Icam question at didw

From: Peter Williams

Here is the question I was going to ask the panel about trust frameworks for open govt (at Digital ID World conference, Las Vegas, today). (There was no time left for nobodies like me.)

We know from the SSL world that even basic assurance audits cost about $500,000 the first year, and $200,000 thereafter. How will the program ensure that the very financial obligations do not eliminate small and medium size companies from the new identity economy?

If required, I was prepared to get specific, saying that our industry of many SME companies has very high quality, very up to date attribute info on about 100 million consumers. But it's not obvious we can afford to play.

_______________________________________________
general mailing list
general@...
http://lists.openid.net/mailman/listinfo/openid-general
Re: Icam question at didw

From: John Bradley

I can say that the OIDF shares the concern of keeping costs down for small IdP. That is why they are directly engaged in the process.

The goal is to get everyone who can meet the certification requirements certified.

The foundation doesn't have the financial resources to make that free however.

If the membership has strong feelings about pricing models please share them with the board.

Nothing has been finalized yet.

John B.

On 2009-09-16, at 6:12 PM, Peter Williams wrote:
Re: Icam question at didw

From: Peter Williams

I think it would be useful to justify the cost for small, medium and large firms.

Small means a firm with ~50 associates/employees. In realty, this is a typical independent brokerage. There are 2 or 3 in the average size city. Annual revenue may be 10m (revenue, not transaction value). The trust network from that office accumulates year over year and will typically be 10-20k "active" consumers in that local market.

Medium size is ~250 associates in several offices across town, and is probably part of a national franchise. Revenues per office will be 60-100m, but probably audit costs can be partially shared across the franchise. A large franchise will manage 10m identities, nationally.

Then there are the existing governance structures who in aggregate are "big companies", with major budgets, and for whom $500k on IT audits is normal and is par for the course (providing controls and tests from related audits (e.g. PCI) can be reapplied). But if the audit tests the 800 leaves of the aggregation space (since realty operates like DoD with "local" registration authorities) then 800 * 500k is just not sustainable. 800 * 200k a year essentially becomes a privacy tax...

On Sep 16, 2009, at 4:03 PM, "John Bradley" <ve7jtb@...> wrote:
Re: Icam question at didw

From: John Bradley

You raise good points.

We are looking at ways that people's existing auditors may be able to perform the function to keep costs down.

Certainly the OIDF is not looking at this to be a money maker. But it also has little money.

I think you should take your use case to the certification committee of the board who are looking at those issues.

John B.

On 2009-09-16, at 7:30 PM, Peter Williams wrote:
Re: Icam question at didw

From: Peter Williams

To ensure I'm not presenting a unique use case, I've chatted about openid -> .gov with some other trade associations offline - those with mass memberships linked by the internet.

These organizations typically have large value political action committees, focused on their preferred political party (or other funded groups). At the DIDW conference itself last week, one large labor union was able to proudly show off its own organizing power - at the grassroots level. One should assume that their membership would be proud to interface to government functions under their union's banner. (I don't recall which political party they associate with.)

Is the OIDF trust scheme likely to be accommodating or hostile to such associations and unions (of which there are many examples, with a large variety of political affiliations)? These organizations are typically excellent at grassroots representation, and would presumably be excellent candidate IdPs under the OIDF trust scheme (since openid was originally about grass roots trust)?

In scheme design, one should assume that a huge trade association like the National Association of Realtors (NAR) outsources its web2.0 portal to some or other competitive vendor, that it may change vendor in any given year, or the association may just build its own by mashing-up 5 service vendors. Technology aside, like unions one should assume a mature, working centralized membership system, may even have a proposed smartcard-capable identity card, has a security program for its local-office feeder sites, and has existing certification protocols for delegating registration and identity vetting to thousands of brick-and-mortar offices with accredited officials who typically know people by sight.

Will there be any professional mandates? Must the application be prepared and prosecuted by a CISSP at minimum, or will it perhaps require a CPA to interact with a formal AICPA-grade "attestation", or ...?

I assume that being audited under the trust scheme criteria does NOT require the applicant to be a member of the OIDF. This would add an annual cost burden in addition to internal audit costs and external fees to the OIDF's chosen audit firm.

Finally, I would love NAR (with its incredible organizing power, and a long history of running internal security programs) to join the OIDF formally, and help round out the trust scheme for the benefit of itself and other associations. I've lobbied for that before; but, unfortunately, Peter is a powerless pleb. If we could make the case, I know that NAR is pro-openid, loves open source culture, and even has VC-money to invest in such strategic initiatives. A skilled networker would have an excellent opportunity to bridge what I cannot, and get them onboard in my view - with specific focus on the trust scheme.

