I was up on whitehouse.gov this morning signing up for a petition. Going through the normal account registration processes, I was looking in vain for the “login with Facebook” or “login with Google” buttons.
I am sure this version of the identity system for the web site has been in place for some time, but what happened to the dreams of utilizing OpenID (or more appropriately OpenID Connect) as the basis for registering and authenticating users to this site?
whitehouse.gov is a trivial relying party from an identity perspective. The information requested is all self-asserted. The only item an IDP (OP in this case) might not be able to assert is the zip code.
Four years ago, at the behest of the White House, I and a few other intrepid souls (I, in the guise of PayPal) set up several LOA1 IDPs with the express goal of supporting citizen access to this site – it was a high-risk engagement for me and others at PayPal personally at that time and had its own internal implications.
whitehouse.gov was certainly using OpenID at one point, so they obviously backed it out at some later point.
I feel a little like American-occupied countries that are promised a long future of support only to find out the USA got bored 12 months later.
We are fast coming up on the next IDESG meetings in Phoenix. Here is the question for NSTIC and the White House. “If a low-risk web site operated by the White House is failing to use the most fundamental identity technologies (or worse, has turned them off), why should the rest of the USA conclude that it is worth taking any action to implement this identity stuff?” This is a terrible reference for the NSTIC program.
Over the years there have been numerous meetings at the White House leading up to the formation of NSTIC and the IDESG. In those meetings several of us made the plea that apart from all of the multitudinous complexities the NSTIC program could address, if we simply had help engaging with RPs then we could advance the cause and adoption of trusted identities and transactions.
Four years later, we have not made any progress with RPs. Instead we have a governance structure that rivals that of a small nation in complexity (though to be fair, I have always favored an LDAP over X.500 approach) and are just settling down to debate the big questions – none of which may be worth the proverbial hill of beans.
Once you clear away all the privacy issues, the rules of engagement, the sectarian interests and all of our hopes, the most important question still appears to be unanswered…
“Can we provide value to RPs that they will pay for?”
If the answer is yes, a lot of issues will be worked out in the process of growing that ecosystem. If the answer is no, then NSTIC and the associated efforts are largely a waste of time.