FAQ

What is OIX?
The Open Identity Exchange (OIX) is a non-profit corporation serving as an independent, neutral provider of certification trust frameworks for open identity technologies.

Who is leading OIX?
The founding Board of Directors includes Kennie Kwong, Lead Member of Technical Staff, AT&T; Ron Carpinella, VP Identity, Equifax; Eric Sachs, Product Manager for Google Security, Google; Andrew Nash, Senior Director of Identity Services, PayPal; Nico Popp, Vice President of Innovation, Verisign; and Peter Tibbett, Vice President of Technology and Innovation, Verizon. The Chairman of the OIX Board of Directors is Don Thibeau, who currently serves as the Executive Director of the OpenID Foundation. The Acting Executive Director of OIX is John Ehrig.

Why is OIX being launched?
Just as certain activities in the physical world -- driving a car, flying in an airplane, applying for a mortgage -- require identity credentials, so do certain activities in the digital world. However, until recently digital identity credentials were largely confined to closed systems that served a defined population of known users, such as a single website, or a corporate or university network. The rise of the Internet and the Web -- interconnecting millions of different websites and systems -- demands new digital identity solutions like OpenID and Information Cards that open up closed systems to qualified users from anywhere on the Internet.

What problem is OIX solving?
Open identity technologies reduce the friction of using the Web, much like credit cards reduce the friction of paying for goods and services. However, they also introduce a new problem: who do you trust? In other words, how does a relying party know it can trust credentials from an identity service provider without knowing if that provider's security, privacy, and operational policies are strong enough to protect the relying party's interests? This is not a technology problem. It is a business, legal, and social problem that must be solved with policy-based solutions like OIX.

What is an identity provider?
An identity provider is the website or service providing a security credential on behalf of the user.

What is a relying party?
A relying party is the website or service that requires a security credential from the user.

What is a trust framework?
In digital identity systems, a trust framework is a certification program that enables a relying party to trust the identity, security, and privacy assurances from an identity provider.

Is OIX following an open market model approach?
Yes. The key challenge to providing identity assurance at Internet scale is removing the need for direct trust agreements between identity providers and relying parties. To solve this problem, the open identity community, led by members of the OpenID Foundation and Information Card Foundation, developed the Open Identity Trust Framework (OITF) model [http://openidentityexchange.org/sites/default/files/the-open-identity-trustframework-model-2010-03.pdf]. This model breaks apart centralized control of certification into separate functions in order to create an open competitive market for each function.

What are the benefits of an open market model for identity assurance?
Open market models reward good market behavior in a virtuous cycle. Having trust frameworks, trust framework providers, identity providers, relying parties, and assessors competing directly with each other for business means:
- More choice for users and websites about the policies that will apply to their interactions.
- Market pricing for services throughout the open identity infrastructure.
- Economies of scale as service standardization lowers costs for all parties.
- Diversity from head to foot of the "long tail", which is especially important to preserve the diversity of contexts and policies necessary for a healthy online ecosystem.

What Open Identity Trust Frameworks is OIX now servicing?
The US General Services Administration (GSA) and the Identity, Credential, and Access Management Committee (ICAM) have approved OIX as the first trust framework provider to the US government. This permits OIX to issue certifications for the US ICAM LOA 1 trust framework [http://openidentityexchange.org/trust-frameworks/us-government-icam] to identity providers who are assessed to meet its identity, security, and privacy requirements. The National Institutes of Health (NIH) is the first US federal agency to move into production status to accept OpenID and Information Card credentials issued by OIX-certified identity providers.

Are there any identity providers certified for US ICAM?
Yes. Google, PayPal, and Equifax are the first three OIX members to be certified as identity providers [http://openidentityexchange.org/certified-providers] at US ICAM LOA 1 (level of assurance 1). Verizon and VeriSign are currently in the certification process.

Are other governments adopting the trust framework model?
Canada, the UK, and France (FC2 consortium) all have projects investigating the use of open identity technologies and trust frameworks.

