On Feb 12, 2010, at 1:55 PM, Popowycz, Alex wrote:
The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services.
Yes.
A number of big players (PayPal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom they issue OpenIDs, and those OpenIDs are usable with only a username and password.
Yes, OpenID will be certified for LOA-1. And that's the level that the first pilots will operate at.
For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services.
Agreed. For LOA-2+ other (non-OpenID) methods (e.g. InfoCard) will be certified. A number of vendors (Equifax, PayPal, etc.) announced they will be InfoCard IdPs. I expect there'll be demos by the GSA (and other) folks at RSA of this kind of thing.
The missing piece of the puzzle is what business model(s) will support higher assurance identity services.
Actually the missing piece turned out not to be tech, nor business. It is the lack of the right kind of trust frameworks (white lists, certification, auditing, etc.) that the US government is waiting for. WRT business models, the higher the assurance level, the more money this stuff costs. And thus the better the business case for "outsourcing", especially if a competitive market emerges. Or at least that's the theory.
Will relying parties pay identity providers for identity assertions?
I sure hope so. If we generalize a bit from "identity assertions" to "personal data", we see a robust, competitive market wherein "relying parties" (merchants, advertisers, etc.) pay IdPs. They just do it using closed, proprietary "protocols" and APIs (behind the user's back). But money and data do flow.
Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft?
Consumers don't pay for anything. At least in the US.
Or will identity providers eat the costs of providing high assurance identity services if it can help them to attract customers for other services they provide?