US Government moves towards OpenID

Jason Miller reports for Federal News Radio about the US government’s attempts to consolidate logins and potentially integrate current PIV card holders into a unified authentication and identity repository for accessing government services. It will be interesting to see where this goes, but I have the feeling that this is a step closer to what a number of other countries are attempting. In one corner, you have cost-saving measures by reducing redundancy, and in the other, you have the paranoia about, and potential misuse of, having just one repository of your federal identity. Of course, having numerous repositories of your identity spread amongst different government agencies is no more secure…

From the article:

The National Institutes of Health will kick off a pilot in the next few weeks to test how it would use commercial applications, such as Yahoo or Google, to let employees and citizens sign up for services.

Federal chief information officer Vivek Kundra says the goal is to show how the government could do away with the need for multiple usernames and passwords for government services and use existing commercial infrastructure.

"One of things we have to recognize is the U.S. government continues to invest in platforms we shouldn't be investing in," says Kundra today at the Gov 2.0 Summit in Washington sponsored by O'Reilly Media and TechWeb.

"If you wanted to go out there today and make a reservation for a camping site, the Department of Interior, through, would force you to create an account and you would use once or a couple of times, and you would never use it again. The same thing if you went to the NIH, GSA and every other agency. It leads to poor service and higher costs because a lot of that infrastructure is disposable."

Kundra says the goal is to use existing platforms for services that are not sensitive.

"We've been working with the OpenID foundation to look at how we could create a trust framework across the federal government with the providers of OpenID to be able to authenticate and allow people to have access to some of the government services," he says.

"What this will allow to do is move from Web sites on the federal government's end that are brochureware to actually be very interactive, service driven sites that American people can use within their own context."

Kundra says one of the biggest issues for the pilot is security and privacy.

"We want to make sure that if you signed up for those accounts that you as the consumer have full consent of what is happening with the data, how you authenticate and opting in," he says.

"At the NIH level, if you want to sign up for a conference, why not use one of those platforms instead of building an entire new infrastructure. Most people have accounts that could be used."

Don Thibeau, executive director of the OpenID Foundation, says the NIH pilot will show how interactions with researchers and scientists worldwide can be easier.

"If you are looking for information on the latest information on cancer research, OpenID is an onramp to engage NIH so they can remember who you are," he says.

"It also allows you to on your choice give permissions for NIH to know more about you. It begins that relationship so they can tailor the kind of content that you have access to or the kind of information they would like to recommend to you at a level of assurance that the citizen is comfortable with."

Judy Spencer, the chairwoman of the Federal Public Key Infrastructure Policy Authority, says the CIO Council and Federal Identity Credentialing Committee are trying to allay some security and privacy concerns about using commercial sites.

She says they have adopted six privacy principles for this and other pilots:

  • The user only can opt in;
  • The government will accept only a minimal amount of personal information;
  • The government will not track the user's activity online;
  • The government will not accept any personal identifiable information;
  • Users will receive adequate notice that the government is collecting certain information;
  • If the service is terminated, the data remains protected.

Kundra says this concept could be extended to the internal government operations.

He says because more and more federal employees, and contractors, have secure identity cards under Homeland Security Presidential Directive 12, there are opportunities there as well.

As of June 1, almost 2.7 million federal employees and 745,000 contractors have HSPD-12 compliant cards.

The NIH pilot is part of a broader initiative by the Obama administration to better integrate federal identity management, which includes the federal public key infrastructure efforts, HSPD-12 and the E-Authentication initiative.

The CIO Council's Information Security and Identity Management Committee is updating the federal ID management handbook.

"We are trying to develop a government-wide credential and access management framework or landscape that all of these other initiatives will be able to take advantage of," Spencer says.

"If we do our job right, then these other entities will be able to leverage that and not have to silo or reinvent these things."

Spencer, who also spoke at the Gov 2.0 Summit, says the government's success in tackling identity management has been mixed. She says since the early 2000s, initiatives such as e-authentication and HSPD-12 have made identity management easier.

"We have been stymied in reaching the 300 million American citizens who want to do business with the government," she says.

"That is why we have started to look at open solutions and leverage those companies that already are doing business with the government."

The OpenID Foundation says this includes 10 companies, including Yahoo!, PayPal, Google, Equifax and AOL.

Thibeau says this initiative builds on past strategies.

"This time the government has deliberately reached out to the private sector for [several] things: to meet citizens where they are today, this opportunity brings the citizen identity to the government so unlike previous accounts this doesn't require the citizen or user to do anything new," Thibeau says.

"It says you will have access to government sites with the identity you have today through the identity provider you have chosen."

Thibeau says the OpenID standard is not owned by any one company, but it is a set of protocols many companies have agreed to follow.

Spencer says from this pilot citizens will grow more comfortable with using federal services online, and more complex transactions can happen once that trust is established.

Michael Mongold

*** This is a Security Bloggers Network syndicated blog from Michael Mongold's Technology Security authored by Michael Mongold. Read the original post at: