The Open Identity Exchange (OIX) is a membership organisation that works to accelerate the adoption of

digital identity A digital identity is information used by computer systems to represent an external agent – a person, organization, application, or device. Digital identities allow access to services provided with computers to be automated and make it possibl ...

services based on

open standards An open standard is a standard that is openly accessible and usable by anyone. It is also a prerequisite to use open license, non-discrimination and extensibility. Typically, anybody can participate in the development. There is no single definitio ...

. It is a

non-profit A nonprofit organization (NPO) or non-profit organisation, also known as a non-business entity, not-for-profit organization, or nonprofit institution, is a legal entity organized and operated for a collective, public or social benefit, in co ...

organisation and is technology agnostic. It is collaborative, and works across the

private Private or privates may refer to: Music * "In Private", by Dusty Springfield from the 1990 album ''Reputation'' * Private (band), a Denmark-based band * "Private" (Ryōko Hirosue song), from the 1999 album ''Private'', written and also recorded ...

and

public sector The public sector, also called the state sector, is the part of the economy composed of both public services and public enterprises. Public sectors include the public goods and governmental services such as the military, law enforcement, in ...

s. Members work together to jointly fund and participate in

pilot project A pilot study, pilot project, pilot test, or pilot experiment is a small-scale preliminary study conducted to evaluate feasibility, duration, cost, adverse events, and improve upon the study design prior to performance of a full-scale research pr ...

s (sometimes referred to as alpha projects). These pilots test business, legal and/or technical concepts or theory and their interoperability in real world

use cases In software and systems engineering, the phrase use case is a polyseme with two senses: # A usage scenario for a piece of software; often used in the plural to suggest situations where a piece of software may be useful. # A potential scenario i ...

. A

white paper A white paper is a report or guide that informs readers concisely about a complex issue and presents the issuing body's philosophy on the matter. It is meant to help readers understand an issue, solve a problem, or make a decision. A white pape ...

is published for every project.

History

Genesis

Shortly after coming into office, the Obama administration asked the

U.S. General Services Administration The General Services Administration (GSA) is an independent agency of the United States government established in 1949 to help manage and support the basic functioning of federal agencies. GSA supplies products and communications for U.S. gove ...

(GSA) how to leverage open identity technologies to allow the American public to more easily, efficiently, and safely interact with federal websites such as the

National Institute of Health The National Institutes of Health, commonly referred to as NIH (with each letter pronounced individually), is the primary agency of the United States government responsible for biomedical and public health research. It was founded in the late ...

(NIH), the

Social Security Administration The United States Social Security Administration (SSA) is an independent agency of the U.S. federal government that administers Social Security, a social insurance program consisting of retirement, disability and survivor benefits. To qualify fo ...

(SSA), and the Internal Revenue Service (IRS). At the 2009

RSA Conference The RSA Conference is a series of IT security conferences. Approximately 45,000 people attend one of the conferences each year. It was founded in 1991 as a small cryptography conference. RSA conferences take place in the United States, Europe, Asia ...

, the GSA sought to build a public/private partnership with the Open ID Foundation (OIDF) and the

Information Card Foundation Information Card Foundation (ICF) is an independent non-profit organization created in June 2008. The ICF consists of Steering Community board members and Steering Business board members. Some of the businesses include Equifax, Google, Microsoft, N ...

(ICF) in order to craft a workable identity information framework that would establish the legal and policy precedents needed to establish trust for Open ID transactions. The partnership eventually developed a trust framework model, described below. Further meetings were held at the Internet Identity Workshop in November 2009, which resulted in OIDF and ICF forming a joint steering committee. The committee's task was to study the best implementation options for the newly created framework.

Foundation

The US Chief Information Officer recommended the formation of a non-profit corporation, the Open Identity Exchange (OIX). In January 2010, the OIDF and ICF approved grants to fund the creation of the Open Identity Exchange. OIX was the first trust framework provider certified by the US Government.

Booz Allen Hamilton Booz Allen Hamilton Holding Corporation (informally Booz Allen) is the parent of Booz Allen Hamilton Inc., an American management and information technology consulting firm, headquartered in McLean, Virginia, in Greater Washington, D.C., wit ...

CA Technologies CA Technologies, formerly known as CA, Inc. and Computer Associates International, Inc., is an American multinational corporation headquartered in New York City. It is primarily known for its business-to-business (B2B) software with a product p ...

