Open Identity Exchange


The Open Identity Exchange (OIX) is a membership organisation that works to accelerate the adoption of digital identity services based on open standards. It is a non-profit organisation and is technology agnostic. It is collaborative, and works across the private and public sectors. [1]


Members work together to jointly fund and participate in pilot projects (sometimes referred to as alpha projects). These pilots test business, legal and/or technical concepts or theory and their interoperability in real world use cases. A white paper is published for every project.

History

Genesis

Shortly after coming into office, the Obama administration asked the U.S. General Services Administration (GSA) how to leverage open identity technologies to allow the American public to more easily, efficiently, and safely interact with federal websites such as the National Institute of Health (NIH), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).

At the 2009 RSA Conference, the GSA sought to build a public/private partnership with the Open ID Foundation (OIDF) and the Information Card Foundation (ICF) in order to craft a workable identity information framework that would establish the legal and policy precedents needed to establish trust for Open ID transactions.

The partnership eventually developed a trust framework model, described below. Further meetings were held at the Internet Identity Workshop in November 2009, which resulted in OIDF and ICF forming a joint steering committee. The committee's task was to study the best implementation options for the newly created framework.

Foundation

The US Chief Information Officer recommended the formation of a non-profit corporation, the Open Identity Exchange (OIX). In January 2010, the OIDF and ICF approved grants to fund the creation of the Open Identity Exchange. OIX was the first trust framework provider [2] certified by the US Government. Booz Allen Hamilton, CA Technologies, Equifax, Google, PayPal, Verisign, and Verizon were all members of either OIDF or ICF, and agreed to become founding members of OIX.

Launch

The Open Identity Exchange was publicly launched at RSA 2010 and it addressed the increasing challenges of building trust in online identity as outlined below:

In 2012 the executive director position was created, and National Strategy for Trusted Identities in Cyberspace (NSTIC) pilot projects showed growing traction and increased awareness and attention. In 2012 OIX UK was formed, and throughout 2013 the initial UK Cabinet Office Identity Assurance Programme (IDAP) pilots were launched and white papers published.

OIXnet

In 2014, OIX established the OIXnet trust registry, a global authoritative registry of business, legal and technical requirements needed to ensure market adoption and global interoperability. [3]

In 2014, OIDF also announced plans to register all companies self-certifying conformance to OpenID Connect via the OpenID Certification Program on OIXnet.

Purpose

OIXnet is an official online and publicly accessible repository of documents and information relating to identity systems and identity system participants. Referred to as a “registry”, it functions as an official and centralized source of such documents and information, much like a government-operated recorder of deeds. That is, individuals and entities can register documents and information with the OIXnet registry to provide notice of their contents to the public, and members of the public seeking access to such documents or information can go to that single authoritative location to find them.

The OIXnet registry is designed to provide a single comprehensive and authoritative location where documents and information relating to a specific purpose (in this case, identity systems) can be safely stored for the purpose of putting others on notice of certain facts, and from which such documents and information can be accessed by interested stakeholders seeking such information.

Early participants

OIXnet was launched in 2015. OpenID Foundation was the first registrant by registering the initial set of organizations, including Google, ForgeRock, Microsoft, NRI, PayPal and Ping Identity, certifying conformance to OpenID Connect. Additional registrations were added to OIXnet throughout 2015 and 2016 with 10 trusted identity services currently registered.

Status

As of 2016, the OIXnet registry is in pilot, registering new and diverse trust frameworks and communities of interest.

International chapters

OIX developed a chapters policy in 2015 that allows regional OIX chapters to be established. In 2016 the OIX United Kingdom Chapter was approved by the OIX board and launched.

Leadership

The OIX board represents leaders in online identity in the internet, telecom and data aggregation industries concerned with both market expansion and information security.

Government relations

The OIX board met with Howard Schmidt in 2011 [4] to discuss the public–private partnership envisioned in the NSTIC strategy.

The UK government's Cabinet Office joined the OIX at board level, as it began the work on its Identity Assurance Programme which is now GOV.UK Verify. [5]

The States of Jersey joined in 2015 so they could leverage the knowledge gained during the development of the UK government identity assurance programme to hasten adaptation and adoption for Jersey.

Membership

As of November 2016, the Open Identity Exchange has thirteen executive members and 50+ general members. [6]

OIX UK Europe Chapter

At the beginning of 2015 the Cabinet Office requested Open Identity Exchange to begin a process of exploring the legal, business and pragmatic considerations of creating a self-sustaining UK ‘chapter’ of the Open Identity Exchange. To that point OIX UK operated as an independent UK entity able to administer ‘directed funding’ from member organisations. [7] It had received a series of grants from the UK Cabinet Office that were used for the collaboratively funded projects.

An ad-hoc board of advisers was formed of independent, experienced, public and private sector leaders who addressed policy considerations during this transition process. In addition to considering the role of OIX UK in the future, this board of advisers considered the private sector's needs for identity services, [8] resulting in an ongoing OIX project. [9]

The Open Identity Exchange board of directors approved an OIX chapters policy at the end of 2015, allowing the formation of individual chapters affiliated with OIX in various local markets. In April 2016 the OIX UK Europe Chapter appointed its board of directors.

White Papers

The OIX White Papers deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions. They are written by experts in the fields of technology, particularly open identity.

