Trusted frameworks sought for e-government

The GSA meets with OpenID Foundation, the Information Card Foundation, the Kantara Initiative and InCommon

Security Identity Management Alert By Dave Kearns, Network World
August 14, 2009 11:10 AM ET
I've got to put off for at least one more issue the major events from the Catalyst Conference so I can point out some interesting things that happened last week -- in Washington, D.C., of all places. And healthcare was only tangentially involved.

The General Services Administration (GSA) sponsored a one-day workshop ("Open Government Identity Management Solutions Privacy Workshop") last week, which I gather from those who attended was an exciting event. Among the speakers were representatives from the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, InCommon and the federal government. The general theme of the meeting was to explore the "Trust Framework Provider Adoption Process (TFPAP) For Levels of Assurance 1, 2, and Non-PKI 3" document, which was released as a draft last month.

The intent is to leverage existing industry-created credentials and credentialing processes to support e-government activities. To that end, representatives of various non-governmental bodies made presentations about existing frameworks for trusted identity systems in order to show that they satisfied federal requirements as codified by the Office of Management and Budget, the National Institute of Standards and Technology, and, of course, the GSA. These Trust Frameworks include requirements for trust framework provider (TFP) auditing qualifications and processes, TFP organizational maturity, TFP member identity provider organizational maturity, TFP member identity provider credentials and their issuance, and TFP member identity provider privacy policies.

One of the more interesting presentations was a joint effort of the OpenID Foundation and the Information Card Foundation called "Open Trust Frameworks for Open Government: Enabling Citizen Involvement through Open Identity Technologies."

This presentation explored the existing model for trust created by the InCommon Federation for higher education institutions. InCommon is an outgrowth of the Shibboleth open source single sign-on (SSO)/federation project which has featured (favorably) in our discussions of SSO in the past. Participants in Shibboleth realized that while SAML gave them the technical ability to share identity credentials, they still needed a way to verify these SAML messages were coming from a participating institution. They also needed to ensure participating institutions were maintaining minimum levels of security and privacy practices to keep all participants protected -- every trust network is only as strong as its weakest link. So they created InCommon, a trust framework that covers 3 million users, with 110 higher education participants, six government and non-profit agencies, and 41 sponsored service provider partners, and is growing at the rate of 100 percent per year.

You should read the paper and investigate InCommon to learn more because something like this will be on the government's plate (and, therefore, on industry's plate) in the coming year.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.