Equifax Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion (together known as the "Big Thr ...

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

PayPal PayPal Holdings, Inc. is an American multinational financial technology company operating an online payments system in the majority of countries that support online money transfers, and serves as an electronic alternative to traditional paper ...

Verisign Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the , , and gene ...

, and

Verizon Verizon Communications Inc., commonly known as Verizon, is an American multinational telecommunications conglomerate and a corporate component of the Dow Jones Industrial Average. The company is headquartered at 1095 Avenue of the Americas in ...

were all members of either OIDF and ICF, and agreed to become founding members of OIX.

Launch

The Open Identity Exchange was publicly launched at RSA 2010 and it addressed the increasing challenges of building trust in online identity as outlined below: * Relying Parties must be able to trust that the

Identity Provider An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. ...

is providing accurate data * Identity Providers must be able to trust that the Relying Party is legitimate (i.e. not a

hacker A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...

phisher Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...

, etc.) * Direct relying parties to identity provider trust agreements are a common solution, but are impossible to manage at Internet scale In 2012 the

executive director Executive director is commonly the title of the chief executive officer of a non-profit organization, government agency or international organization. The title is widely used in North American and European not-for-profit organizations, thoug ...

position was founded and

National Strategy for Trusted Identities in Cyberspace The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a US government initiative announced in April 2011 to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the privat ...

(NSTIC) pilot projects showed the growing proof of traction and increased awareness and attention. In 2012 OIX UK was formed and throughout 2013 initial UK Cabinet Office Identity Assurance Programme (IDAP) pilots were launched and white papers published.

OIXnet

In 2014, OIX established the OIXnet trust registry, a global authoritative registry of business, legal and technical requirements needed to ensure market adoption and global interoperability. In 2014, OIDF also announced plans to register all companies self-certifying conformance to OpenID Connect via the OpenID Certification Program on OIXnet.

Purpose

It is an official online and publicly-accessible repository of documents and information relating to identity systems and identity system participants. Referred to as a “registry”, it functions as an official and centralized source of such documents and information, much like a government-operated recorder of deeds. That is, individuals and entities can register documents and information with the OIXnet registry to provide notice of their contents to the public, and members of the public seeking access to such documents or information can go to that single authoritative location to find them. The OIXnet registry is designed to provide a single comprehensive and authoritative location where documents and information relating to a specific purpose (in this case, identity systems) can be safely stored for the purpose of putting others on notice of certain facts, and from which such documents and information can be accessed by interested stakeholders seeking such information.

Early participants

OIXnet was launched in 2015. OpenID Foundation was the first registrant by registering the initial set of organizations, including

ForgeRock ForgeRock, Inc. is a multinational identity and access management software company headquartered in San Francisco, U.S.A. with offices in Bristol, London, Grenoble, Vancouver (USA), Oslo, Munich, Paris, Sydney, and Singapore. The ForgeRock Iden ...

Microsoft Microsoft Corporation is an American multinational corporation, multinational technology company, technology corporation producing Software, computer software, consumer electronics, personal computers, and related services headquartered at th ...

, NRI,

and Ping Identity, certifying conformance to

OpenID OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provid ...

Connect. Additional registrations were added to OIXnet throughout 2015 and 2016 with 10 trusted identity services currently registered.

Status

The OIXnet registry is currently in pilot in 2016 registering new and diverse trust frameworks and communities of interest.

International chapters

OIX developed a chapters policy in 2015 that allows regional OIX chapters to be established. In 2016 the OIX United Kingdom Chapter was approved by OIX board and launched.

Leadership

The OIX board represents leaders in online identity in the internet, telecom and data aggregation industries concerned with both market expansion and information security.

Government relations

The OIX board met with

Howard Schmidt Howard Anthony Schmidt (October 5, 1949 – March 2, 2017) was a partner with Tom Ridge in Ridge Schmidt Cyber LLC, a consultancy company in the field of cybersecurity. He was the Cyber-Security Coordinator of the Obama Administration, operating ...

in 2011 to discuss the

public–private partnership A public–private partnership (PPP, 3P, or P3) is a long-term arrangement between a government and private sector institutions.Hodge, G. A and Greve, C. (2007), Public–Private Partnerships: An International Performance Review, Public Administ ...

envisioned in the NSTIC strategy. The UK government's Cabinet Office joined the OIX at board level, as it began the work on its Identity Assurance Programme which is now

GOV.UK Verify GOV.UK Verify was an identity assurance system developed by the British Government Digital Service (GDS) which was in operation between May 2016 and April 2023. The system was intended to provide a single trusted login across all British governme ...

