WG - Consumer Identity Blog from Sep 15, 2009


Two developments involving consumer identity, which could have some bearing on the Consumer Identity WG, were in the news recently.  The Information Card Foundation and the OpenID Foundation announced a joint whitepaper that discusses open trust frameworks for open government applications, including how these trust frameworks will play an important role in enabling OpenID and Information Cards to authenticate consumers/citizens for open government applications.  Here is the announcement, with a link to the whitepaper: http://informationcard.net/blog/open-trust-frameworks-paper.

Closely following this, a pilot program was announced involving ten big companies who will act as Identity Providers, using OpenID and Information Cards, for open government applications.  These ten companies - Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems - will issue OpenIDs and Information Cards to consumers/citizens for use in accessing these government applications.  The advantage of this approach is that citizens do not need to obtain separate credentials (i.e., usernames and passwords) from the government at each of the websites providing these government services.  Instead, citizens can access services across multiple government websites using the same OpenID or Information Card.  [The announcement is here: http://informationcard.net/blog/open-identity-initiative-2009-09-09]

The US federal government agencies participating in this pilot include the Center for Information Technology (CIT), National Institutes of Health (NIH), and U.S. Department of Health and Human Services (HHS).  What kinds of open-government services will be provided in this pilot program?  According to the announcement, "in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections."

The open government services provided in the pilot are all Assurance Level 1 services, meaning that these services do not require that the actual identities of the citizens using them be known, and that password authentication is deemed acceptable.  So consumers obtaining these OpenIDs and Information Cards will not have to identify themselves, and the Identity Providers will not have to verify anyone's identity.  And even though consumers will not need to obtain separate passwords for each of the government sites, use of a particular OpenID or Information Card will require password authentication to the Identity Provider, which provides a low assurance that the same person is coming back each time to use the service.

So will this have any impact on the Consumer Identity WG?   I recently was able to obtain (and distribute here with permission) a presentation made at this year's Catalyst conference by Andrew Nash of PayPal, entitled "A Billionth of a Second After the Big Bang."  No, this is not a treatise on astrophysics, but an attempt to address the question of how we get from here (shortly after the "big bang" of identity, where all this identity stuff like OpenID and Information Cards is floating around) to the "steady state" of identity, where things have coalesced and everyone has some sort of digital identity.  The presentation hints at some answers, but the very fact that the government has chosen to rely on credentials issued by non-government entities for access to consumer/citizen applications is a watershed moment in helping to bring about the greater use of privacy-protecting digital identity credentials for use by consumers in a variety of online transactions.

But the open government applications require only low assurance identity services, and this WG is about high assurance consumer identity.   Will governments also provide online services to citizens that require high assurance of the individual's identity, or that require stronger authentication technologies such as digital certificates to be used in conjunction with OpenID or Information Cards?  Will the ten Identity Providers in the current pilot choose to provide these higher assurance credentials to consumers?  And if so, will other non-government businesses and service providers such as financial institutions and healthcare providers adopt the same trust frameworks so that consumers can use the same high-assurance credentials with these applications as well?

These are unanswered questions, and if anyone has any opinions or insights they want to contribute, please do!  In the meantime, OASIS, the open standards consortium, is sponsoring Identity Management 2009 at NIST, Gaithersburg, MD, on September 29-30.  This conference will address open identity technologies as they apply to open government. Is anyone planning to attend?

I should also mention that the Kantara IDDY awards were announced today (Sept. 15, 2009).  One of the winners, Signicat, won an IDDY Deployment award for the development of an online hosted Identity Provider that is offered as a managed service to private and public sector enterprises and organizations in the Nordic Region (Norway, Sweden, Denmark and Finland).  Signicat also has a service, Signicat ID, that provides secure authentication of individuals to websites that require high assurance of a user's identity.   Understanding how this works, and how it might relate to these other open identity technologies, is something the WG should look into further.

Bob Pinheiro

Chair, Consumer Identity WG