meeting Agenda 2010-040710.doc; Directions to Washington Marriott Wardman Park.doc

1:30 P.M. - 2:30 P.M.  NIST Update on FY10 Activities - Patrick Gallagher, NIST Director
2:30 P.M. - 3:30 P.M.  OMB Update/Metrics - Vivek Kundra, Federal CIO, OMB
3:30 P.M. - 4:30 P.M.  OpenID - Elaine Newton, NIST; Don Thibeau, Executive Director, The OpenID Foundation; Eric Sachs, Google

Don Thibeau
[email protected]
Executive Director
The OpenID Foundation
http://openid.net
_______________________________________________
board mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-board
