Online Identity Trust

Introduction to OIX: A Market Solution to Online Identity Trust

Don Thibeau

description

This document describes digital identity trust.

Transcript of Online Identity Trust

Page 1: Online Identity Trust

Introduction to OIX: A Market Solution to Online Identity Trust

Don Thibeau

Page 2: Online Identity Trust

Commerce Requires Trust

The Internet presents countless market opportunities limited only by the confidence to trust digital identity exchanges.

Page 3: Online Identity Trust

"Trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet.

Trusted frameworks that provide identity assurance are a critical factor in the success of the digital identity ecosystem."

-- Andrew Nash, Senior Director of Identity Services for PayPal Inc.

OIX Founding Board Member

Page 4: Online Identity Trust


We live in a world of “trust frameworks”

• Most are closed:

– Visa, MasterCard, AMEX credit card networks

– Phone networks

– ATM networks

• Some are open:

– Political, social, religious organizations

• Some are explicit: (legal agreements)

• Some are implicit: (social contracts)

Page 5: Online Identity Trust

The Basic “Trust Triangle”

• The user has a direct trust relationship with both the identity service provider and the relying party

• The problem is: How can the identity service provider and relying party trust each other?

Page 6: Online Identity Trust

A Matter of Trust

• Relying Parties (RP) must be able to trust that the Identity Provider can reliably provide accurate user data

• Identity Providers (IDP) must be able to trust that the Relying Party is legitimate (i.e., not a hacker, phisher, etc.)

• Direct RP-to-IDP agreements are a common solution, but are impossible to manage at Internet scale

Page 7: Online Identity Trust

Builds Trust

OIX is an Internet-scale solution to the problem of how digital identities can be trusted online

Page 8: Online Identity Trust

Background

• OIX was founded by leading identity providers and relying parties in the internet and telecommunications industries

• Prompted by the US government’s need to accept identity credentials from certified providers at known levels of assurance

– The US government did not want to become an identity provider for citizens

– It wanted to consume credentials citizens already had from third-party identity providers

Page 9: Online Identity Trust

The OIX Identity Trust Framework Model

[Diagram labels: Open Identity Exchange; Trust framework agreements; Identity Service Provider; Relying Party; user; (or Yahoo, PayPal and many others)]

Page 10: Online Identity Trust

Technical & Policy Interoperability

OIX Trust Frameworks reduce friction of using the web through interoperability of digital identities

Interoperability increases market opportunities and converts more sales with easier user experiences

Interoperable digital identity eases user experience, increases user confidence and strengthens privacy

Page 11: Online Identity Trust

"OIX is the organization where different parties across verticals such as federal, Telco, and healthcare, can come together to address policy challenges through the creation of vertical trust frameworks.

The immediate need is to tailor to each eco-system while providing a consistent approach that in the long run, will allow us to link all the identity networks together through infrastructure and policy interoperability."

-- Nico Popp, VP Identity and Authentication Services, Symantec

OIX Founding Board Member

Page 12: Online Identity Trust

The US ICAM Trust Framework

First example of OIX Trust Frameworks developed in conjunction with the U.S. GSA on behalf of the Identity, Credential, and Access Management (ICAM) subcommittee of the U.S. CIO Council.

Page 13: Online Identity Trust

The US ICAM Trust Framework

Designed to meet the first of the four LOAs defined by the ICAM Trust Framework Provider Adoption Process (TFPAP), the OIX US ICAM LOA 1 trust framework was approved by ICAM on 15 February 2010 and went operational on 3 March 2010.

Page 14: Online Identity Trust

The US ICAM Trust Framework

The US ICAM LOA 1 trust framework enables U.S. federal agency websites, such as the National Institute of Health (NIH), the National Library of Medicine (NLM), and the Library of Congress (LOC), to begin accepting OpenID and Information Card credentials from OIX certified private-industry providers.

Milestone of note: July 27, 2010, OIX announced formation of the US ICAM Trust Framework Working Group to extend the OIX US ICAM Trust Framework specification to LOA 2 and Non-PKI 3.

Page 15: Online Identity Trust

Telco Data Trust Framework

The intent is to specify a consistent, provider-agnostic set of information exchange protocols and policies for the purpose of facilitating identity verification, digital identity management and fraud prevention.

These “rules and tools” would allow for access to necessary subscriber information without interfering in, risking, or devaluing the primary relationship between the subscriber and the Telecom Service Provider who is holding private subscriber data “in trust”.

Page 16: Online Identity Trust


Where trust frameworks fit

[Diagram labels: Internet Identity Layer; Technology Interoperability (Identity Protocols); Usability (User Experience Ceremonies); Market Expansion & Adoption; Hardware Devices (Security Capabilities); Policy Interoperability (Trust Frameworks)]

Page 17: Online Identity Trust

OIX Drives Adoption

By Enabling Improved User Trust

Through Openness and Transparency

By Ensuring Credibility and Accountability

Improving Market Efficiency

Page 18: Online Identity Trust

Who Should Join OIX?

• All organizations engaged in the digital identity market who want to become certified identity providers, relying parties, or assessors.

• Governments, professional associations, non-profit networks, and other communities who want to develop their own trust frameworks.

Page 19: Online Identity Trust

Benefits of Joining OIX

• “OIX Certified” brand

• Access to a worldwide network of leading organizations and individuals in the identity assurance industry.

• Ability to lead in developing trust frameworks, advisory committees and working groups

• Achieve a level playing field with the global players in the market

• Influence the strategy, direction and policies of OIX

Page 20: Online Identity Trust


Why do this together?

• Cost efficiency

– Lowers legal, design, and operations costs

– Lowers overhead for assessors, IdPs, and RPs who need to be certified

• Process efficiency

– Single entity for negotiation of MOAs with trust communities

– Will attract other trust communities

• Effectiveness

– 1+1=3

Page 21: Online Identity Trust

• OIX enables cross-industry certification that builds trust through technical and policy interoperability

• OIX is a neutral, non-profit, technology-agnostic, global Internet utility.

• OIX reduces friction and expands market opportunities to Internet scale

Learn more at http://openidentityexchange.org


Page 23: Online Identity Trust

Go to the website to learn more:

http://openidentityexchange.org

Are you interested in getting involved in the OIX community to help shape the future of digital identity?