Yesterday, at the RSA Conference, Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton announced the formation of the Open Identity Exchange (OIX), a non-profit organization designed to build trust in the exchange of online identity credentials in both the public and private sectors. The Open Identity Exchange grew out of a public-private partnership formed at the same conference last year. CivSource spoke with OIX board member and executive director of the OpenID Foundation Don Thibeau about the OIX and its impact for states, municipalities and organizations of all types.
The OIX was formed with initial grants from the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) and has created a trust framework that independently certifies online identity management providers according to standards for identity assurance outlined by the US government. The OIX is the first provider of the Open Identity Trust Framework, allowing any entity in the public or private sector that provides identity services to work through a centralized certification process that ensures compliance with federal technology and privacy rules. The trust framework currently meets the requirements set forth by the U.S. Identity, Credential, and Access Management (ICAM) Trust Framework Provider Adoption Process (TFPAP) established by the U.S. General Services Administration (GSA).
So far, Google, PayPal and Equifax have been the first three companies certified by the trust framework, with others such as Verizon expected to come on board soon. At the federal level, the National Institutes of Health (NIH) is the first government website accepting these credentials, which include OpenID and Information Card log-ins. This allows any user with an OpenID, such as a Gmail account, to use a number of online services with a central log-in across websites.
Mr. Thibeau noted the importance of the Exchange and of the government’s choice of OpenID 2.0 technology standards.
“The government went where the people already are,” he said.
Whether they realize it or not, many users already have an OpenID account through their Gmail, WordPress, or any number of online log-ins. The standards for certification are also noteworthy: “this is the big news, the government for the first time has clearly articulated the rules.” According to Thibeau, the combination of the technology and rules fully centralizes the process – users can keep the log-in they already know and entities interested in certification have a uniform pathway: “the OIX is the referee.” This overcomes the maze of rules and the inoperability that often plague other standardization initiatives.
Some states and municipalities are also starting to examine the technology, including Austin, Texas and Vancouver, B.C. Mr. Thibeau discussed the impact OIX certification can have at the state level: “the States understand because of budget and efficiency, that utilizing online tools is key.” He recognizes that adoption of these standards and other open standards will have its biggest effect as cities and states implement them over time.
The OIX approach to standardization also has a positive impact on transparency and accountability. According to Thibeau, “you can’t have accountability without transparency, and you can’t have transparency without standards.”
Mr. Thibeau also noted the challenges cities and states face when trying to implement new technology initiatives or comply with openness requirements when many of them are facing budget and staffing shortfalls. To address these realities, the OIX kept the fee schedule low – $500 to join – in the hopes of overcoming monetary hurdles to adoption.
“We wanted to make it very easy for all types of organizations to join,” Mr. Thibeau said.