-----Original Message-----
From: John Bradley [mailto:ve7jtb@...]
Sent: Wednesday, September 16, 2009 4:39 PM
To: Peter Williams
Cc: openid General
Subject: Re: [OpenID] Icam question at didw
Re: Icam question at didw

From: John Bradley

It is probably best for someone from the Board to answer for their intentions re pricing.

I can tell you that there is nothing in the Trust Provider Framework Adoption process from the GSA that would intentionally stop Unions or any other legal entity from applying to be a credential issuer for the US Gov.

There are also quite likely to be more than one Trust Framework Provider per protocol. I believe Kantara is also applying to certify IdP for the openID as well as SAML.

Almost anyone can apply to be a trust framework provider including NAR if they want to. Being a Trust Framework Provider is a large and expensive undertaking, but is possible.

I expect that the OIDF will be the most economical way for those organizations to get certified, but it is not their only option.

I suspect but don't know for certain that applicants won't need to be members of the OIDF; some people may not be able to join for a number of reasons.

John B.

On 2009-09-19, at 1:00 PM, Peter Williams wrote:
Re: Icam question at didw

From: Don Thibeau

John has accurately characterized our plans below.

Membership in the OpenID Foundation will not be required. Membership in the OIDF will likely provide some benefits but the OIDF Board has not yet finalized operational details.

We continue to collaborate with InCommon, the Information Card Foundation and others to provide a community wide approach that shares common values. The pilot phase is a test of both technology and trust framework adoption and continues our close work with the GSA ICAM.

The objective is to cover costs and take an "open market" approach, e.g. leaving the choice of auditor to those who wish to be certified. The Board has, from the beginning, set three goals: to promote self certification, maintain low costs and overhead, and ensure credibility. All this is in support of the Foundation's primary mission to protect OpenID IPR and promote adoption.

We are planning discussions of these and other related topics at the TAO of Identity and other OIDF sponsored conferences like IIW.

Don Thibeau

-----Original Message-----
From: John Bradley <ve7jtb@...>
Date: Sat, 19 Sep 2009 13:15:36
To: Peter Williams<pwilliams@...>
Cc: openid General<general@...>
Subject: Re: [OpenID] Icam question at didw
Re: Icam question at didwI know both the community and corporate board is overly-stuffed with technology type personalities. Folks might want to recognize that the typical customer of the provider of a standard audit is likely to choose the scheme "provider" (for openid protocol) that is aligned with its wider membership interests and sensibilities.
The foundation needs to present itself as 'in business' - and market to those credential-providing firms whose interests OIDF would more widely embody - that Kantara may not. Obviously, the foundation needs its operating costs covered, and requiring membership is not out of the question. This whole matter just requires an outline of cost structures, so budgets (typically made 1-2 years) ahead of time can be arranged. One may need an associate-corporate membership class for example, for firms that want the C&A service but cannot afford the membership cost on the current formula (given they have such large internal membership themselves). I'd guess, if a trade-association like NAR has a choice and the desire to act at this point, it would much prefer OIDF to Kantara - not that I know one way or the other (to be fair to Kantara). Assuming all things otherwise equivalent, it's going to come down to alignment of organizational missions. If OIDF can take its grassroots experience within the identity community and become the brand with which the other (non-identity) grassroots organizations feel comfortable, it's got an excellent change of carving out a large share of the C&A-based funding. This is making me feel like joining as an individual member, now; that IPR issue notwithstanding. I think we can even the $$ playing field a bit in the delivery of a C&A program, simply by leveraging all the C&A methods the SSL community has developed over 15 years - and placed into the public domain. This would be a good area to get the newer members of the CISSP community excited over, too. There are 30,000 of them to call on, and 5000 of new to the industry with no affiliation to speak of. If just 1% of that community were to find themselves OIDF-aligned as individuals, that's a good start in C&A skills baselining. One only needs then to associate with 5-10 CISSPs with the higher training in formal govt C&A. With that, the OIDF resume would match anything anyone else has to offer. 
-----Original Message-----
From: John Bradley [mailto:ve7jtb@...]
Sent: Saturday, September 19, 2009 10:16 AM
To: Peter Williams
Cc: openid General
Subject: Re: [OpenID] Icam question at didw

It is probably best for someone from the Board to answer for their intentions re pricing.

