[Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)

Susan Landau Susan.Landau at sun.com
Tue Aug 11 05:19:35 PDT 2009

On 08/11/09 07:48, Georgia Marsh wrote:
> How was the meeting?
Divisive.  Here's my trip report.  Thanks for the info on US government 
SAML uses; that came up indirectly during the meeting but things were 
sufficiently heated that I dropped that in favor of asking some other, 
somewhat pointed, questions.  But thanks much for your help.  It was 
good to have that information in my back pocket if needed.



Judy Spencer, who is the co-chair of the Identity Management and Access 
Management SC (special committee? signon committee?), ran the meeting.  
She sought to focus only on Level of Assurance 1, a decision that was 
objected to by many in the audience.

Most of the attendees appeared to be members of the federal government 
and contractors.  There were very few privacy advocates in the room: one 
from EPIC, a junior person from CDT, no one from EFF.  I suspect this 
was due to too short notice (and in EFF's case, too expensive a plane 
flight from the west coast).

The morning was taken up with presentations by the various folks.  First 
Chris Louden of Protiviti, a federal contractor working on this 
initiative, gave an overview, and made the point that for efficiency's 
sake, the government wanted to leverage work in the private sector.  
There had already been SAML profiles.  But OpenID had lots of traction 
and so the government was going to leverage that for Level of Assurance 
1, where the government wanted to be able to identify the same user each 
time the same user turned up but without any need to tie identity to a 
particular person (so as to be able to return customized webpages, send 
updates to the user if an email had been supplied, etc.). Chris went 
through the privacy requirements for level 1, which included 
unlinkability of the user between different sites (something satisfied 
by OpenID 2.0 but not OpenID 1.0).

This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and 
Drummond Reed doing a tag team on OpenID and InfoCard Foundations and 
Brett on Kantara.  The meeting was originally supposed to be on OpenID, 
InfoCard, and privacy issues but had broadened.   Don and Drummond spoke 
about OpenID 2.0 fulfilling the pseudonymity needs prescribed by the 
federal profiles and that OpenID had billions of users. They did not 
mention that it was OpenID 1.0 that had the large installed user base.

At this point, I asked some questions.  I asked about the number of 
OpenID 2.0 users; this was not answered.  I asked about liability and 
didn't get an answer. Nonetheless it was useful to plant these issues 
for later discussion.

The afternoon session was devoted to privacy and identity and that was 
the time for Q&A. Here I asked about extensibility, pointing out that in 
security you architect for the whole solution, then cut back as needed 
(and not the other way around) and that we will need identifiers for 
health care with much higher levels of assurance.  Chris Louden of 
Protiviti said that they understand the issue and they've got that 
covered.  At this point, various of the audience picked up the issue of 
extensibility strongly.

Someone from MITRE spoke about the progress with level of assurance 3 
and 4 and how this was a step backwards.

Don Schmidt of Microsoft said, "billions of burgers sold has nothing to 
do with reality."

Jeff Stollman said that usability needs say that other levels influence 
level 1.0.  "You can't talk about level 1.0 separately from higher 
levels when you talk about usability"; you are making a huge mistake by 
using OpenID for level 1.0 when you can't do OpenID for higher levels. 
The audience resonated with this.

Tony Nadlin (sp?) said "Why are you going the industry route?  Liability 
issues have not been addressed?  What is your emergency response 
initiative?  What is your liability initiative?"

Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We want 
to enable technologies for people to use and OpenID is perfectly 
acceptable at level 1.0."

Don Schmidt: Using OpenID is a really bad idea (this is a paraphrase).  
You're teaching people the wrong message about security. "If this is 
successful and if there's a disconnect between this and higher levels 
[because OpenID is not extensible for higher levels], in the end we 
haven't done a good thing."  I was surprised to see Microsoft speaking 
that way, but Schmidt was quite emphatic.

I would say that by the end of the meeting, there was a great deal of 
dubiousness in the room concerning using OpenID even at level of 
assurance 1.  The agencies will have to implement, of course.  But the 
people there were clearly aware --- if they hadn't been earlier ---  of 
the problems with OpenID.

Susan Landau                     phone: 413-259-2018
Distinguished Engineer           fax: 413-253-2156

        Sun Microsystems Laboratories
        MS UBUR02-311
        35 Network Drive
        Burlington MA 01803-0902

        susan.landau at sun.com
