Note: the following post was submitted by Andy Dale, our resident expert on all things identity management and authentication.
Electronic chickens and eggs keep chasing each other through the internet evolutionary cycle. In this latest evolution, Federated Identity Technology that has been maturing over the last 5 years now has a nascent trust infrastructure that will make it not only functional, but, usable. I have written here previously introducing some concepts of Single Sign-On and Third Party Authentication; these are facets of Federated Identity. I often say that an Identity Federation is one third technology and two thirds legal agreements. It is vital that members of a federation have interoperable technology otherwise nothing works. However the actual glue that makes an Identity Federation useful is the legal agreements that govern behavior of the members. This lets members trust each others' identity assertions, like logins. These legal agreements have to be deeply crafted so that they can satisfy the federation members in the complex regulatory frameworks in which they operate. The InCommon federation has legal agreements that let US academic institutions federate identity infrastructure within the
Family Education Rights & Privacy Act (FERPA)
regulatory framework. OpenID and InformationCards have been flourishing as internet scale identity technologies that have been embraced by companies like Google, VeriSign, PayPal, Verizon and many more. All of these companies have been willing to issue 'portable identities' to their users but few of them have been willing, or able, to accept identities from other providers. The technology has been there but the legal infrastructure has been missing to make this all useful, in this wider context. Last week at RSA; the premier annual online security conference in San Francisco, the formation of a new organization was announced:
Open Identity Exchange (OIX)
. OIX will establish a framework of 'standard' interoperable legal agreements. These agreements will be vetted and accepted by members of OIX and used to establish 'networks of trust'. OIX does not try to establish a single network of trust as the legal agreements for different types of activities will clearly need different legal agreements. Health Record sharing has different demands than Photo Sharing. The first trust network that has been established will enable people with OpenIDs or InfoCards issued by Google, Equifax and PayPal to access US government web sites. OCLC is a
of OIX and holds an advisory board seat. We are there because we see the potential for OIX to provide the library community a vital piece of infrastructure. Over time we see the possibility that the OIX infrastructure can be used provide identity trust between libraries, consortia and content providers and greatly lower the barriers of access to content. The promise is a world in which a patron can log in to their library, large or small, K-12, Public, academic or special and gain direct access to all of the resources that they should be able to access. We will keep you informed as this exciting new space evolves.