From IIW

Session: Tuesday Session 3 Space E

Conference: IIW 10, May 17-19, 2009 (see the Complete Set of Notes)

Convener: Don Thibeau, Drummond Reed

Notes-taker(s): Christie Grabyan

A) Tags for the session - technology discussed/ideas considered

Catch up on what has happened in the last 6 months, plus review of what OIX is today.

B) Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion, action items, next steps:

Defined: OIX is a community-developed solution to the problem of how open identity credentials (OpenID, Info Cards) can be trusted online. Update: 6 months ago the discussion was primarily around terminology and getting everyone on the same page.

Recent developments include (March 2010):

  • OIX launched at RSA
  • Approved as US ICAM TFP
  • First 3 ICAM IdPs certified
  • Open Identity Trust Framework Model paper published

(May 2010)

  • Working groups commence
  • Expanded membership doc approved

Review of the OITF Model

Under the OITF Model, the Trust Framework Provider (TFP) communicates with the Identity Service Provider (IdP), the Relying Party (RP) and the Assessor. The IdPs and the RPs interact directly with the Users. The IdPs provide levels of assurance to users and assessors, and the RPs provide levels of protection to users and assessors.

Industry feedback and the stated priority were to make OIX simple, lightweight and extensible. It is deliberately designed for global scalability, with enough room for policymakers and other trust framework providers to enter. Data protection notions are already well defined, so it is anticipated that objectively testable levels of protection can be defined, tested, and assessed.

For example, NIST levels can be leveraged as a framework.
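To make the role relationships in the OITF Model concrete, here is an added illustration (not OIX's own code, and not a description of any real listing service): a TFP accredits assessors, accredited assessors certify IdPs at a level of assurance and RPs at a level of protection, and the listing answers an RP's trust question only from that chain. All names, dates and level numbers are constructed, and the 1-4 integer scale is an assumption that mirrors the NIST assurance levels mentioned above.

```python
"""Added illustration of the OITF role model (not OIX code).
TFP -> accredits assessor -> assessor certifies IdP (LoA) or RP (LoP) -> listing.
Names, dates and levels are constructed; the 1-4 scale is an assumed NIST-style scale."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Accreditation:
    """A TFP's accreditation of an assessor, valid until `expires`."""
    tfp: str
    assessor: str
    expires: date


@dataclass(frozen=True)
class Certification:
    """An assessor's finding that `subject` (an IdP or RP) meets `level` under `tfp`."""
    tfp: str
    assessor: str
    subject: str
    role: str      # "IdP" (level is a LoA) or "RP" (level is a LoP)
    level: int
    expires: date


class Listing:
    """The listing service: every trust decision is derived from the chain
    TFP -> accredited assessor -> certified IdP/RP, never from a self-assertion."""

    def __init__(self, accreditations, certifications):
        self.accreditations = list(accreditations)
        self.certifications = list(certifications)

    def is_accredited(self, tfp, assessor, on):
        """True if `tfp` accredited `assessor` and the accreditation is unexpired on `on`."""
        return any(a.tfp == tfp and a.assessor == assessor and a.expires >= on
                   for a in self.accreditations)

    def certified_level(self, tfp, subject, role, on):
        """Highest valid level for `subject`; 0 if nothing valid is on file.
        A certification counts only if it is unexpired and its assessor was
        accredited by the same TFP on the date `on`."""
        levels = [c.level for c in self.certifications
                  if c.tfp == tfp and c.subject == subject and c.role == role
                  and c.expires >= on and self.is_accredited(tfp, c.assessor, on)]
        return max(levels, default=0)

    def exchange_permitted(self, tfp, idp, rp, required_loa, required_lop, on):
        """True when the IdP's LoA meets what the RP requires and the RP's LoP
        meets what the user (or the framework) requires of that RP."""
        return (self.certified_level(tfp, idp, "IdP", on) >= required_loa
                and self.certified_level(tfp, rp, "RP", on) >= required_lop)


def sample_listing():
    """Constructed data for a single hypothetical TFP, 'example-tfp'."""
    tfp = "example-tfp"
    return Listing(
        accreditations=[
            Accreditation(tfp, "assessor-a", date(2011, 12, 31)),
            # assessor-b's accreditation lapsed before the check date
            Accreditation(tfp, "assessor-b", date(2010, 1, 31)),
        ],
        certifications=[
            Certification(tfp, "assessor-a", "idp-one", "IdP", 2, date(2011, 6, 30)),
            # LoA 3 finding by an assessor whose accreditation lapsed: must not count
            Certification(tfp, "assessor-b", "idp-one", "IdP", 3, date(2011, 6, 30)),
            # assessor-c was never accredited by this TFP
            Certification(tfp, "assessor-c", "idp-two", "IdP", 4, date(2011, 6, 30)),
            Certification(tfp, "assessor-a", "rp-health", "RP", 3, date(2011, 6, 30)),
            # expired RP certification
            Certification(tfp, "assessor-a", "rp-old", "RP", 3, date(2010, 3, 1)),
        ],
    )


CHECK_DATE = date(2010, 6, 1)   # constructed evaluation date

if __name__ == "__main__":
    listing = sample_listing()
    print(listing.certified_level("example-tfp", "idp-one", "IdP", CHECK_DATE))
    print(listing.exchange_permitted("example-tfp", "idp-one", "rp-health", 2, 3, CHECK_DATE))
```

The point of the example is the "who accredits the assessor" question raised later in the session: a certification issued by an assessor the TFP has not (or no longer) accredited is simply invisible to the listing, so a lapsed accreditation or an expired certification silently drops a party's level to 0 rather than leaving a stale entry in place.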

The role of ICAM has bridged both technical and policy requirements. ICAM (Identity, Credential and Access Management) is a committee of committees in the US government with a co-chair from the DoD (Dept of Defense).

In the UK, there are also notions of registration authorities, credential providers, and identity providers that all fit into OIX's sense of "Identity Service Provider".

A question was posed as to who accredits the assessor. Accreditation could be provided by the TFP. Or, a role called a Special Assessor could be designated by the TFP (maybe it will become a government agency, or some of the Big 5 firms, etc).

In the health sector, there is a problem with the identity side of the equation, but there are also problems with the RP side. The challenge is whether that RP qualifies to offer services in the health sector (or another sector).

Question around liability: Does the TFP provide direct indemnification? Is it a rating agency or a guarantor?

Answer: The liability issue is being explored right now, including where the balance of duties lies, what kind of contractual elements need to be put in place, whether legislation is required, etc. There is a desire to have an industry-led discussion around liability, rather than wait for the government to tackle it. The lightweight assessor responsibilities in the first phase are intended as a placeholder, allowing working groups and other trust frameworks to chime in and provide more context so that decisions can be made to further define the responsibility of assessors.

Question: Who accredits TFPs? Answer: The policymakers themselves. TFPs will multiply; the model is not designed to produce a TFP monopoly.

Other trust frameworks are coming:

  • Line Information Database (LIDB) - To safeguard access to telco subscriber data
  • PBS Public Media – To connect public TV stations, users, and sites
  • XAuth – To simplify movement between social sites
  • PDX (Personal Data Exchange) – To support individuals' data on their own terms

Question: What is the sustainable model for these trust providers, particularly for OIX which is solely in the trust business, and doesn’t have other revenue streams to rely on?

Answer: With OIX, the business model is based on membership fees (paid by assessors, RPs, etc). Longer term, the goal is to cover the cost of maintaining the listing service.

The listing service (meta-federation) needs to be designed before further decisions can be made about how to operate and maintain it.

The credit card operating-rules model is already established in this space.

There will be a session on Wednesday to discuss the PCI trust model and terminology.

There are OIX TF Working Groups to join to further the discussion.