Open Identity Exchange Launches at RSA

March 3, 2010

The Open Identity Exchange (OIX) is a non-profit organization dedicated to building trust in the exchange of online identity credentials across public and private sectors. With initial grants from the OpenID Foundation (OIDF) and Information Card Foundation (ICF), OIX has been approved as a trust framework provider by the United States Government to certify online identity management providers to U.S. federal standards for identity assurance.

Trust frameworks are a new way for one site to trust the identity, security, and privacy assurances from another site (the "identity provider") acting on behalf of a user. Google, Paypal, and Equifax are the first three identity providers certified by OIX to issue digital identity credentials that will be accepted for privacy-protected registration and login at U.S. government websites. Verizon is currently in the certification process and is expected to be completed shortly.

The National Institutes of Health (NIH) is the first government website accepting these credentials, including OpenID and Information Card logins, a capability it demonstrated today at the RSA Conference. Citizens can use open identity technologies to support a number of online services across websites, including customized library searches, access to training resources, conference registration, and medical research wikis, with strong privacy protections, all designed to ensure accessible and transparent communication between the government agency and U.S. citizens.

"We want to acknowledge the critical role NIH has played as a pioneer in the government's use of open identity standards. The impact of the NIH iTrust pilots is reflected not only in the formation of Open Identity Exchange in the marketplace but also in the groundbreaking leadership NIH has demonstrated in new public sector applications," said Dr. Peter Alterman, Senior Advisor to the NIH Chief Information Officer for Strategic Initiatives.

"OIX grew out of a public/private industry partnership initiated by the U.S. government at this conference last year," said Don Thibeau, OIDF Executive Director and OIX Board Chair. "OpenID and Information Card technologies can solve the technical problem of using identity credentials across different websites, but can't solve the problem of how those credentials can be trusted at different levels of assurance. OIX is a solution to this problem not just for the U.S. government, but for many different governments, industry alliances, non-profit associations, telcos, academic networks, and others all over the world who need to establish trust across a wide online population."

The first official OIX trust framework meets the requirements set forth by the U.S. Identity, Credential, and Access Management (ICAM) Trust Framework Provider Adoption Process (TFPAP) established by the U.S. General Services Administration (GSA). This trust framework will enable the American public to participate in open, transparent and participatory government while maintaining full control of how much or how little personal information they share with federal websites at all times. "OIX means there is now a safe way to use an OpenID or an Information Card to register and login at any number of federal websites without needing a new username and password for each," said Drummond Reed, ICF Executive Director and Acting Executive Director of OIX. "As we roll out progressively stronger levels of certification, this will empower U.S. citizens to access and mange their tax records, Social Security records, veteran's benefits, and many other government services online."

"Before organizations can confidently consume identity information produced by third parties, they need to have confidence in those third parties' business processes and practices, and in the quality of the information they provide,” said Bob Blakley, Research Director, Burton Group Identity and Privacy Strategies, Gartner. “Before individuals can confidently provide information to third parties, they need to have confidence that their privacy will be protected by those third parties. The process of gaining confidence in a third party organization's processes for collecting, verifying, handling, using, and disclosing identity information is called 'identity assurance'. Identity assurance is a key building block for the production and consumption of identity information in open networks like the internet."

OCLC Online Computer Library Center is another founding member of OIX because it wants to develop a cooperative trust framework for libraries and their users. "More than 72,000 libraries in 112 countries and territories around the world have used OCLC services to locate, acquire, catalog, lend and preserve library materials," said Mike Teets, OCLC Vice President, Innovation. "An OCLC trust framework could broaden online access to those library materials, and make it easier for libraries to connect people to the knowledge they seek in any format—digital or print."

OIX is currently working on development of trust frameworks for public media, telecommunications, library services, state and local governments, and professional associations. "We look forward to facilitating trusted transactions throughout the government and eventually Internet channels," said Thibeau. "True trust requires the participation of a broad community so we are engaging industry, government, legal and academia leaders in how best to resolve challenges in usability, security and privacy."

OIX Members and Industry Experts Discuss Open Trust Frameworks

"We're pleased to be among the first organizations to be certified by the newly created OIX," said Eric Sachs, Senior Product Manager at Google. "We've already seen encouraging implementations of identity technologies in the industry, and our hope is that the work of the OIX will expand on this progress to help facilitate more open government participation, as well as improve security on the Internet by reducing password use across websites."

"Trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet," said Andrew Nash, Senior Director of Identity Services for PayPal Inc. "Trusted frameworks that provide identity assurance are a critical factor in the success of the digital identity ecosystem."

“We are honored to support this critical initiative and work with thought leaders of such a broad range of industry expertise,” said Ron Carpinella, Equifax’s Vice President of Identity Management. “As an innovator of knowledge-based authentication technology and the only information solutions company on this board, we look forward to advancing the development of an open trust platform initiative that will enable more secure and simplified interaction between consumers and the digital world.”

"VeriSign is excited to participate in the next phase in the creation and standardization of high assurance identity systems," said Nicolas Popp, Vice President of Product Development at VeriSign. "Drawing from our experience in bringing trust to the Internet, we look forward to contributing to the development of a multichannel identity trust framework that will enable citizens to communicate openly with confidence."

“Verizon shares OIX’s vision for establishing a framework for trust on the Internet,” said Peter Tippett, Vice President of Security Solutions and Enterprise Innovation at Verizon Business. “As a founding member of OIX, Verizon is working with other key Internet players to push for industry-wide reform that will forever change the way consumers and businesses interact on the Internet.”

"Trust, privacy and security are critical to the safe adoption of an identity based digital infrastructure. The formation of the Open Identity Exchange is an important step forward in creating the necessary framework to establish these criteria," said Tim Brown, CA Chief Security Architect and Distinguished Engineer. "With the support of industry leading companies and the OpenID and Information Card Foundations, our efforts will help solve the digital trust problems that our governments and industry face."

"With more people expecting to access services and information online, federal agencies need an easier, more secure approach when interacting with the public," said Patrick Peck, Executive Vice President of Booz Allen Hamilton. "Trust Frameworks can provide this solution for more than 20,000 federal websites through streamlined registration and simplified logins, and we are excited about supporting this public-private partnership to bring operational benefits to service providers and better access to the citizens they support."

Mike Teets from OCLC explains, "There is a surprising amount of valuable content available online through libraries that many consumers are not even aware of. Many states and national governments license a vast amount of resources for their citizens, and these could be made even more readily accessible through this initiative. OIX will put a key piece of the infrastructure puzzle in place to help libraries further reduce barriers of access to content, which is what OCLC is all about."

"Digital trust should originate from the location where it naturally occurs, be it my municipality to validate my residency, my professional affiliations, my educational institutions, my family affiliations, my religious affiliations, etc.," said Hal Warren, President of the OpenID Society, a chapter of the OIDF. "This requires a complex multi-faceted framework through which trusted claims can be transmitted and validated. This is the objective of the OIX. "Simplicity is complexity well done."

"We look forward to facilitating trusted transactions throughout the government and eventually Internet channels," said Thibeau. "True trust requires the participation of a broad community so we are engaging industry, government, legal and academia leaders in how best to resolve challenges in usability, security and privacy."