Toward a Modern Magna Carta for Internet Identity

Many have noted similarities in the work of the US National Strategy on Trusted Identity in Cyberspace’s via its Identity Ecosystem Steering Group, and in the UK via HMG Cabinet Office Identity Assurance Program via its Identity Steering Group.

After the recent US National Strategy on Trusted Identity in Cyberspace Plenary in Atlanta, I attended meetings in London that focused on how the progress and precedents in GOV.UK Verify can inform business cases for identity services across both public and private sectors. The common denominator is a need for a private sector led, public private partnership, that helps accelerate the volume, velocity and variety of Internet transactions while recognizing government’s role in protecting the security and privacy of its citizens.

At an Open Identity Exchange (OIX) speaker’s dinner preceding a big tech entrepreneurs’ conference at the Royal Institute of Great Britain, industry leaders and investors from British banks and Silicon Valley talked about how best to grow bespoke services in the UK that interoperate with global identity ecosystems. There was begrudging acknowledgement that emerging UK identity services markets risk being dominated by a small group of US companies whose “walled gardens” and proprietary standards limit the upside and expansion for established and entrepreneurial enterprises alike in Britain.

All the attendees acknowledged that leveraging GOV.UK Verify as a catalyst for commercial services pivots on issues around how identity services that serve government might be repurposed for commercial applications. Put another way; what are the rules of the road in the UK for the reuse of government approved identity services?

The need for guidelines for the Internet—a Magna Carta, of sorts—was part of a discussion with Baroness Martha Lane Fox and others on the BBC recently. (http://www.bbc.co.uk/programmes/b048l00t). A week later in Silicon Valley, President Obama called for new cooperation to wrangle the Wild West of the Internet. (http://www.nytimes.com/2015/02/14/business/obama-urges-tech-companies-to-cooperate-on-internet-security.html?_r=0)

Francis Maude, the Minister for Cabinet OfficeHMG Minister for Cabinet Office Francis Maude reminded us before the dinner that all stakeholders have much to gain by a public-private partnership like OIX. It can help develop, deploy and govern a set of scheme rules that clarify and articulate the business, technical and legal interoperability requirements needed for robust business cases. The Right Honorable Francis Maude’s remarks  reminded many of us of his “JFDI” reference at the first Economics of Identity conference held last June in London.

Minister Maude eschewed that particular exhortation in his keynote last week, but his message was clear: British taxpayers will be well served by the efficiencies of the Government Digital Service (GDS) GOV.UK Verify program, as well as the catalyst it can provide to the emerging identity services in the UK private sector.

During the OIX member meetings that followed, GDS leader Chris Ferguson pointed to the challenge of starting with government procurement language to inform a public and private sector set of scheme rules.

The OIX Advisory Board noted the success of trust frameworks underway via the Transglobal Secure Collaboration Participation (TSCP) in defense and aerospace, and with the SAFE-BioPharma Association in the biopharmaceutical and healthcare sectors. Today these organizations provide identity federation services that are the rules of the road necessary to govern their sectors’ commercial Internet identity systems.

OIX UK is beginning to organize what we call a “scheme rules sprint” using a proven multi-stakeholder collaboration process that solves a specific and common problem. The process is key, as we take on the forcing-functions of transparency and a second annual Economics of Identity Conference on Canary Wharf on June 30 of this year. This work, like all others, will follow the now time-tested process set out in the UK Identity Steering Group, ensuring transparency and deliverables as we would expect with any government and Open Identity Exchange led project.

It is terribly presumptuous to compare our modest scheme rules or trust framework development efforts to a modern Magna Carta. But as they say in the UK, it’s a direction of travel, a way to honor the original Magna Carta on its anniversary and a road worth taking.

Don Thibeau
The Open Identity Exchange

Industry Leaders Lead: Google Asks Developers to Migrate from OpenID 2.0 to OpenID Connect

In 2015, waves of disruption are coursing through the Internet identity ecosystem as standard development organizations, companies and governments look to bolster the security and privacy of the information they are charged with protecting.

Implementing the latest open standards is one of the many practical steps identity providers and relying parties can take now to secure the identities of people accessing websites and apps. Industry leaders like Google are adopting the OpenID Connect protocol and migrating away from OpenID 2.0 to enable better privacy controls and stronger authentication. Released last year, OpenID Connect helps website and application developers get out of the business of storing and managing passwords – especially in the face of the increasing attacks that have compromised the identities of hundreds of millions of people worldwide.

Google recently announced to its developer ecosystem that they should migrate to OpenID Connect by April 20, 2015, the deadline when OpenID 2.0 will no longer work for Google Accounts.

Along with Google, other OpenID Foundation members including Microsoft, Salesforce, Ping Identity, and ForgeRock as well as companies such as Amazon, are adopting and deploying OpenID Connect. This is a signal to organizations worldwide that the tide is turning in the fight against identity theft and cybercrime. OpenID Connect will increase the security of the whole Internet by putting the responsibility for user identity verification in the hands of the most expert service providers.

For questions and information on OpenID Connect please turn to the following resources:

2015 Board of Directors Election Results

Thanks to all who voted for those who will represent corporate members and the community at large on the OpenID Foundation Board of Directors. John Bradley and Mike Jones have been elected to two year terms and George Fletcher to a one year term.

The returning board members help ensure the leadership, continuity and deep technical expertise that is the lifeblood of the Foundation. Those reelected will join current sustaining board representatives: Pam Dingle of Ping Identity, Raj Mata of PayPal, Tony Nadalin of Microsoft, Roger Casals of Symantec, Tracy Hulver of Verizon, Dylan Casey of Yahoo!, Debbie Bucci of the US Department of Health and Human Services, Office of the National Coordinator and Adam Dawes of Google on the board.

Corporate Members of the OpenID Foundation elect a member to represent them on the OIDF board.  All corporate members were eligible to nominate themselves, second the nominations of others, and vote for candidates. I am very pleased to announce the reelection of Torsten Lodderstedt of Deutsche Telekom as the Corporate member representative to the Board of Directors. In addition to his service on the Board, Torsten chairs the Mobile Profile for OpenID Connect WG. Torsten’s leadership in profiling OpenID Connect on the platform of choice, mobile, together with Deb Bucci’s focus on a particularly ‘wicked’ problem space, medical patient records permissioning demonstrates the importance of the work we have set out to do.

I am very pleased to announce a OpenID Foundation corporate member Nomura Research Institute, represented by Nat Sakimura, our long standing board Chairman, has stepped up its membership.  Sustaining membership requires a significant financial and resource commitment. I am delighted that NRI’s increased investment and Nat’s global thought leadership continues to inform our work.  Nat’s Chairmanship of the OpenID Foundation and liaison with OpenID Foundation Japan helps coordinate working groups with a vibrant community of developers in Asia.

There is a special place in heaven, or at least in the identity ecosystem, for those that lead by example.

Please join me in thanking all OpenID Foundation Board members for their leadership.

Regards,
Don