-----Original Message-----
From: community-bounces@kantarainitiative.org [mailto:community-bounces@kantarainitiative.org] On Behalf Of Paul Trevithick
Sent: Monday, February 15, 2010 10:34 AM
To: Popowycz, Alex
Cc: community@kantarainitiative.org
Subject: Re: [Kantara - Community] An observation: SSO's are consolidating and/or collaborating more
On Feb 12, 2010, at 1:55 PM, Popowycz, Alex wrote:
The US government is making a big push for adoption of open identity technologies with their Identity, Credential, and Access Management (ICAM) initiative. The government saves money by not having to issue and manage credentials for citizens wanting to access online government services.
Yes.
A number of big players (Paypal, Yahoo, Verisign, Google, AOL) have stepped up to the plate to act as OpenID providers, so that people with credentials from these identity providers can use them to access government services. But these initial ICAM services are low assurance, LOA-1, services, meaning that these identity providers will not need to verify the identities of those to whom it issues OpenIDs, and those OpenIDs are usable with only a username and password.
Yes OpenID will be certified for LOA-1. And that's the level that the first pilots will operate at.
For higher assurance services, stronger authentication methods and technologies will be needed, and some degree of identity proofing prior to issuance of the credentials will also be required. The costs of these things will not be zero, and presumably identity providers will want to recoup their costs and earn a profit by providing these identity services.
Agreed. For LOA-2+ other (non-OpenID) methods (e.g. InfoCard) will be certified. A number of vendors (Equifax, PayPal, etc. ) announced they will be infocard IdPs. I expect there'll be demos by the GSA (and other) folks at RSA of this kind of thing.
The missing piece of the puzzle is what business model(s) will support higher assurance identity services.
Actually the missing piece turned out not to be tech, nor business. It is the lack of the right kind of trust frameworks (white lists, certification, auditing, etc.) that the US government is waiting for.
WRT business models, the higher the assurance level, the more money this stuff costs. And thus the better the business case for "outsourcing" especially if a competitive market emerges. Or at least that's the theory.
Thanks Paul, my comments in-line.
Again, I point to the PKI world as an old example. Certain CAs charge over $700 for an SSL server cert, yet very few companies/organizations who pay for such an SSL cert actually make use of it. At best, it's a tick off the list for their security auditors. And the PKI world already has some degree of "trust framework" in the form of the Certificate Practices Statement (CPS). But you are right, just the complexity of operating a trust infrastructure makes it attractive to outsource it.
Will relying parties pay identity providers for identity assertions?
I sure hope so. If we generalize a bit from "identity assertions" to "personal data", we see a robust, competitive market wherein "relying parties" (merchants, advertisers, etc.) pay IdPs. They just do it using closed, proprietary "protocols" and APIs (behind the user's back). But money and data do flow.
Will consumers pay something if the use of high assurance identity credentials can help protect them against identity theft?
Consumers don't pay for anything. At least in the US.
Hmm, being a US consumer I kinda think I have to pay for everything -- directly or indirectly :) Think of credit cards and the financial infrastructure behind them. Either I pay the $$ annual fee to the bank or Issuer, or the merchant will simply pass the cost on to me as a consumer. It will be difficult for the Gov to say to citizens: hey, in order to access your records (e.g. tax, medical, etc.) you will have to pay $$ annually for strong authentication to an IdP.
PS. Another example is the smartcards built into the new US passports (in the middle pages). I believe that does not come free -- we have to pay for that "feature".
Regards.
/thomas/
hardjono[at]mit.edu