What other types of trust frameworks does OIX anticipate serving?
Trust frameworks can be developed by any online community that needs to assure trust across diverse members. An example is the U.S. Public Broadcasting System (PBS) affiliate network. In addition to increasing audience involvement and integrating television and online content, PBS would like to build subscriber relationships, streamline donations, and help safeguard children from predators when they visit web sites for popular PBS children's television shows such as Sesame Street, Arthur, and Curious George. PBS could do this with a Public Media Trust Framework [http://openidentityexchange.org/trust-frameworks/pbs-public-media].

Will trust frameworks only come from governments and non-profits?
No. Trust communities can also be entirely private. For example, the Line Information Database (LIDB) Forum, a group of telecommunications companies with decades of experience implementing technical interoperability standards for phone system interchange, is investigating developing a trust framework for privacy-protected sharing of subscriber data. Another example is the Online Computer Library Center (OCLC), which wants to develop a cooperative trust framework for libraries and their users.
An OCLC trust framework will broaden online access to library materials, essentially creating a virtual online library card.

How will OIX benefit consumers?
Consumers of identity management services (either from identity providers or relying parties) will benefit first from the increased adoption of open identity technologies from certified providers -- for example the availability of OpenID and Information Cards to use at US federal government websites. They will also benefit from the standardized identity, security, and privacy policies that OIX trust frameworks will propagate. Lastly, the OIX Listing Service will permit consumers to compare the technical and policy standards of various identity providers and relying parties, helping advance competition and increase quality throughout the industry.

Who should join OIX?
All organizations engaged in the digital identity market who want to become certified identity providers, relying parties, or assessors. In addition, OIX welcomes governments, professional associations, non-profit networks, and other communities who want to develop their own trust frameworks.

What are the top benefits of OIX membership?
The top benefits exclusively available to OIX members are:
1. The ability to be certified to the US ICAM trust framework requirements, thereby gaining access to the US government market.
2. Signify that your organization is a leader in digital identity assurance through use of the OIX Certified brand.
3. Gain access to a worldwide network of leading organizations and individuals in the digital identity assurance industry.
4. "Early mover" engagement with new and evolving public and private trust frameworks, including the ability to participate in OIX advisory committees and working groups developing these frameworks.
5. Achieve a level playing field with the biggest players in the market.
6. Influence the strategy, direction and policies of OIX.

How can I join OIX?
Joining is easy: simply follow these instructions [http://openidentityexchange.org/join].

How much does it cost to become a member and get certified?
OIX's two-tiered member program -- Executive and General (with a special pricing plan for government, academic and non-profit organizations) -- encourages organizations of all sizes to participate, collaborate, and contribute to the success of our shared mission. Each tier has auditing, participation and/or leadership benefits commensurate with financial contribution. See the complete fee schedule [http://openidentityexchange.org/join].

Where can I get more information?
For more information, please contact help@openidentityexchange.org.

What is the OpenID Foundation?
The OpenID Foundation (OIDF) [http://www.openid.net/] was formed in June 2007 to help promote, protect, and enable the OpenID technologies and community. The OIDF does not dictate the technical direction of OpenID; instead it will help enable and protect whatever is created by the community. OpenID is a Web registration and single sign-on protocol that lets users register and log in to OpenID-enabled websites using their own choice of OpenID identifier. With OpenID, a user can operate their own OpenID service (such as on their blog), or they can use the services of a third-party OpenID provider (most major Web portals, such as AOL, Google, and Yahoo, now offer OpenID service).

What is the Information Card Foundation?
The Information Card Foundation (ICF) [http://www.informationcard.net/] is a non-profit community of individuals and companies working together to evolve the Information Card ecosystem. Information Cards are a new approach to Internet-scale digital identity in which all of a user's identities, whether self-created or from third-party identity providers, are uniformly represented as visual cards in a software application called a card selector. The cards themselves may be stored on the same computer as the card selector, or on a mobile device, or in the cloud. Cards may be exchanged with websites using a variety of protocols and formats. All card selectors support at least the IMI protocol developed by the OASIS IMI TC; however, Information Cards are now being adapted to other protocols as well (including OpenID).