OIX Targets Digital Identity Challenge

The concept of a single online trusted identity is not new, but the reality has proved to be elusive. Now a new nonprofit group called the Open Identity Exchange (OIX) is promising to provide a trusted framework for the exchange of online identity credentials on the public Internet and in private data communications.

A group of companies, including Google (Nasdaq: GOOG), PayPal , Equifax Inc. , VeriSign Inc. (Nasdaq: VRSN), Verizon Enterprise Solutions , CA Technologies (Nasdaq: CA), and Booz Allen Hamilton, today announced the formation of the OIX at the RSA Conference 2010.

The OIX grew out of a US government initiative that created a public-private partnership to address the single trusted identity issues. Three companies -- Equifax, Google, and PayPal – have been certified by the OIX to issue digital identity credentials that can be used to log on to US government Websites in a secure and privacy-protected way. Verizon is currently in the registration process. The National Institute of Health is the first government agency to accept OIX logins and planned to demonstrate that capability at the RSA Conference.

The OIX is the first step in creating more trusted online communications, said Peter Tippett, vice president of security solutions and enterprise innovation at Verizon Business. There is more work to be done to enable higher levels of security, Tippett said.

Consumers and businesses alike have wanted to simplify the process of logging in to Websites by creating a single digital identity, with login and password, that can be used securely. Because different Websites use different types of security, however, logins and passwords varied widely, and could not be used interchangeably.

A number of companies, Verizon included, have developed their own Public Key Infrastructure (PKI) approaches to offering security and have been successful selling those solutions to governments and businesses. For example, Verizon provides the PKI technology for the government of Belgium, for Australian passports with embedded chips, and for the identification cards of both the White House and the Veterans Administration, among many others.

“VeriSign is the number-one provider of Website certificates and Verizon is the number-one provider of PKI infrastructure,” Tippett said.

But with many different companies providing security solutions, it becomes hard to verify the business processes and practices of each, so that consumers can confidently exchange personal information, Tippett explained. The OIX is intended to provide that verification to enable more confident exchange of login and password information among different sites and different organizations.

The OpenID (OIDF) and Information Card Foundation, which provided grant money to help fund the OIX, provide the technology to enable the use of identity credentials across different Websites, but can’t verify the extent to which those credentials can be trusted.

"OpenID allows sharing across systems, but they kept running into the challenge of how to know that the people at Google or Verizon really have policies and procedures that are good enough, and are enforcing those policies and procedures well enough,” Tippett said. “The OIX is a framework for making sure that each of us is doing a good enough job.”

It will be up to individual players to determine how they use the OIX capability. Verizon plans to “be in the identity business” and to use the OIX to enable its customers to connect to multiple other sites and resources, he said.

Tippett points out, however, that the OIX is not the last word in online security -- there are liable to be more highly secure technologies for accessing the most sensitive of results, such as health records, medical tests, or tax records.

— Carol Wilson, Chief Editor, Events, Light Reading