The Open Identity Framework

Don Thibeau, Executive Director, OpenID Foundation (OIDF)
Drummond Reed, Executive Director, Information Card Foundation (ICF)

V2 2009-12-06

Upload: shon-barker

Post on 11-Jan-2016



Overview

• This presentation introduces the Open Identity Framework, a new open source model for trust frameworks created by the OIDF & ICF

• It covers:
  – Why such a model is needed
  – What principles underlie its design
  – How the model works
  – How it will drive adoption of open identity
  – What next steps the foundations are taking


Third-party identity management

• Both OpenID and Information Cards address the need for Internet-scale digital identity management

• Both solve the problem using a third party to assist end-users in identity transactions
  – Called an “identity service provider” (also “identity provider”, “IdP”, “IP”, “OP”)

• This sets up the following “trust triangle” for Internet identity transactions


The “trust triangle”

[Diagram: a triangle with corners labelled “identity service provider”, “relying party” and “user”; edge labels: “Terms of Service (TOS) agreement” (twice) and “Optional direct trust agreement”.]


The trust problem

• The user has a direct trust relationship with both the identity service provider and the relying party

• The problem is: how can the identity service provider and relying party trust each other?

• This problem is especially acute:
  – At Internet scale, where identity service providers and relying parties may not have any pre-existing relationship
  – With high-value data
  – With high-assurance transactions


Direct trust agreements do not scale

• Direct trust agreements are common when an identity service provider and a relying party are close business partners
  – Airlines and rental car companies

• They do not scale to large networks, e.g., credit card networks, ATM networks
  – Requires n² trust agreements

• The solution is often a trust framework
  – A shared set of policies and agreements


A trust framework “umbrella”

[Diagram labels: Trust Framework; Trust Community; identity service provider; relying party; user.]


Trust framework providers

• Other industries (credit cards, ATMs) have created global trust frameworks

• They each use a shared trust framework provider
  – Visa, Mastercard, AMEX
  – Cirrus, PLUS

• The same model can be used for identity


A trust framework for identity

[Diagram labels: Trust framework agreements; TOS agreements; Trust Framework Provider (TFP); Trust Community (source of a trust framework); assessors & auditors; dispute resolvers; identity service provider; relying party; user.]


Example #1: the US ICAM trust framework

[Diagram labels: Trust Framework Provider; US GSA; Private-sector identity providers; US government websites; assessors & auditors; dispute resolvers; user.]


Example #2: the OpenID Society trust framework

[Diagram labels: US GSA; Trust Framework Provider; ??; user; Professional associations; Academic publishers; assessors & auditors; dispute resolvers.]


Example #3: the PBS trust framework

[Diagram labels: Websites for PBS shows; Trust Framework Provider; US GSA; user; PBS affiliate stations; assessors & auditors; dispute resolvers.]


The Open Identity Framework

• This model is an Internet-scale, open source trust framework model for identity

• It is a meta-framework where each trust community can specify the requirements of their own trust framework

• This approach leverages market forces to:
  – Drive adoption
  – Drive convergence of specifications for LOA
  – Introduce specifications for LOP (Levels of Protection)
  – Engage market pricing for services from assessors, auditors, and dispute resolution service providers


The Open Identity Framework Model

[Diagram labels: Trust framework agreements; TOS agreements; OIF Trust Framework Provider; Identity service providers; relying parties; Trust Community (three instances); assessors & auditors; dispute resolvers; user; numbered callouts 1 to 5.]


Range of OIF certification options

[Diagram labels: Self-certification; Third-party certification; Policy matching; Technical interoperability.]


OIF technical interoperability

[Diagram labels: Third-party certification; Self-certification; identity service providers; Technical Certification Listings; OIF Trust Framework Provider; trust communities; relying parties; assessors & auditors; Technical Interop Requirements.]


OIF policy matching

[Diagram labels: identity service providers; Technical Certification Listings; OIF Trust Framework Provider; Policy Certification Listings; relying parties; assessors & auditors; trust communities; Policy Matching Requirements; Third-party certification; Self-certification.]


Why will the OIF drive adoption?

1. Efficiency

2. Openness/Transparency

3. Credibility/Accountability

4. Improved user experience


Efficiency

• The OIF makes it easy for anyone of any size to ensure technical interop or policy matching with their choice of profiles

• Eliminates the n-squared problem of multi-lateral interop or trust agreements

• Grows the market for everyone
  – The “network effect for trust”


Openness/Transparency

• Properly implemented, the OIF provides an open, transparent process for trusted identity transactions
  – Both within and between trust communities

• Helps protect participants from collusion or anti-trust concerns

• Anticipates cross-border data protection issues


Credibility/Accountability

• Each participant (trust community, identity service provider, relying party, assessor, auditor, dispute resolver) reinforces the credibility of the entire ecosystem

• Mutual accountability of all participants

• Enhanced by government participation
  – Governments serve as the initial “trust anchors”


User experience improvements

• Increased interoperability of Internet identity across websites

• More consistent ceremony leads to lower login or transaction abandonment at relying parties

• Consistent trust mark raises user confidence


Thank you

• We look forward to working with you
  – [email protected]
  – [email protected]
