Long touted by the Open Source community as the way to go for managing digital identities, OpenID got some serious backing when the OpenID Federation announced, in September 2009, that it would be running a pilot to enable citizens to log in to US government websites with their existing OpenID and/or InfoCard accounts.

The pilot is a much needed shot in the arm for both OpenID and InfoCard. Despite a claimed 500m plus IDs “out in the wild”, take-up has been patchy to say the least.

But do open trust frameworks break the back of the identity management (IDM) problem for corporate organisations?

The OpenID pilot is regarded in the US as a key step in President Obama’s initiative to make it easy for individuals to register and participate in government websites using their OpenID or InfoCard credentials - without having to create new usernames and passwords.

The underlying principle of OpenID and InfoCard is that citizens will be able to fully control how much or how little personal information they share with the service provider (in the case of the pilot, the service provider is the US government).

It is the point of control that should concern organisations: who holds the keys?

Are the processes that manage the registration of citizens sufficiently robust that the identity is unequivocal and unique (that is, properly verified), and is the integrity of the credentials such that they would be difficult to compromise?

These questions, and the many ones of detail that relate to them, may have been brushed aside in the desire to provide functionality rather than security.

The basics of how OpenID and InfoCard work are as follows: under the OpenID Foundation (OIDF) and Information Card Foundation (ICF) open trust frameworks, any organisation that meets the technical and operational requirements of the trust framework may be certified as an identity provider (IDP).

Citizens can choose an identity provider and a preferred credential (limited to the credential types supported by that IDP). Open trust framework service providers, i.e. websites, are able to accept and trust the credential offered by the user, subject only to any rules the service provider may have regarding the minimum level of information it requires from the credential.

For some activities these credentials will allow the user to remain completely anonymous; for others they may require personal information such as name, age, gender, and so on. Service providers need to determine what they require, and citizens need to accept that for some services they may be required to disclose more than they might think necessary.
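The relying-party side of the rule just described, written here as an added illustration rather than code from OpenID, InfoCard or the pilot: the site accepts a credential only from an identity provider certified under the framework, and only if the claims the citizen chose to disclose cover the site's minimum for the activity. The activity names, the claim names, the certified-IDP list and the sample credentials are all constructed for this example.

```python
"""Relying-party policy check for a trust-framework credential.

Added illustration, not OpenID's or InfoCard's own code. It models the two
rules the text describes: accept credentials only from identity providers
certified under the framework, and only when the claims the citizen chose
to disclose meet the site's minimum for the requested activity.
"""
from dataclasses import dataclass, field

# Constructed allow-list standing in for the framework's certification register.
CERTIFIED_IDPS = {"https://idp.example.org", "https://cards.example.net"}

# Minimum claims per activity; an empty set means the citizen may stay anonymous.
ACTIVITY_POLICY = {
    "read-consultation": frozenset(),
    "submit-comment": frozenset({"pseudonym"}),
    "apply-for-benefit": frozenset({"name", "date_of_birth", "postal_code"}),
}


@dataclass
class Credential:
    issuer: str                                  # IDP that issued the assertion
    claims: dict = field(default_factory=dict)   # claims the citizen chose to disclose


def evaluate(cred: Credential, activity: str) -> tuple[bool, str]:
    """Return (accepted, reason). Reject rather than silently over-collect."""
    if activity not in ACTIVITY_POLICY:
        return False, f"unknown activity {activity!r}"
    if cred.issuer not in CERTIFIED_IDPS:
        return False, f"issuer {cred.issuer} is not certified under the framework"
    required = ACTIVITY_POLICY[activity]
    missing = sorted(c for c in required if not cred.claims.get(c))
    if missing:
        # The citizen withheld something this activity needs. The site should
        # ask for exactly these claims so the user can decide whether to walk away.
        return False, "missing required claims: " + ", ".join(missing)
    extra = sorted(set(cred.claims) - required)
    if extra:
        # Over-disclosure is the citizen's choice, but the site should not
        # retain what the activity does not need.
        return True, "accepted; discard unneeded claims: " + ", ".join(extra)
    return True, "accepted"
```

An anonymous credential passes the read-only activity but is refused for the others, and a credential from an issuer outside the certified list is refused regardless of what it discloses.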

Open trust frameworks create some complexity, possibly confusion, over the choice the citizen makes in handing over what they think is the appropriate level of information for authentication purposes. What happens if the service provider asks for more than seems reasonable: does the citizen walk away? The trust relationship gains a new dimension: the user not only has to trust the identity provider but also has to trust the service provider. It is not clear how OpenID and InfoCard set up trust relationships with service providers beyond the service provider being ‘enabled’.

OpenID and InfoCard are citizen-centric and could be at the “wrong end of the telescope” for organisations looking for a suitable approach to providing a corporate identity management solution.