OpenID launches self-certification testing, trust framework registry
22 April, 2015
category: Corporate, Digital ID, Financial, Government
While this is a self-test, companies need to take it seriously, as the company’s reputation is on the line, says Andre Boysen, digital identity evangelist at SecureKey. The company has all of its products supporting OpenID Connect. “You’re putting your business and credibility on the line, business that do this are committed to it, he explains. “It’s time for organizations that do OpenID Connect to hand out their shingle and say ‘OpenID Connect is spoken here.’ When they do that transactions will start flowing.”
Secure, portable identities are paramount in the payments market, says Raj Mata, senior director for product management for the payments platform at PayPal. “From a consumer standpoint it doesn’t matter where I am I need the identity to work seamlessly with everyone,” he explains. “Also, we now have an assurance that the person we are partnering with has gone through the test. It raises the bar from a security and interoperability perspective.”
The trust this testing will offer partners is what makes it important, says Eric Sachs, director of product management for Identity at Google. The search giant has been working with OpenID for about seven years so that Google account holders could use those identities in other places. “Whenever we go to a site or application owner to add Google there is always some level of trust,” he explains. “This will build on that trust and get more websites and applications involved.”
Google is going to be OpenID Connect certified for a consumer and enterprise use case, Sachs says. Google’s Identity Toolkit aims to easily enable web sites and applications to consume Google logins to sites.
Google also helps out on the enterprise side, especially for those who have employees using applications and cloud-based services that the IT department might not know about. This “shadow IT” ends up creating security problems for enterprises, Sachs explains. Google acts as an identity provider for enterprises and this new testing system will enable it to trust these other services so employees can use their Google enterprise identity.
OIXnet
The OIXnet registry will provide transparency into OpenID Connect deployments and services, says Thibeau. Registration will enable the discovery of identity trust frameworks that will ensure interoperability. “Trusted transactions are the engines of online services,” said Thibeau, OIX Chairman and President. “Like an Underwriter Lab’s seal of approval on products, OIXnet is a neutral, open online registry that enables a similar level of trust and discovery at Internet scale for a wide variety of trust frameworks.”
The OpenID Foundation was the first to leverage OIXnet, registering OpenID certifications of deployment by members, including Google, Microsoft, ForgeRock, Ping Identity, PayPal and Nomura Research Institute.
In the second phase of the OIXnet Registry rollout, trust framework providers like the SAFE-BioPharma Association and SecureKey will register business legal and technical interoperability requirements at OIXnet.
The idea for a registry goes back some years, says Peter Alterman, COO at Safe-BioPharma. When he was at the National Institute of Health, there was a discussion around creating a self-asserted registry of attributes and how they are being used and expressed. OIXnet is not exactly that but it’s a pretty close start, Alterman adds.
“There is no straightforward path; there are many competing ways to do it with no clear winner,” Alterman says. “A registry of what people are doing and how they’re doing it is the next best thing. It’s a way to move the ball forward.”
SAFE-BioPharma will register its digital identities and signature standards for its trust framework at OIXnet.
SecureKey will also register its SecureKey Concierge trust framework in the registry. SecureKey Concierge is a service that Canadians use to access public sector services in Canada where high assurance is required. Canadian banks, which already have existing strong and trusted relationships with Canadians, are the trust anchors for the service. Banks are well situated to establish trust for consumers online with government organizations.