Open Identity for Open Government Initiative FAQ
See also the Open Identity for Open Government joint press release.
Q. What is Open Government?
A. Open government is government that is transparent, participatory, and collaborative, where citizens can be involved directly, get their questions answered, and have their voices heard. In the United States, President Obama has directed his Chief Technology Officer, in coordination with the Director of the Office of Management and Budget (OMB) and the Administrator of General Services (GSA), to make open federal government a reality. To that end, the GSA has established an Identity Scheme Adoption Process (ISAP) and a Trust Framework Provider Adoption Process (TFPAP) to allow citizens to use their own choice of digital identity credential to more easily interact with government websites and services.
Q. What is the role of the OpenID Foundation and the Information Card Foundation in the administration's Open Government initiative?
A. OpenID and Information Cards are open identity technologies - open standards for digital identity that make it easier and safer for users to register, log in, and, when necessary, share personally identifiable information across different websites and services. To bring open identity technologies and open government together, the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) are working with the GSA to create an open trust framework for open identity technologies. For details please see our joint white paper, Open Trust Frameworks for Open Government.
Q. Why are the OIDF and ICF collaborating on this initiative?
A. Although there are differences between OpenID and Information Cards, both are overseen by community-based foundations and both enable websites to accept identity credentials from third parties without a pre-existing direct trust relationship. This means they are ready for adoption by government websites as soon as there is a mechanism to verify that an OpenID or Information Card provider is certified to meet the U.S. government's standards for identity assurance. This mechanism - an open trust framework - is what OIDF and ICF are collaborating to provide.
Q. What are the milestones for this initiative?
A. The first milestone was the publication of the Identity Scheme Adoption Process (ISAP) and Trust Framework Provider Adoption Process (TFPAP) on the IDManagement.gov website, as well as initial drafts of the OpenID and Information Card identity schemes. The second milestone was holding the Open Government Identity Management Solutions Privacy Workshop in Washington D.C. on 10 August 2009 to gather input and feedback from the privacy community. The third milestone was the announcement at the Gov 2.0 Summit on 9 September 2009 of the first pilot programs for the Open Identity for Open Government initiative. These will test the proposed identity schemes and Open Trust Framework architecture. The fourth milestone will be formal approval of the OIDF/ICF Open Trust Framework, expected in October 2009, and commencement of formal certification of OpenID and Information Card identity providers.
Q. What companies are applying to be certified as identity providers under the OIDF/ICF Open Trust Framework?
A. This list is dynamic, so both the OIDF and the ICF websites maintain pages listing the providers who are participating in the current U.S. government pilot program as the first step in certification. See the OIDF Government page and the ICF Participating Providers page.
Q. What government agencies are initially participating in the pilot program as relying parties?
A. The first U.S. government agencies participating in the pilot program are the Center for Information Technology (CIT), the National Institutes of Health (NIH), the U.S. Department of Health and Human Services (HHS), and related agencies. Additional government agencies will be announced as the pilot program proceeds.
Q. Has the government established a timeline for adoption of open identity technologies across all of its sites/agencies?
A. The OMB and GSA would like to enroll additional agencies as quickly as possible; however, no specific timeline has been set.
Q. Why is this happening now?
A. The convergence of several major forces is transforming the way citizens participate in and communicate with government:
- Top-down support for open government in the Obama administration.
- The proliferation of social media ("Web 2.0").
- The availability of open identity technologies (OpenID and Information Cards).
The U.S. government is embracing the principles of social media and leveraging cutting-edge technology to engage with its citizens. This means people will be able to more easily and securely contact their legislators, provide input on public policy, and access their own tax and Social Security records - all without sacrificing their privacy.
Q. What are the broader implications for the identity industry?
A. The OIDF and ICF believe an open trust framework will lead to an open ecosystem for identity and trust on the Internet. This will not only meet the needs of many other governments besides the United States, but also the needs of many other websites, applications, communities, and industries. In short, it has the potential to become an essential part of the trust fabric of the Web. For more information please see our joint white paper, Open Trust Frameworks for Open Government.
Q. What is a trust framework?
A. In digital identity systems, certification programs that enable a relying party to trust the identity, security, and privacy assurances from an identity provider are called identity assurance frameworks, or more generally trust frameworks.
The open trust framework set forth by the OIDF and the ICF is based on the model developed by the InCommon federation for higher education institutions. For a detailed explanation of this model, see our joint white paper, Open Trust Frameworks for Open Government. For details about the U.S. government requirements for adoption of non-governmental trust frameworks, see the ICAM Trust Framework Provider Adoption Process (TFPAP).
Q. What is a relying party?
A. Relying parties (also called service providers) are websites or services that require a security credential from a user before granting access to protected resources. In the case of open government, the relying party is a federal government website, service, or application.
Q. What is an identity provider?
A. Identity providers are sites or services that provide a security credential (such as an authentication or authorization assertion) on behalf of a user. In some cases this security credential may contain a set of attributes (also called claims) that the identity provider asserts about the user, e.g., name, address, age, gender, etc. However, in other cases the credential may not include any personally identifiable information (PII), and may include only a pseudonymous identifier, i.e., one that identifies the user only at that one site.
Q. What is OpenID?
A. OpenID is a Web registration and single sign-on protocol that lets users register and log in to OpenID-enabled websites using their own choice of OpenID identifier. With OpenID, a user can operate their own OpenID service (such as on their blog), or they can use the services of a third-party OpenID provider (for example, most major Web portals, such as AOL, Google, Yahoo, and MySpace, now offer OpenID service). One key advantage of OpenID is that it requires no client-side software; it works with any standard Internet browser. OpenID is a community-developed open standard hosted by the non-profit OpenID Foundation.
Q. What are Information Cards?
A. Information Cards are a new approach to Internet-scale digital identity in which all of a user's identities, whether self-created or from third-party identity providers (e.g., employer, financial institution, school, government agency, etc.), are uniformly represented as visual "cards" in a software application called a card selector. The cards themselves may be securely stored on the same computer as the card selector, on a mobile device, or "in the cloud". Cards may be exchanged with websites using a variety of protocols and formats. All card selectors support at least the IMI protocol developed by the OASIS IMI Technical Committee; however, Information Cards are now being adapted to other protocols (including OpenID). Information Card technology is developed and promoted by the non-profit Information Card Foundation.
Q. What are the key differences between OpenID and Information Cards?
A. OpenID does not require any client software, offers a strong installed base of relying parties and enabled users, and is already popular among user-generated content (blogs, wikis, discussion forums) and other managed content applications (media, sports, news, entertainment, music, product information, etc.). OpenID is developing additional functionality to enhance applicability for commerce and other higher assurance applications. Information Cards leverage client-side software that can allow scaling to higher Levels of Assurance, provide additional protection from phishing, and can share third-party verified credentials (e.g., proof of your age, credit rating, employer, etc.). Note that both OpenID and Information Cards can give users the ability to review when, where, and why they have shared personal information, and potentially to correct and/or withdraw it.
Q. What is the OpenID Foundation?
A. The OpenID Foundation (OIDF) was formed in June 2007 to help promote, protect and enable the OpenID technologies and community. The OIDF does not dictate the technical direction of OpenID; instead it helps enable and protect the work of the OpenID community, performed primarily via mailing lists, wikis, and working groups. The OpenID board consists of both community directors (elected annually by the community) and corporate directors; however, community directors are a majority.
Q. What is the Information Card Foundation?
A. The Information Card Foundation (ICF) is a non-profit community of individuals and companies formed in May 2008 to evolve the Information Card ecosystem. The ICF hosts mailing lists, wikis, and working groups but does not create technical standards; its work product is contributed to standards-setting organizations such as OASIS. Like the OIDF, the ICF board consists of both community and corporate directors, with the former a majority.
Q. What is the InCommon Federation?
A. The InCommon Federation creates and supports a common trust framework for shared management of access to on-line resources in support of higher education and research in the United States. InCommon facilitates development of a community-based trust fabric sufficient to enable participants to make appropriate decisions about the release of identity information and the control of access to protected online resources such as university libraries, course information, research papers, etc.
Q. What is ICAM?
A. ICAM is the U.S. Federal Identity, Credential, and Access Management Committee that oversees identity management technology and policy on a government-wide basis. For more information on ICAM and related activities, see the IDManagement.gov website.
About the U.S. Government Trust Framework Adoption Process
Q. Why has the Federal Government proposed the development of non-governmental trust frameworks?
A. By authority of the U.S. Congress, the General Services Administration (GSA) Office of Government-wide Policy (OGP) is responsible for government-wide coordination of a variety of activities aimed at improving electronic government services for all audiences - internally, with other government partners, with business partners, and with the American public. In pursuit of this mandate, OGP has pursued an interagency governance model that encourages agency innovation. The long-range vision is for identity management in government to take advantage of a broad spectrum of solutions, including solutions from private industry that deliver broader online access, improved user experience, high assurance, and strong cybersecurity.
One outcome of this move has been a transition away from a traditional "federation" model to an open model that promotes multiple solutions that comply with Office of Management and Budget (OMB) M-04-04 (the U.S. government requirements for identity assurance). In particular, the Federal Identity, Credential, and Access Management (ICAM) Committee would like to leverage industry-based credentials that citizens already have. To do this requires trust frameworks that can assess the trustworthiness of these electronic credentials. Adoption of non-governmental trust frameworks can provide a scalable model for extending identity assurance across a broad range of citizen and business needs as described in the Trust Framework Provider Adoption Process (TFPAP).
Q. What is a Trust Framework Provider (TFP)?
A. A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government. Certifications are for specific levels of assurance comparable with the four OMB Levels of Assurance (see question below). Once an identity provider is certified by a TFP at one or more assurance levels for one or more identity schemes, the provider is qualified to provide identity assertions to relying parties using that trust framework for those levels of assurance -- in this case U.S. government agencies.
Q. What is an Identity Scheme?
A. An identity scheme is a specific subset or profile of an open identity management standard. ICAM has produced identity schemes for SAML (Security Assertion Markup Language), OpenID, and Information Cards.
Q. How will ICAM adopt Identity Schemes?
A. Critical to the success of ICAM is the assessment and adoption of identity schemes that best serve the interest of the Federal Government. Based on guidance from OMB, NIST, and review from private sector partners, ICAM has proposed an Identity Scheme Adoption Process (ISAP). The ISAP provides a consistent, standard, structured means of identifying, vetting, and approving identity schemes that meet all ICAM requirements, as well as those of other Federal statutes, regulations, and policies.
Q. How will ICAM assess TFPs and adopt Trust Frameworks?
A. ICAM has defined the Trust Framework Provider Adoption Process (TFPAP) whereby the government can assess how well a proposed Trust Framework meets the federal requirements discussed above. Trust Frameworks adopted through this process will allow federal Relying Parties (RPs) to trust credential services from identity providers certified by the approved Trust Framework Provider (TFP).
Q. What are the four OMB Levels of Assurance and how are they assessed?
A. Each of the four Levels of Assurance is assessed against the same five (5) trust categories:
- Registration and Issuance: how well does the credential service provider (Identity Provider) register and proof the identity of the credential applicant, and issue the credential to the approved applicant?
- Tokens: what is the Identity Provider's token technology and how well does the technology intrinsically resist fraud, tampering, hacking, and other such attacks?
- Token and Credential Management: how well does the Identity Provider manage and protect tokens and credentials over their full life cycle?
- Authentication Process: how well does the Identity Provider secure its authentication protocol?
- Assertions: how well does the Identity Provider secure Assertions, if used, and how much information is provided in the Assertion?
Each TFP must demonstrate to the Identity, Credential, and Access Management Subcommittee (ICAMSC) comparable trust in each of the above categories for each LOA at which it wishes to certify identity providers under its Trust Framework. For their part, each Identity Provider must demonstrate comparability to a TFP for each LOA at which it wishes to be certified by the TFP.
Q. How will the ICAM Assessment Teams ensure that TFPs require adequate comparability by an Identity Provider in the assessment process?
A. The ICAM Assessment Team will determine whether the criteria applied by the TFP to its member Identity Providers (referred to variously as "IdPs" for Information Cards or SAML, or "OPs" for OpenID Providers) are comparable to ICAM criteria through a process that includes two parts:
- Technical and policy comparability review based upon the criteria set forth in Appendix A of the TFPAP; and
- Opt In: Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
- Minimalism: Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.
- Activity Tracking: Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
- Adequate Notice: Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
- Termination: In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
- Stability: Determination of whether the Applicant sufficiently reviews member identity provider bona fides to ensure member identity provider organizational maturity, legitimacy, stability, and reputation.
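As an added illustration (not code from the OIDF, ICF or ICAM), here is how an Identity Provider might enforce the Opt In and Minimalism criteria above together with the pseudonymous identifier described under "What is an identity provider?"; the function names, the demo key, the RP realm and the sample user record are constructed assumptions.

```python
import hmac
import hashlib

# Constructed demo key; a real Identity Provider would hold a per-deployment secret.
PAIRWISE_KEY = b"constructed-demo-key-not-for-production"


class PolicyViolation(Exception):
    """Raised when an RP request would breach the TFPAP privacy criteria."""


def pairwise_identifier(user_id, rp_realm, key=PAIRWISE_KEY):
    """Pseudonymous identifier: stable for one user at one RP, unlinkable across RPs.

    Derived with a keyed HMAC so a relying party can neither recover the user's
    account identifier nor correlate the subject with another site's value.
    """
    mac = hmac.new(key, f"{user_id}|{rp_realm}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def attributes_to_offer(requested, profile_required, pia_approved):
    """Minimalism: offer only attributes the RP explicitly requested or the
    Federal profile requires, and reject requests outside the RP's PIA."""
    outside_pia = set(requested) - set(pia_approved)
    if outside_pia:
        raise PolicyViolation(f"RP requested attributes not in its PIA: {sorted(outside_pia)}")
    return sorted(set(requested) | set(profile_required))


def build_assertion(user_id, user_attrs, rp_realm, offered, consent):
    """Opt In: release an attribute only when the End User positively confirmed it
    for this transaction; anything not shown and confirmed is withheld."""
    released = {}
    for attr in offered:
        if consent.get(attr) is True and attr in user_attrs:
            released[attr] = user_attrs[attr]
    return {
        "audience": rp_realm,
        "subject": pairwise_identifier(user_id, rp_realm),
        "attributes": released,
    }


def demo():
    """Constructed walkthrough: one user, one RP, 'name' opted out by the user.
    'age' is PIA-approved but never requested, so Minimalism keeps it out."""
    user = {"email": "alice@example.test", "name": "Alice Example", "age": 34}
    rp = "https://forms.agency.example.gov"   # constructed RP realm
    offered = attributes_to_offer(["email", "name"], ["email"], ["email", "name", "age"])
    consent = {"email": True, "name": False}  # user saw both attributes, declined name
    return build_assertion("user-0001", user, rp, offered, consent)


if __name__ == "__main__":
    print(demo())
```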
Q. What are some real-world examples of what members of the public will now be able to do at government websites that they could not do previously?
A. Although many government websites currently offer the ability for individuals to create accounts in order to personalize the site, gain access to protected resources, and manage interactions, this capability is different at each site, and requires manual effort on the part of the user, i.e., creation and maintenance of a new username/password. With OpenID and Information Cards, individuals will be able to register and log in to government websites in the same way everywhere in as little as one click. In addition, individuals can control what personal information is shared with the site -- without any typing. Finally, individuals can choose to participate anonymously at certain government sites while still being able to verify their authenticity. This is important for public forums, discussion lists, and other sites where it is vital for you to be able to share your opinion with the government without fear of repercussion.