I can tell you that there is nothing in the Trust Provider Framework Adoption process from the GSA that would intentionally stop Unions or any other legal entity from applying to be a credential issuer for the US Gov.

There are also quite likely to be more than one Trust Framework Provider per protocol.

I believe Kantara is also applying to certify IdP for openID as well as SAML.

Almost anyone can apply to be a trust framework provider including NAR if they want to.

Being a Trust Framework Provider is a large and expensive undertaking, but is possible.

I expect that the OIDF will be the most economical way for those organizations to get certified, but it is not their only option.

I suspect but don't know for certain that applicants won't need to be members of the OIDF, some people may not be able to join for a number of reasons.

John B.

On 2009-09-19, at 1:00 PM, Peter Williams wrote:

> To ensure I'm not presenting a unique use case, I've chatted about openid -> .gov with some other trade associations offline - those with mass memberships linked by the internet.
>
> These organizations typically have large value political action committees, focused on their preferred political party (or other funded groups). At the DIDW conference itself last week, one large labor union was able to proudly show off its own organizing power - at the grassroots level. One should assume that their membership would be proud to interface to government functions under their union's banner. (I don't recall which political party they associate with.)
>
> Is the OIDF trust scheme likely to be accommodating or hostile to such associations and unions (of which there are many examples, with a large variety of political affiliations)? These organizations are typically excellent at grassroots representation, and would presumably be excellent candidate IdPs under the OIDF trust scheme (since openid was originally about grassroots trust).
>
> In scheme design, one should assume that a huge trade association like the National Association of Realtors (NAR) outsources its web2.0 portal to some or other competitive vendor, that it may change vendor in any given year, or the association may just build its own by mashing up 5 service vendors. Technology aside, like unions one should assume a mature, working centralized membership system, which may even have a proposed smartcard-capable identity card, has a security program for its local-office feeder sites, and has existing certification protocols for delegating registration and identity vetting to thousands of brick-and-mortar offices with accredited officials who typically know people by sight.
>
> Will there be any professional mandates? Must the application be prepared and prosecuted by a CISSP at minimum, or will it perhaps require a CPA to interact with a formal AICPA-grade "attestation", or ...?
>
> I assume that being audited under the trust scheme criteria does NOT require the applicant to be a member of the OIDF. This would add an annual cost burden in addition to internal audit costs and external fees to the OIDF's chosen audit firm.
>
> Finally, I would love NAR (with its incredible organizing power, and a long history of running internal security programs) to join the OIDF formally, and help round out the trust scheme for the benefit of itself and other associations. I've lobbied for that before; but, unfortunately, Peter is a powerless pleb. If we could make the case, I know that NAR is pro-openid, loves open source culture, and even has VC money to invest in such strategic initiatives. A skilled networker would have an excellent opportunity to bridge what I cannot, and get them onboard in my view - with specific focus on the trust scheme.
>
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@...]
> Sent: Wednesday, September 16, 2009 4:39 PM
> To: Peter Williams
> Cc: openid General
> Subject: Re: [OpenID] Icam question at didw
>
> You raise good points.
>
> We are looking at ways that people's existing auditors may be able to perform the function to keep costs down.
>
> Certainly the OIDF is not looking at this to be a money maker. But it also has little money.
>
> I think you should take your use case to the certification committee of the board who are looking at those issues.
>
> John B.
>
> On 2009-09-16, at 7:30 PM, Peter Williams wrote:
>
>> I think it would be useful to justify the cost for small, medium and large firms.
>>
>> Small means a firm with ~50 associates/employees. In realty, this is a typical independent brokerage. There are 2 or 3 in the average size city. Annual revenue may be 10m (revenue, not transaction value). The trust network from that office accumulates year over year and will typically be 10-20k "active" consumers in that local market.
>>
>> Medium size is ~250 associates in several offices across town, and is probably part of a national franchise. Revenues per office will be 60-100m, but probably audit costs can be partially shared across the franchise. A large franchise will manage 10m identities, nationally.
>>
>> Then there are the existing governance structures who in aggregate are "big companies", with major budgets, and for whom $500k on IT audits is normal and is par for the course (providing controls and tests from related audits (eg PCI) can be reapplied). But if the audit tests the 800 leaves of the aggregation space (since realty operates like DoD with "local" registration authorities) then 800 * 500k is just not sustainable. 800 * 200k a year essentially becomes a privacy tax...

_______________________________________________
general mailing list
general@...
http://lists.openid.net/mailman/listinfo/openid-general
Re: Icam question at didw

Will there be any criteria on the acceptable audit firms?

