No need for Level of Assurance level 1 and thus OpenID for e-government?

In both the EU and the US there is a lot happening on how citizens identify themselves for e-government services, especially the STORK project in the EU and the ICAM work in the States. Their approaches to e-government identity are drastically different, but in this post I'll focus on what they share: levels of assurance. Basically, level of assurance refers to how certain an identity provider is with respect to the identity of the user, which depends on both the authentication means used and the identity binding process (see, e.g., here for an informal explanation). Both sides of the ocean use (more or less) the same four levels that originate from NIST:

  1. Level 1: Little or no confidence in the asserted identity’s validity.
  2. Level 2: Some confidence in the asserted identity’s validity.
  3. Level 3: High confidence in the asserted identity’s validity.
  4. Level 4: Very high confidence in the asserted identity’s validity.

Looking at the US profiles for OpenID and InfoCard, what got my attention right away is that OpenID is only permitted for level 1 (i.e., no confidence), and that InfoCard is permitted for levels 1 to 3 (I couldn't find the levels for SAML). This seems to me a good decision: OpenID is much less secure than InfoCard, and (in its current version) should IMHO only be used for low-security e-services. I had a brief discussion with my colleague Bob Hulsebosch, who was the main author of the STORK D2.3 deliverable (Quality Authenticator Scheme) that describes the mapping of the different national authentication levels to the STORK (NIST-based) levels. My conclusion from this discussion is that I'm not convinced of the need for an assurance level 1 solution for e-government, and, as a consequence, of the usefulness of OpenID for e-government. I expect most e-government services to be level 2 and up. This is also confirmed by the fact that many EU countries (including the Netherlands) do not have a level 1. Also, the examples for level 1 in the US document "E-Authentication Guidance for Federal Agencies" seem somewhat far-fetched IMHO. And even if there are some significant e-government services for which level 1 would be OK, InfoCard would still be much preferred because of its support for the higher levels as well.
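To make the practical consequence of these profile decisions concrete, here is an added example (my own illustration, not code from STORK, ICAM or any of the protocol specifications) of the check a relying party would perform: each service states the minimum level of assurance it needs, and an authentication is refused when the level the identity provider can credibly assert falls below it. The OpenID (level 1 only) and InfoCard (levels 1 to 3) caps are the ones the post describes; the SAML cap of 4, the `Assertion` structure and the function names are assumptions made for the example.

```python
"""Relying-party level-of-assurance gate (added example, not from the post).

The four NIST levels (1-4) are the ones listed above. A protocol profile may
permit an identity provider to assert only some of them; an assertion that
claims more than its profile permits is treated as the profile's maximum.
"""
from dataclasses import dataclass
from typing import Tuple

# NIST SP 800-63 levels of assurance, as listed in the post.
LOA_DESCRIPTIONS = {
    1: "Little or no confidence in the asserted identity's validity",
    2: "Some confidence in the asserted identity's validity",
    3: "High confidence in the asserted identity's validity",
    4: "Very high confidence in the asserted identity's validity",
}

# Highest level each protocol profile is permitted to assert.
# OpenID (1) and InfoCard (3) follow the US profiles as described in the post;
# the SAML cap of 4 is an assumption (the post could not find the SAML levels).
PROTOCOL_MAX_LOA = {"openid": 1, "infocard": 3, "saml": 4}


@dataclass(frozen=True)
class Assertion:
    """What the relying party has after a successful login (assumed shape)."""
    protocol: str       # "openid", "infocard" or "saml"
    asserted_loa: int   # level the identity provider claims for this login
    subject: str        # user identifier, possibly a pseudonym


def effective_loa(assertion: Assertion) -> int:
    """Level the relying party may actually rely on.

    An identity provider cannot raise its own trustworthiness by claiming a
    level its protocol profile does not permit, so the claim is capped.
    """
    cap = PROTOCOL_MAX_LOA.get(assertion.protocol)
    if cap is None:
        raise ValueError(f"unknown protocol profile: {assertion.protocol!r}")
    if assertion.asserted_loa not in LOA_DESCRIPTIONS:
        raise ValueError(f"level outside 1-4: {assertion.asserted_loa!r}")
    return min(assertion.asserted_loa, cap)


def authorize(service_min_loa: int, assertion: Assertion) -> Tuple[bool, str]:
    """Decide whether a login may reach a service needing `service_min_loa`.

    Returns (allowed, reason); the reason is meant for the audit log.
    """
    if service_min_loa not in LOA_DESCRIPTIONS:
        raise ValueError(f"service requires an unknown level: {service_min_loa!r}")
    level = effective_loa(assertion)
    if level >= service_min_loa:
        return True, (f"{assertion.protocol} login at level {level} "
                      f"meets required level {service_min_loa}")
    return False, (f"{assertion.protocol} login capped at level {level} "
                   f"(claimed {assertion.asserted_loa}); "
                   f"service requires level {service_min_loa}: "
                   f"{LOA_DESCRIPTIONS[service_min_loa]}")


if __name__ == "__main__":
    # Constructed sample logins: a level-2 service (typical e-government)
    # and a level-1 service (e.g. a citizen discussion forum).
    samples = [
        (2, Assertion("openid", 1, "anon-4711")),
        (2, Assertion("openid", 3, "anon-4711")),   # over-claims; capped to 1
        (2, Assertion("infocard", 2, "citizen-1")),
        (1, Assertion("openid", 1, "anon-4711")),
        (4, Assertion("infocard", 3, "citizen-1")),
    ]
    for needed, a in samples:
        allowed, reason = authorize(needed, a)
        print("ALLOW " if allowed else "DENY  ", reason)
```

The cap in `effective_loa` is the point: whether or not a level-1-only protocol is useful, the relying party's policy has to be expressed in terms of the level it can trust, not the level the identity provider claims, and with a level-2-and-up service catalogue an OpenID login never passes the gate.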

Of course, I only follow the US e-government identity discussion from a distance, and maybe there are excellent reasons for supporting a level-1-only scheme. Anyone who has a pointer to an explanation for this, please send it to me. A motivation for the level of assurance decisions for OpenID, InfoCard and SAML is also very welcome.

What I didn't cover explicitly in this post is the very interesting choice to support all three major identity (federation) standards: OpenID, InfoCard and SAML. Most (all?) governments that I'm aware of use only SAML.

3 Responses to No need for Level of Assurance level 1 and thus OpenID for e-government?

  1. Interesting! Regarding the use of OpenID for government, the question is, however, if the only application is G2C, or also interaction between citizens facilitated by government. Think about, e.g., citizen discussion fora. For this sort of thing lower levels of trust (combined with more privacy) might be interesting as well as solving issues with the scale and adoption of cross-European identity.

  2. Peter, you are right, I did have C2G in mind, not C2C facilitated by the government. I guess you'd probably want to make sure that the government cannot easily find out who the citizens are in such a case. OpenID could be used here, with as main requirement that pseudonyms are supported by the IdP/OP. The remainder of the OpenID government profile, and the need for a trust provider, are less obvious to me for a C2C use case.

  3. […] attributes. This is similar to the levels of assurance concept as standardized by NIST (see also a previous post of mine on this), and used by e.g. the EU STORK project. However, level of assurance refers to the identity as […]
