[Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)
Susan.Landau at sun.com
Tue Aug 11 05:19:35 PDT 2009
On 08/11/09 07:48, Georgia Marsh wrote:
> How was the meeting?
Divisive. Here's my trip report. Thanks for the info on US government
SAML uses; that came up indirectly during the meeting but things were
sufficiently heated that I dropped that in favor of asking some other,
somewhat pointed, questions. But thanks much for your help. It was
good to have that information in my back pocket if needed.
Judy Spencer, who is the co-chair of the Identity Management and Access
Management SC (special committee? signon committee?), ran the meeting.
She sought to focus only on Level of Assurance 1, a decision that was
objected to by many in the audience.
Most of the attendees appeared to be members of the federal government
and contractors. There were very few privacy advocates in the room: one
from EPIC, a junior person from CDT, no one from EFF. I suspect this
was due to too short notice (and in EFF's case, too expensive a plane
flight from the west coast).
The morning was taken up with presentations by the various folks. First
Chris Louden of Protiviti, a federal contractor working on this
initiative, gave an overview, and made the point that for efficiency's
sake, the government wanted to leverage work in the private sector.
There had already been SAML profiles. But OpenID had lots of traction
and so the government was going to leverage that for Level of Assurance
1, where the government wanted to be able to identify the same user each
time the same user turned up but without any need to tie identity to a
particular person (so as to enable returning customized webpages, sending
updates to the user if an email had been supplied, etc.). Chris went
through the privacy requirements for level 1, which included
unlinkability of the user between different sites (something satisfied
by OpenID 2.0 but not OpenID 1.0).
This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and
Drummond Reed doing a tag team on OpenID and InfoCard Foundations and
Brett on Kantara. The meeting was originally supposed to be on OpenID,
InfoCard, and privacy issues but had broadened. Don and Drummond spoke
about OpenID 2.0 fulfilling the pseudonymity needs prescribed by the
federal profiles and that OpenID had billions of users. They did not
mention that it was OpenID 1.0 that had the large installed user base.
At this point, I asked some questions. I asked about the number of
OpenID 2.0 users; this was not answered. I asked about liability and
didn't get an answer. Nonetheless it was useful to plant these issues
for later discussion.
The afternoon session was devoted to privacy and identity and that was
the time for Q&A. Here I asked about extensibility, pointing out that in
security you architect for the whole solution, then cut back as needed
(and not the other way around) and that we will need identifiers for
health care with much higher levels of assurance. Chris Louden of
Protiviti said that they understand the issue and they've got that
covered. At this point, various of the audience picked up the issue of
Someone from MITRE spoke about the progress with level of assurance 3
and 4 and how this was a step backwards.
Don Schmidt of Microsoft said, "billions of burgers sold has nothing to
do with reality."
Jeff Stollman said that usability needs say that other levels influence
level 1.0. "You can't talk about level 1.0 separately from higher
levels when you talk about usability"; you are making a huge mistake by
using OpenID for level 1.0 when you can't do OpenID for higher levels.
The audience resonated with this.
Tony Nadlin (sp?) said "Why are you going the industry route? Liability
issues have not been addressed? What is your emergency response
initiative? What is your liability initiative?"
Judy Spencer: "For level 1, OpenID is absolutely appropriate. We want
to enable technologies for people to use and OpenID is perfectly
acceptable at level 1.0."
Don Schmidt: Using OpenID is a really bad idea (this is a paraphrase).
You're teaching people the wrong message about security. "If this is
successful and if there's a disconnect between this and higher levels
[because OpenID is not extensible for higher levels], in the end we
haven't done a good thing." I was surprised to see Microsoft speaking
that way, but Schmidt was quite emphatic.
I would say that by the end of the meeting, there was a great deal of
dubiousness in the room concerning using OpenID even at level of
assurance 1. The agencies will have to implement, of course. But the
people there were clearly aware --- if they hadn't been earlier --- of
the problems with OpenID.
Susan Landau
Distinguished Engineer
Sun Microsystems Laboratories
35 Network Drive
Burlington MA 01803-0902
phone: 413-259-2018
fax: 413-253-2156
susan.landau at sun.com
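The Level of Assurance 1 requirement described in the report (recognize the same user on each return visit, but keep that user unlinkable between different sites) comes down to the identity provider issuing a separate pseudonymous identifier per relying party. The following is an added illustration, not code from the message or from any OpenID or SAML implementation: it contrasts a keyed per-site identifier with the single fixed identifier that the report associates with OpenID 1.0, and the IdP key, user name and realms are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed IdP-side secret for the example; a real identity provider
# would keep this in an HSM or key-management service, never in source.
IDP_PAIRWISE_KEY = b"constructed-example-key-do-not-reuse"
IDP_BASE = "https://idp.example"  # hypothetical identity provider


def canonical_realm(realm: str) -> str:
    """Reduce a relying-party realm to scheme + host so that trivial URL
    differences (case, trailing slash) still map to the same site."""
    parts = urlsplit(realm)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def pairwise_identifier(user_id: str, rp_realm: str, key: bytes = IDP_PAIRWISE_KEY) -> str:
    """Per-site pseudonymous identifier.

    Stable for a given (user, site) pair, so the site can recognize a returning
    visitor; different for every site; derived with a keyed hash so a site
    cannot recompute the identifier the same user carries at another site."""
    msg = f"{user_id}\x00{canonical_realm(rp_realm)}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{IDP_BASE}/pairwise/{digest}"


def global_identifier(user_id: str) -> str:
    """The linkable pattern: one identifier presented unchanged to every site."""
    return f"{IDP_BASE}/users/{user_id}"


def rps_can_link(identifier_at_a: str, identifier_at_b: str) -> bool:
    """Two colluding sites correlate a visitor by comparing what they received."""
    return identifier_at_a == identifier_at_b


def demo() -> dict:
    """Same user visiting two constructed agency sites under both schemes."""
    user, rp_a, rp_b = "alice", "https://benefits.example.gov/", "https://parks.Example.gov"
    pairwise_a, pairwise_b = pairwise_identifier(user, rp_a), pairwise_identifier(user, rp_b)
    global_id = global_identifier(user)
    return {
        "pairwise_stable": pairwise_a == pairwise_identifier(user, rp_a),
        "pairwise_linkable": rps_can_link(pairwise_a, pairwise_b),
        "global_linkable": rps_can_link(global_id, global_id),
    }
```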