Can anyone claim to be a [security/IT] auditor, or are there minimum professional requirements (report must be signed by a CPA, for example)?

Is the choice of firm subject to some third party acceptance (post report/expense)?

Will there be a register of authorized audit practitioners?

Is the US federal govt the final decision maker, post hoc? Or is the OIDF's acceptance the _final_ determination?

If these questions are too hard at this early "design" stage, perhaps folks could alternatively identify a well-known scheme which is generally aligned with the philosophy OIDF is aiming for? Here are a few examples, none of which may be applicable.

1. Folks are perfectly happy with how Mozilla runs its root registration authority. It's a good model.

2. Folks would want an assurance documentation and testing methodology equal to or better than WebTrust for CAs.

3. BS7799 is a minimum baseline for criteria. All topic areas are mandatory.

4. A quick and dirty 2 day evaluation by McAfee of your corporate posture scoring 7 out of 10 or better + a continuous penetration test on the outside network by a web scanning company is quite sufficient.

5. A company without ITIL certification (or equivalent) really should not be looking at even trying.

6. It's quite enough to be a Google-for-domains subscriber... as one inherits Google's own audit result...

7. If you are in good standing with VeriSign to operate a VeriSign class 3 SSL server cert, that's more than adequate for OIDF.

8. If the IdP system is within the PCI boundary and a VISA acquirer has accepted one's PCI claims and evidence, one is below the minimum requirements... but one is getting pretty close.

9. If you cannot afford the insurance to assume a formal financial responsibility level of $100 per subscriber, get out of the way.

-----Original Message-----
From: Don Thibeau [mailto:don@...]
Sent: Saturday, September 19, 2009 10:53 AM
To: John Bradley; Peter Williams
Cc: general @ OpenID.com
Subject: Re: [OpenID] Icam question at didw

John has accurately characterized our plans below.

Membership in the OpenID Foundation will not be required. Membership in the OIDF will likely provide some benefits but the OIDF Board has not yet finalized operational details. We continue to collaborate with InCommon, the Information Card Foundation and others to provide a community wide approach that shares common values.

The pilot phase is a test of both technology and trust framework adoption and continues our close work with the GSA ICAM.

The objective is to cover costs and take an "open market" approach, e.g. leaving the choice of auditor to those who wish to be certified.

The Board has, from the beginning, set three goals: to promote self certification, maintain low costs and overhead, and ensure credibility. All this is in support of the Foundation's primary mission to protect OpenID IPR and promote adoption.

We are planning discussions of these and other related topics at the TAO of Identity and other OIDF sponsored conferences like IIW.

Don Thibeau
Re: Icam question at didw

InCommon http://www.incommonfederation.org/ has a model that has been accepted by the GSA for their existing cross federation. That has been one of the main inputs to our approach.

The joint OIDF and ICF white-paper on open trust frameworks is also informative. It is still a work in progress though. http://openid.net/government/

The ICF has a FAQ pointing to a bunch of the relevant docs as well: http://informationcard.net/faqs/open-identity-initiative

This may be a major turning point in our community/industry. People should pay attention to what is going on.

Thanks for your interest Peter.

John B.
Re: Icam question at didw

"Being a Trust Framework Provider is a large and expensive undertaking, but is possible."

Given my experience with the SSL root registration business, passing CA audits, and selling root keys to folks for millions of dollars each, I find it eminently possible. Apart from technology swap, we seek to be in a pretty classical area of assurance management/testing. Given there is now an apparent demand curve, and there is a shortage of qualified suppliers, it seems a perfect time to invest. Just like folks invested in making shell SSL root keys (for selling on to folks late to the SSL party), one can be building shell schemes and IdPs.

This should be nicely profitable, assuming one has the know-how and clean VC-quality IP cleanliness, of course.

It's nice to see NORMAL market dynamics entering the space. Gone are the days when none of us were "supposed to make money" (18 months ago, only!)
Re: Icam question at didw

You are correct, it is similar to the CA business but not the same. I wouldn't want some of the practices there to be repeated.

Trust framework certification might be a profitable business; I suspect that is what Kantara hopes. I suspect others see it as a profitable venture as well.

I don't think the foundation sees itself competing long term in that market. I think their goal is to establish an open market where all of the IdPs have a chance to compete.

Commercial success will depend on the value IdPs see in certification by this or other trust frameworks. The real money is in higher LoA and attributes.

The GSA LoA 1 certification is the training wheels that will let us start understanding the market.

John B.