The Open Identity Framework
Don Thibeau, Executive Director, OpenID Foundation (OIDF)
Drummond Reed, Executive Director, Information Card Foundation (ICF)
V2 2009-12-06
Overview
• This presentation introduces the Open Identity Framework, a new open source model for trust frameworks created by the OIDF & ICF
• It covers:
– Why such a model is needed
– What principles underlie its design
– How the model works
– How it will drive adoption of open identity
– What next steps the foundations are taking
Third-party identity management
• Both OpenID and Information Cards address the need for Internet-scale digital identity management
• Both solve the problem using a third party to assist end-users in identity transactions
– Called an “identity service provider” (also “identity provider”, “IdP”, “IP”, “OP”)
• This sets up the following “trust triangle” for Internet identity transactions
The “trust triangle”
[Diagram: the three parties are the user, the identity service provider and the relying party. The user has a Terms of Service (TOS) agreement with the identity service provider and a separate TOS agreement with the relying party; the identity service provider and the relying party are joined by an optional direct trust agreement.]
The trust problem
• The user has a direct trust relationship with both the identity service provider and the relying party
• The problem is: how can the identity service provider and relying party trust each other?
• This problem is especially acute:
– At Internet scale, where identity service providers and relying parties may not have any pre-existing relationship
– With high-value data
– With high-assurance transactions
Direct trust agreements do not scale
• Direct trust agreements are common when an identity service provider and a relying party are close business partners
– Airlines and rental car companies
• They do not scale to large networks, e.g., credit card networks, ATM networks
– Requires on the order of n² trust agreements
• The solution is often a trust framework
– A shared set of policies and agreements
A trust framework “umbrella”
[Diagram: a Trust Framework, produced by a Trust Community, forms an umbrella over the identity service provider, the relying party and the user.]
Trust framework providers
• Other industries (credit cards, ATMs) have created global trust frameworks
• They each use a shared trust framework provider
– Visa, Mastercard, AMEX
– Cirrus, PLUS
• The same model can be used for identity
A trust framework for identity
[Diagram: a Trust Community (the source of a trust framework) feeds a Trust Framework Provider (TFP). The TFP holds trust framework agreements with the identity service provider, the relying party, assessors & auditors and dispute resolvers; the user holds TOS agreements with the identity service provider and the relying party.]
Example #1: the US ICAM trust framework
[Diagram: the same structure as the previous slide. Trust Framework Provider: US GSA (US GSA is shown a second time in the original diagram). Identity service providers: private-sector identity providers. Relying parties: US government websites. Also shown: assessors & auditors, dispute resolvers, user.]
Example #2: the OpenID Society trust framework
[Diagram: Trust Framework Provider: ?? (left open in the original). Participants: professional associations, academic publishers. Also shown: assessors & auditors, dispute resolvers, user.]
Example #3: the PBS trust framework
[Diagram: Trust Framework Provider: US GSA. Identity service providers: PBS affiliate stations. Relying parties: websites for PBS shows. Also shown: assessors & auditors, dispute resolvers, user.]
The Open Identity Framework
• This model is an Internet-scale, open source trust framework model for identity
• It is a meta-framework where each trust community can specify the requirements of its own trust framework
• This approach leverages market forces to:
– Drive adoption
– Drive convergence of specifications for LOA (Levels of Assurance)
– Introduce specifications for LOP (Levels of Protection)
– Engage market pricing for services from assessors, auditors, and dispute resolution service providers
The Open Identity Framework Model
[Diagram: the OIF Trust Framework Provider sits at the centre, with trust communities on one side and identity service providers, relying parties, assessors & auditors and dispute resolvers around it; the user holds TOS agreements with the identity service provider and the relying party, and the other parties hold trust framework agreements with the OIF Trust Framework Provider. The original numbers the relationships 1 through 5; the mapping of numbers to arrows is not recoverable from the extracted text.]
Range of OIF certification options
[Diagram: certification options span two dimensions. Certification type: self-certification or third-party certification. Subject of certification: technical interoperability or policy matching.]
OIF technical interoperability
[Diagram: trust communities supply Technical Interop Requirements to the OIF Trust Framework Provider, which publishes Technical Certification Listings. Identity service providers and relying parties appear in the listings either by self-certification or by third-party certification performed by assessors & auditors.]
OIF policy matching
[Diagram: as on the previous slide, plus trust communities supply Policy Matching Requirements and the OIF Trust Framework Provider publishes Policy Certification Listings alongside the Technical Certification Listings. Identity service providers and relying parties are listed by self-certification or by third-party certification performed by assessors & auditors.]
Why will the OIF drive adoption?
Range of OIF certification optionsRange of OIF certification optionsRange of OIF certification optionsRange of OIF certification options
Self-certification
Third-party
certification
Policymatching Technical
interoperability
OIF technical interoperability OIF technical interoperability OIF technical interoperability OIF technical interoperability
16
Third-party certificationSelf-certification
identityservice
providers
Technical CertificationListings
Technical CertificationListings
OIF Trust Framework Provider
trust communities
relyingparties
assessors& auditors
assessors& auditors
Technical InteropRequirements
OIF policy matching OIF policy matching OIF policy matching OIF policy matching
17
identityservice
providers
Technical CertificationListings
Technical CertificationListings
OIF Trust Framework Provider
Policy CertificationListings
Policy CertificationListings
relyingparties
assessors& auditors
assessors& auditors
trust communities
Policy MatchingRequirements
Third-party certificationSelf-certification
18
Why will the OIF drive adoption?Why will the OIF drive adoption?Why will the OIF drive adoption?Why will the OIF drive adoption?
1. Efficiency
2. Openness/Transparency
3. Credibility/Accountability
4. Improved user experience
Efficiency
• The OIF makes it easy for anyone of any size to ensure technical interop or policy matching with their choice of profiles
• Eliminates the n-squared problem of multi-lateral interop or trust agreements
• Grows the market for everyone
– The “network effect for trust”
Openness/Transparency
• Properly implemented, the OIF provides an open, transparent process for trusted identity transactions
– Both within and between trust communities
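To make the certification-listing mechanism of the technical-interoperability and policy-matching slides concrete, and to put a number on the n-squared point made under Efficiency, here is an added worked example. It is not code from the presentation, the OIDF or the ICF; the trust framework provider model, the profile names, the participants, the community requirements and the assessor names are all constructed for the illustration. A relying party asks the provider which identity service providers it may accept under a given trust community: both sides must be listed for every profile the community requires, at or above the certification level (self or third-party) the community demands.

```python
"""Constructed model of trust-framework certification listings (hypothetical).

Nothing here is OIF/OIDF/ICF code; all names and data are invented for the example.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Certification strength, weakest first: the two options on the slide.
CERT_RANK = {"self": 1, "third-party": 2}


@dataclass(frozen=True)
class Listing:
    """One entry in the provider's technical or policy certification listings."""
    participant: str                 # identity service provider or relying party
    role: str                        # "idp" or "rp"
    profile: str                     # technical interop or policy profile name
    certification: str               # "self" or "third-party"
    assessor: Optional[str] = None   # required for third-party certification


@dataclass(frozen=True)
class Requirement:
    """A trust community's requirement for one profile."""
    profile: str
    min_certification: str           # "self" or "third-party"


@dataclass
class TrustFrameworkProvider:
    """Holds published listings and the requirements each trust community supplies."""
    listings: List[Listing] = field(default_factory=list)
    community_requirements: Dict[str, List[Requirement]] = field(default_factory=dict)

    def add_listing(self, listing: Listing) -> None:
        if listing.certification not in CERT_RANK:
            raise ValueError(f"unknown certification type {listing.certification!r}")
        # A third-party certification must record which assessor/auditor issued it.
        if listing.certification == "third-party" and not listing.assessor:
            raise ValueError(f"{listing.participant}: third-party cert needs an assessor")
        self.listings.append(listing)

    def _satisfies(self, participant: str, role: str, req: Requirement) -> bool:
        needed = CERT_RANK[req.min_certification]
        return any(
            entry.participant == participant and entry.role == role
            and entry.profile == req.profile
            and CERT_RANK[entry.certification] >= needed
            for entry in self.listings
        )

    def qualifies(self, participant: str, role: str, community: str) -> bool:
        """True if the participant is listed for every profile the community requires."""
        reqs = self.community_requirements.get(community)
        if not reqs:
            return False   # unknown community, or one that published no requirements
        return all(self._satisfies(participant, role, r) for r in reqs)

    def trusted_idps_for(self, rp: str, community: str) -> List[str]:
        """IdPs the relying party may accept: both sides qualify under the community."""
        if not self.qualifies(rp, "rp", community):
            return []
        idps = sorted({e.participant for e in self.listings if e.role == "idp"})
        return [i for i in idps if self.qualifies(i, "idp", community)]


def agreement_counts(parties: List[str]) -> Tuple[int, int]:
    """Agreements needed with direct bilateral trust vs. one trust framework.

    Direct: one agreement per pair, n(n-1)/2, i.e. order n-squared.
    Framework: one agreement per party with the provider, n.
    """
    direct = sum(1 for _ in combinations(parties, 2))
    return direct, len(parties)


def build_example_tfp() -> TrustFrameworkProvider:
    """Constructed sample data: one community, three IdPs, two RPs."""
    tfp = TrustFrameworkProvider()
    tfp.community_requirements["example-community"] = [
        Requirement("openid-interop-profile", "self"),          # technical interop
        Requirement("privacy-policy-baseline", "third-party"),  # policy matching
    ]
    tfp.add_listing(Listing("idp-a", "idp", "openid-interop-profile", "self"))
    tfp.add_listing(Listing("idp-a", "idp", "privacy-policy-baseline", "third-party", "assessor-x"))
    tfp.add_listing(Listing("idp-b", "idp", "openid-interop-profile", "third-party", "assessor-x"))
    tfp.add_listing(Listing("idp-b", "idp", "privacy-policy-baseline", "self"))  # too weak
    tfp.add_listing(Listing("idp-c", "idp", "openid-interop-profile", "self"))   # incomplete
    tfp.add_listing(Listing("rp-1", "rp", "openid-interop-profile", "third-party", "assessor-y"))
    tfp.add_listing(Listing("rp-1", "rp", "privacy-policy-baseline", "third-party", "assessor-y"))
    tfp.add_listing(Listing("rp-2", "rp", "openid-interop-profile", "self"))     # incomplete
    return tfp


if __name__ == "__main__":
    provider = build_example_tfp()
    print(provider.trusted_idps_for("rp-1", "example-community"))   # ['idp-a']
    print(provider.trusted_idps_for("rp-2", "example-community"))   # []
    print(agreement_counts([f"party-{i}" for i in range(20)]))       # (190, 20)
```

Two design points worth noting. A third-party listing that names no assessor is rejected at publication time, so a relying party reading the listings can always trace a certification back to whoever vouched for it; and an RP that does not itself qualify gets no IdPs at all, which keeps the check symmetric, as the deck's mutual-accountability slide suggests. The agreement count simply makes the slide's scaling claim visible: twenty parties need 190 bilateral agreements but only 20 framework agreements.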
• Helps protect participants from collusion or anti-trust concerns
• Anticipates cross-border data protection issues
Credibility/Accountability
• Each participant (trust community, identity service provider, relying party, assessor, auditor, dispute resolver) reinforces the credibility of the entire ecosystem
• Mutual accountability of all participants
• Enhanced by government participation
– Governments serve as the initial “trust anchors”
User experience improvements
• Increased interoperability of Internet identity across websites
• More consistent ceremony leads to lower login or transaction abandonment at relying parties
• Consistent trust mark raises user confidence
Thank you
• We look forward to working with you
– [email protected]
– [email protected]