
The Open Identity Framework

The Open Identity Framework. Don Thibeau, Executive Director, OpenID Foundation (OIDF) Drummond Reed, Executive Director, Information Card Foundation (ICF). V2 2009-12-06. Overview.


Presentation Transcript


  1. The Open Identity Framework • Don Thibeau, Executive Director, OpenID Foundation (OIDF) • Drummond Reed, Executive Director, Information Card Foundation (ICF) • V2 2009-12-06

  2. Overview • This presentation introduces the Open Identity Framework, a new open source model for trust frameworks created by the OIDF & ICF • It covers: • Why such a model is needed • What principles underlie its design • How the model works • How it will drive adoption of open identity • What next steps the foundations are taking

  3. Third-party identity management • Both OpenID and Information Cards address the need for Internet-scale digital identity management • Both solve the problem using a third party to assist end-users in identity transactions • Called an “identity service provider” (also “identity provider”, “IdP”, “IP”, “OP”) • This sets up the following “trust triangle” for Internet identity transactions

  4. The “trust triangle” [Diagram. Labels: relying party; identity service provider; user; optional direct trust agreement; Terms of Service (TOS) agreement (shown twice)]

  5. The trust problem • The user has a direct trust relationship with both the identity service provider and the relying party • The problem is: how can the identity service provider and relying party trust each other? • This problem is especially acute: • At Internet scale, where identity service providers and relying parties may not have any pre-existing relationship • With high-value data • With high-assurance transactions

  6. Direct trust agreements do not scale • Direct trust agreements are common when an identity service provider and a relying party are close business partners • Airlines and rental car companies • They do not scale to large networks, e.g., credit card networks, ATM networks • Requires n² trust agreements • The solution is often a trust framework • A shared set of policies and agreements

  7. A trust framework “umbrella” [Diagram. Labels: Trust Framework; identity service provider; relying party; user; Trust Community]

  8. Trust framework providers • Other industries (credit cards, ATMs) have created global trust frameworks • They each use a shared trust framework provider • Visa, Mastercard, AMEX • Cirrus, PLUS • The same model can be used for identity

  9. A trust framework for identity [Diagram. Labels: Trust Community (source of a trust framework); relying party; identity service provider; Trust Framework Provider (TFP); assessors & auditors; dispute resolvers; trust framework agreements; TOS agreements; user]

  10. Example #1: the US ICAM trust framework [Diagram. Labels: US GSA; Trust Framework Provider; private-sector identity providers; assessors & auditors; dispute resolvers; US government websites; user]

  11. Example #2: the OpenID Society trust framework [Diagram. Labels: US GSA; Trust Framework Provider; ?; professional associations; academic publishers; assessors & auditors; dispute resolvers; user]

  12. Example #3: the PBS trust framework [Diagram. Labels: US GSA; Trust Framework Provider; assessors & auditors; dispute resolvers; websites for PBS shows; PBS affiliate stations; user]

  13. The Open Identity Framework • This model is an Internet-scale, open source trust framework model for identity • It is a meta-framework where each trust community can specify the requirements of their own trust framework • This approach leverages market forces to: • Drive adoption • Drive convergence of specifications for LOA • Introduce specifications for LOP (Levels of Protection) • Engage market pricing for services from assessors, auditors, and dispute resolution service providers

  14. The Open Identity Framework Model [Diagram with numbered callouts 1 to 5. Labels: Trust Community (shown three times); relying parties; identity service providers; OIF Trust Framework Provider; assessors & auditors; dispute resolvers; trust framework agreements; TOS agreements; user]

  15. Range of OIF certification options

  16. OIF technical interoperability [Diagram. Labels: trust communities; relying parties; identity service providers; Technical Interop Requirements; Technical Certification Listings; assessors & auditors (shown twice); self-certification; OIF Trust Framework Provider; third-party certification]

  17. OIF policy matching [Diagram. Labels: trust communities; relying parties; identity service providers; Policy Matching Requirements; Policy Certification Listings; assessors & auditors (shown twice); Technical Certification Listings; self-certification; OIF Trust Framework Provider; third-party certification]

  18. Why will the OIF drive adoption? • Efficiency • Openness/Transparency • Credibility/Accountability • Improved user experience

  19. Efficiency • The OIF makes it easy for anyone of any size to ensure technical interop or policy matching with their choice of profiles • Eliminates the n-squared problem of multi-lateral interop or trust agreements • Grows the market for everyone • The “network effect for trust”

  20. Openness/Transparency • Properly implemented, the OIF provides an open, transparent process for trusted identity transactions • Both within and between trust communities • Helps protect participants from collusion or anti-trust concerns • Anticipates cross-border data protection issues

  21. Credibility/Accountability • Each participant (trust community, identity service provider, relying party, assessor, auditor, dispute resolver) reinforces the credibility of the entire ecosystem • Mutual accountability of all participants • Enhanced by government participation • Governments serve as the initial “trust anchors”

  22. User experience improvements • Increased interoperability of Internet identity across websites • More consistent ceremony leads to lower login or transaction abandonment at relying parties • Consistent trust mark raises user confidence

  23. Thank you • We look forward to working with you • don@oidf.org • director@informationcard.net
