The map of trusted identity services
Led by industry leaders. Workshops and pilots to explore governance and liability challenges. Registry of trusted identity systems. Certification program with active participation by industry. Is this the future envisioned in the National Strategy for Trusted Identities in Cyberspace (NSTIC - PDF)?
It certainly looks and sounds like it, with an important caveat - the organization is the Open Identity Exchange (OIX), a non-profit trade organization whose membership is open and members pay annual dues that range from $1000 to $50000. It is not the NSTIC NPO envisioned Identity Ecosystem Steering Group (“IDESG”).
OIX recently launched the OIXnet Registry which enables the registration of “identity systems” such as certification programs and trust frameworks.
The first identity system to go live in the registry is the pilot self-certification program for the OpenID Connect protocol which is operated by the OpenID Foundation.
In a future phase, trust framework providers such as the SAFE-BioPharma Association and SecureKey are waiting in the wings to register their trust frameworks in OIXnet.
The majority of the heat and flash around the launch announcements tended to focus on the OpenID Connect self-certification program. While important for near term interoperability, it pales in comparison to the strategic importance of the OIXnet registry.
Beyond the current registration pipeline, it is easy to envision a future where certification programs for authentication initiatives such as FIDO end up being registered in OIXnet. Or value added services being offered by OIX that map between various trust frameworks that are registered with OIXnet.
In short, OIX has just come out strong in a bid to become the de-facto map maker of the trusted identity terrain.
Map makers have significant formal and informal authority that can affect how we navigate a domain and with the OIXnet entry, the trusted identity world just got a whole lot more interesting! Are you ready?
++ The IDESG Identity Ecosystem Framework is “ready for review”. Is it too late to the party or just fashionably late?
++ The Kantara Trust Registry. A “Technology Preview” launched in December 2012.
De-identification
NIST is requesting comments by May 15 on a draft report on “De-Identification of Personally Identifiable Information” which reviews de-identification techniques and research.
++ I’ve always thought that de-identification research would be a backwards way to get more research data on data minimization as it applies to identity resolution.
++ You can de-identify but you can’t hide
cyberLinks: random and relevant
++ Google is shutting down its ClientLogin, OAuth 1.0 (3LO), AuthSub, and OpenID 2.0 infrastructure
++ The free Let’s Encrypt CA has updated its draft of Certificate Policy (CP) and made available its first public draft Certification Practice Statement (CPS)
++ Australian radio interview with Bruce Schneier - The hidden struggles to control your data