[Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)
J. Trent Adams
jtrentadams at gmail.com
Tue Aug 11 06:43:13 PDT 2009
Excellent summary. And great questions yesterday.

To provide additional flavor to Susan's comments about usability, it was
brought up many times throughout the day. I would classify some of the
issues as what could be called a contract with the users (i.e. setting
their expectations and how to meet them). While Judy and Chris tried to
reinforce the focus on LOA 1, many saw a disconnect between the
usability requirements of this pilot and what might come next with a

Of note on this point, Judy made an interesting comment toward the end
that I'm not sure is accurate (AFAIK). She said that Don Thibeau had
mentioned to her that while OpenID can't move beyond LOA 1 today, there
are people in the OpenID community working on ways to address this soon.

Also, Don was asked how much usability testing has taken place on
OpenID. While he did say that he assumes Google and Yahoo have done
extensive testing on their own, he decided not to mention the report
that came out earlier this year illustrating how OpenID integration
decreases conversion rates. His response was primarily that the pilot
should be rolled out and be adjusted according to reactions.

Significant questions were also raised about privacy relating to
unintended self-exposure and masquerading. Both issues were noted by
Chris Louden as he said they were issues that hadn't been previously

In the end, none of the topics raised appeared to indicate the GSA/ICAM
would slow down the pilot program to address them.

It was also very interesting that in response to questions, Brett
mentioned that Kantara has three groups working on or planning to work
on the following issues that were brought up:

3. Privacy Assurance
4. Legal & Litigation

It was clear to me that Kantara was the only represented group in the
room positioned to deal across the board with the issues at the center
of the discussion. It might make sense to reach out to the attendees
and invite them to participate in these activities.

Finally, it might not be known to the group, but Kantara submitted its
Trust Framework Process proposal to the GSA/ICAM on Friday. So far,
it's the only application they have received.

Susan Landau wrote:
> On 08/11/09 07:48, Georgia Marsh wrote:
>> How was the meeting?
>
> Divisive. Here's my trip report. Thanks for the info on US
> government SAML uses; that came up indirectly during the meeting but
> things were sufficiently heated that I dropped that in favor of asking
> some other, somewhat pointed, questions. But thanks much for your
> help. It was good to have that information in my back pocket if needed.
>
> Judy Spencer, who is the co-chair of the Identity Management and
> Access Management SC (special committee? signon committee?), ran the
> meeting. She sought to focus only on Level of Assurance 1, a decision
> that was objected to by many in the audience.
>
> Most of the attendees appeared to be members of the federal government
> and contractors. There were very few privacy advocates in the room:
> one from EPIC, a junior person from CDT, no one from EFF. I suspect
> this was due to too short notice (and in EFF's case, too expensive a
> plane flight from west coast).
>
> The morning was taken up with presentations by the various folks.
> First Chris Louden of Protiviti, a federal contractor working on this
> initiative gave an overview, and made the point that for efficiency's
> sake, the government wanted to leverage work in the private sector.
> There had already been SAML profiles. But OpenID had lots of traction
> and so the government was going to leverage that for Level of
> Assurance 1, where the government wanted to be able to identify the
> same user each time the same user turned up but without any need to
> tie identity to a particular person (so as to enable to return
> customized webpages, send updates to the user if an email had been
> supplied, etc.). Chris went through the privacy requirements for level
> 1, which included unlinkability of the user between different sites
> (something satisfied by OpenID 2.0 but not OpenID 1.0).
>
> This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and
> Drummond Reed doing a tag team on OpenID and InfoCard Foundations and
> Brett on Kantara. The meeting was originally supposed to be on
> OpenID, InfoCard, and privacy issues but had broadened. Don and
> Drummond spoke about OpenID 2.0 fulfilling the pseudonymity needs
> prescribed by the federal profiles and that OpenID had billions of
> users. They did not mention that it was OpenID 1.0 that had the large
> installed user base.
>
> At this point, I asked some questions. I asked about the number of
> OpenID 2.0 users; this was not answered. I asked about liability and
> didn't get an answer. Nonetheless it was useful to plant these issues
> for later discussion.
>
> The afternoon session was devoted to privacy and identity and that was
> the time for Q&A. Here I asked about extensibility, pointing out that
> in security you architect for the whole solution, then cut back as
> needed (and not the other way around) and that we will need
> identifiers for health care with much higher levels of assurance.
> Chris Louden of Protiviti said that they understand the issue and
> they've got that covered. At this point, various of the audience
> picked up the issue of extensibility strongly.
>
> Someone from MITRE spoke about the progress with level of assurance 3
> and 4 and how this was a step backwards.
>
> Don Schmidt of Microsoft said, "billions of burgers sold has nothing
> to do with reality."
>
> Jeff Stollman said that usability needs say that other levels
> influence level 1.0. "You can't talk about level 1.0 separately from
> higher levels when you talk about usability"; you are making a huge
> mistake by using OpenID for level 1.0 when you can't do OpenID for
> higher levels. The audience resonated with this.
>
> Tony Nadlin (sp?) said "Why are you going the industry route?
> Liability issues have not been addressed? What is your emergency
> response initiative? What is your liability initiative?"
>
> Judy Spencer: "For level 1, OpenID is absolutely appropriate. We
> want to enable technologies for people to use and OpenID is perfectly
> acceptable at level 1.0."
>
> Don Schmidt: Using OpenID is a really bad idea (this is a
> paraphrase). You're teaching people the wrong message about security.
> "If this is successful and if there's a disconnect between this and
> higher levels [because OpenID is not extensible for higher levels], in
> the end we haven't done a good thing." I was surprised to see
> Microsoft speaking that way, but Schmidt was quite emphatic.
>
> I would say that by the end of the meeting, there was a great deal of
> dubiousness in the room concerning using OpenID even at level of
> assurance 1. The agencies will have to implement, of course. But the
> people there were clearly aware --- if they hadn't been earlier ---
> of the problems with OpenID.
>
> Susan Landau phone: 413-259-2018
> Distinguished Engineer fax: 413-253-2156
> Sun Microsystems Laboratories
> MS UBUR02-311
> 35 Network Drive
> Burlington MA 01803-0902
> susan.landau at sun.com
J. Trent Adams