OIX

Trust Frameworks

UK Identity Assurance Programme (IDAP)

US National Strategy for Trusted Identities in Cyberspace (NSTIC) [11]

White Papers Published in 2016

Open Identity Exchange (OIX) White Papers focus on current issues and opportunities in emerging identity markets. OIX white papers are intended to deliver value to the identity ecosystem and take one of two perspectives: a retrospective report on the outcome of a given project or pilot or a prospective discussion on a current issue or opportunity. OIX White Papers are authored by independent domain experts and are intended as summaries for a general business audience.

Recent published whitepapers include:

• Use of online activity as part of the identity verification [12]

• UK private sector needs for identity assurance [13]

• Use of digital identity in peer-to-peer economy [14]

• Shared signals proof of concept [15]

• Creating a digital identity in Jersey

• Just Giving and GOV.UK Verify

• Creating a pensions dashboard [16]

• Could digital identities help transform consumers attitudes and behavior towards savings? [17]

• Digital identity across borders: opening a bank account in another EU country

• Generating Revenue and Subscriber Benefits: An Analysis of: The ARPU of Identity [18]

Projects

OIX projects deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions.

States of Jersey: Creating a Digital ID

The hypothesis was that the UK Government identity assurance model could be adapted for Jersey with the support of certified UK IdPs and potential identity assurance hub providers, to meet the requirements of SoJ. The hypothesis also considered that this would create an attractive market opportunity in Jersey for one or more of these providers. [19]

LIGHTest Project

This is a 3-year project that started in September 2016 and is partially funded by the European Union Horizon 2020 research and innovation programme under G.A. No. 700321. The LIGHTest consortium consists of 14 partners from 9 European countries and is coordinated by Fraunhofer-Gesellschaft. The project looks to reach out beyond Europe, to build a global community.

LIGHTest (Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust schemes)

The objective of LIGHTest is to create a global cross-domain trust infrastructure that renders it transparent and easy for verifiers to evaluate electronic transactions. By querying different trust authorities worldwide and combining trust aspects related to identity, business, reputation, etc., it will become possible to make domain-specific trust decisions.

This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing Domain Name System, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities.

GOV.UK Verify

The UK Government's Cabinet Office joined the OIX at board level as it began the work on its Identity Assurance Programme (IDAP). Through the OIX Directed Funding programme, a considerable number of projects continue to be carried out under OIX governance, the results of which have helped with the ongoing development of GOV.UK Verify. Work continues as GDS looks at how digital identities can be used in both the public and private sector.

GOV.UK Verify is built and maintained by the Government Digital Service (GDS), part of the Cabinet Office. The UK Government is committed to expanding GOV.UK Verify and helping to grow a market for identity assurance that will be able to meet user needs in relation to central government services, as well as for local, health and private sector services. GOV.UK Verify uses certified companies to verify your identity to government. A certified company is a private company that works to high industry and government standards when they verify your identity.


References

  1. "The Open Identity Exchange". OIX. April 12, 2024. Retrieved April 12, 2024.
  2. "What prevents a Telecom Operator from being a full fledged Identity Provider?". www.opengardensblog.futuretext.com. Retrieved 2016-12-05.
  3. "Open Identity Exchange Launches OIXnet: A Global Registry for Trust Frameworks | PYMNTS.com". Retrieved 2016-12-05.
  4. State of the Net 2011 Keynote: Howard Schmidt. Accessed 2013-08-16.
  5. "GOV.UK Verify - GOV.UK". www.gov.uk. Retrieved 2016-11-28.
  6. OIX Members.
  7. "OIX Directed Funding Policy" (PDF). Open Identity Exchange.
  8. "Identity assurance and the private sector - a discovery project - GOV.UK Verify". Retrieved 2017-07-30.
  9. "Private Sectors Requirements for Identity Services". OIX. Retrieved 2017-07-30.
  10. The Three Pillars of Trust. Booz Allen Hamilton. Accessed 2013-07-31.
  11. "DG - NSTIC - Archived Groups - Kantara Initiative". kantarainitiative.org. Retrieved 2016-12-05.
  12. "Report suggests Facebook activity could be used for online identity verification | PublicTechnology.net". www.publictechnology.net. 26 July 2016. Retrieved 2016-11-28.
  13. "Survey: 81% of UK companies want cross-industry digital ID options - SecureIDNews". SecureIDNews. Retrieved 2016-11-28.
  14. "GOV.UK Verify | Digital Identity - We Are Snook". We Are Snook. 2016-06-10. Retrieved 2016-12-05.
  15. "Protecting High Assurance Commercial Identity Providers - Confyrm". Confyrm. 2016-06-05. Retrieved 2016-12-05.
  16. "Press release: Money Advice Service on behalf of the Open Identity Exchange publishes recommendations for Pension Finder Dashboard - Money Advice Service". www.moneyadviceservice.org.uk. Retrieved 2016-11-28.
  17. "TISA Newsletter" (PDF).
  18. "Analytical Models - Whitepapers". www.analyticalmodels.com.au. Retrieved 2016-12-05.
  19. Ferbrache, Marcus (2016-07-12). "Towards a digital ID: part 4". Official States of Jersey Blog. Retrieved 2016-11-29.