iGov WG
October 22, 2018
Paul Grassi
Easy Dynamics
Adam Cooper
Next ID
John Bradley
Yubico
http://openid.net/wg/igov/
Purpose
Develop a security and privacy profile of the OpenID Connect and OAuth
specifications.
Enable standardized integration with public sector relying parties in multiple
jurisdictions.
Allow users to authenticate and share consented attribute information with
public sector services across the globe.
iGov Specifications
• International Government Assurance Profile (iGov) for OAuth 2.0
– http://openid.net/specs/openid-igov-oauth2-1_0.html
– Profiles the OAuth 2.0 protocol framework to increase baseline security, provide greater interoperability, and structure deployments in a manner applicable to consumer-to-government deployments.
• International Government Assurance Profile (iGov) for OpenID
Connect 1.0
– http://openid.net/specs/openid-igov-profile-1_0.html
– Building on the OAuth 2.0 iGov profile, this spec defines an OpenID Connect profile that provides governments with a foundation for securing federated access to public services online.
iGov WG Status
Both iGov Profiles are out for Implementer’s Draft vote.
Vote YES!
Long Overdue!
Next Steps
We need an implementation
Vectors of Trust use cases
Attribute metadata specs
Why metadata?
1. Limitations in Assurance Levels
Attributes collected as part of identity proofing may not have the same assurance level as other attributes. In fact, for some attributes, assurance is not even in play.
2. Use Cases Exist
The financial sector in the US is exploring metadata use cases for “Know your customer.” International MNO and financial use cases are in pilot.
3. Specifications Exist
NISTIR 8112 - https://pages.nist.gov/NISTIR-8112/NISTIR-8112.html. The UK is in the process of developing a metadata specification.
Issues and Opps in US Gov
Issue
• Little to no governance.
• No enforcement.
• Trust framework services in doubt.
• Lack of agency awareness:
 – Of technology.
 – Of open/public standards process.
 – Of comment process.
 – Of what ID and other states mean.
 – How/who gets to vote. Agencies are used to this type of material going through the CIO Council for approval, not the private sector with a ‘single NIST’ vote.
• Commitment to SAML.
Possible Mitigation(s)
• Draft NIST SP 800-53r5 changed “use FICAM approved profiles” to “NIST approved profiles.”
• But “NIST approved” isn’t defined.
• OMB Draft Identity Memo could resolve this. It’s never too late to provide feedback.
• NIST, or other designee, has to write a NISTIR defining the profile-making process and how agencies can participate. Precedent example: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7977.pdf.
• Private-sector led value prop for agencies to adopt trust frameworks.
Opportunity(ies)
• IT Modernization.
• SSA transformation and S.2155 - Economic Growth, Regulatory Relief, and Consumer Protection Act, Section 215 – Reducing Identity Fraud.
• IRS transformation.
• Federal Student Aid loan processing RFP includes identity.
Thank you
http://openid.net/wg/igov/
OpenID Foundation iGov Working Group Update - October 22, 2018