Google, PayPal and Equifax are the first identity certifiers approved to offer secure access to government Web sites under a new trust framework operated by Open Identity Exchange. The National Institutes of Health (NIH) will become the first government Web site to allow users to log in using the new system, the organizations announced Wednesday.
Trust frameworks are a way for one site, for example the Internal Revenue Service, to trust identity information about a user provided by another site, such as Equifax, Google or PayPal. Open Identity Exchange (OIX) is the first trust framework to be approved by the US government.
The technology for passing such information from one site to another already exists, in the form of OpenID and Information Card, and for example allows Facebook users to log in to the site using their Google, MySpace or Yahoo ID.
However, those systems alone do not formalise the degree of trust and security that the identification provider promises the site relying on the information. That requires a trust framework, which sets out the rules and standards of security that providers must comply with if they are to be trusted by the relying party, the site accepting the identity information.
Open Identity Exchange operates a trust framework that certifies online identity managers meeting U.S. federal standards for identity assurance. It meets Level Of Assurance 1 (LOA 1), the lowest of four levels of security set by the Identity, Credential and Access Management (ICAM) subcommittee of the US CIO Council.
The NIH will allow users to log in using OIX-certified IDs when they perform tasks such as saving personalised searches of its library of academic papers. It has been testing the use of OpenID and Information Card services for some months as part of its iTrust initiative.
OIX was created with the support of the OpenID Foundation and the Information Card Foundation. Identity providers Equifax, Google and PayPal are members, as are VeriSign, Verizon, CA, Booz Allen Hamilton and the nonprofit Online Computer Library Center (OCLC).