RSA: Google, PayPal, Equifax, Others Form Open Identity Exchange
The companies have created a non-profit to manage the process of certifying identity providers.
Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton on Wednesday at the RSA Conference announced that they have formed a non-profit organization to oversee the exchange of online identity credentials on public and private sector Web sites.
The organization, The Open Identity Exchange (OIX), will serve as a trust framework provider. A trust framework is a certification program that allows organizations and individuals to exchange digital credentials and to trust the identity, security, and privacy assertions associated with those credentials.
With help from the OpenID Foundation and the Information Card Foundation, OIX has been authorized to serve as a trust framework for the U.S. government. It will certify identity management providers to make sure they meet federal standards.
Google, Equifax, and PayPal will be the first three identity providers to issue digital identity credentials as a way to enable privacy-protected registration and login at U.S. government Web sites.
Verizon is expected to be the fourth, once it completes the certification process.
"We're pleased to be among the first organizations to be certified by the newly created OIX," said Google senior product manager Eric Sachs in a statement. "We've already seen encouraging implementations of identity technologies in the industry, and our hope is that the work of the OIX will expand on this progress to help facilitate more open government participation, as well as improve security on the Internet by reducing password use across websites."
The National Institutes of Health (NIH) Web site is the first government Web site to accept such credentials. Online visitors will be able conduct customized library searches, access training material and medical research wikis, and register for conferences while maintaining some privacy protection.
"Think about giving yourself single sign-on capability for all government services," said Ron Carpinella, VP of identity management at Equifax, in a phone interview. "In the current environement, you tend to have multiple user IDs and passwords wherever you go. I have 30 pages of user IDs and passwords because of all the different systems I have to engage with. Now, I can have essentially a single sign-on that can be shared across disparate government service providers. I don't have to register every time and place."
What makes these sorts of credentials compelling is that that they allow users to be authenticated without necessarily being identified. The technology could be used, for example, to allow someone to verify residency -- as a requirement for participation in a given online meeting -- without revealing a name or address.
Microsoft, which has done a lot of work on identity and trust, is conspicuous in its absence from the OIX founding group, but Carpinella says that he expects the company will participate.
As more government Web sites support these credentials, online visitors will be able to interact with these sites without having to register for each one or to remember separate site-specific passwords. Carpinella expects that in time OIX certified credentials will provide access to Web sites for the Department of Health and Human Services, Medicare and Medicaid, and the Social Security Administration, to name a few.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.