. The States of Jersey joined in 2015 so they could leverage the knowledge gained during the development of the UK government identity assurance programme to hasten adaptation and adoption for Jersey.

Membership

The Open Identity Exchange currently has thirteen executive members and 50+ general members as of November 2016. Executive Members *

Barclays Barclays () is a British multinational universal bank, headquartered in London, England. Barclays operates as two divisions, Barclays UK and Barclays International, supported by a service company, Barclays Execution Services. Barclays traces ...

UK Cabinet Office The Cabinet Office is a department of His Majesty's Government responsible for supporting the prime minister and Cabinet. It is composed of various units that support Cabinet committees and which co-ordinate the delivery of government objecti ...

Experian Experian is an American–Irish multinational data analytics and consumer credit reporting company. Experian collects and aggregates information on over 1 billion people and businesses including 235 million individual U.S. consumers and more ...

International Airlines Group International Consolidated Airlines Group S.A., trading as International Airlines Group and usually shortened to IAG, is an Anglo-Spanish multinational airline holding company with its registered office in Madrid, Spain, and its global headquar ...

LexisNexis LexisNexis is a part of the RELX corporation that sells data analytics products and various databases that are accessed through online portals, including portals for computer-assisted legal research (CALR), newspaper search, and consumer info ...

Ping Identity Ping Identity Corporation is an American software company established in 2002 by Andre Durand and Bryan Field-Elliot. It is headquartered in Denver, Colorado, United States with development offices in Vancouver, British Columbia, Tel Aviv, Israel, ...

Symantec Symantec may refer to: *An American consumer software company now known as Gen Digital Inc. *A brand of enterprise security software purchased by Broadcom Inc. Broadcom Inc. is an American designer, developer, manufacturer and global supplier ...

* Timpson *

OIX UK Europe Chapter

At the beginning of 2015 the Cabinet Office requested Open Identity Exchange to begin a process of exploring the legal, business and pragmatic considerations of creating a self-sustaining UK ‘chapter’ of the Open Identity Exchange. To that point OIX UK operated as an independent UK entity able to administer ‘directed funding’ from member organisations. It had received a series of grants from the UK Cabinet Office that were used for the collaboratively funded projects. An ad-hoc board of advisers was formed of independent, experienced, public and private sector leaders who addressed policy considerations during this transition process. In addition to considering the role of OIX UK in the future, this board of advisers considered the private sector's needs for identity services, resulting in an ongoing OIX project. The Open Identity Exchange board of directors approved an OIX chapters policy at the end of 2015, allowing the formation of individual chapters affiliated with OIX in various local markets. In April 2016 the OIX UK Europe Chapter appointed its board of directors.

White Papers

The OIX White Papers deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions. They are written by experts in the fields of technology, particularly open identity.

OIX

*OIX: An Open Market Solution for Online Identity Assurance

Trust Frameworks

*Trust Framework Requirements and Guidelines *The Personal Network: A New Trust Model and Business Model for Personal Data *Federated Online Attribute Exchange Initiatives *Personal Levels of Assurance (PLOA) *The Three Pillars of Trust

UK Identity Assurance Programme (IDAP)

*Overview of Legal Liability in the IDAP (In development)

US National Strategy for Trusted Identities in Cyberspace (NSTIC)

*Comments on U.S. NSTIC Steering Group Draft Charter and Related Governance Issues *United States National Strategy for Trusted Identities in Cyberspace Identity Ecosystem Steering Committee Plenary and Governing Board Charter *OIX Response to "Models for a Governance Structure for the National Strategy for Trusted Identity in Cyberspace"

White Papers Published in 2016

Open Identity Exchange (OIX) White Papers focus on current issues and opportunities in emerging identity markets. OIX white papers are intended to deliver value to the identity ecosystem and take one of two perspectives: a retrospective report on the outcome of a given project or pilot or a prospective discussion on a current issue or opportunity. OIX White Papers are authored by independent domain experts and are intended as summaries for a general business audience. Recent published whitepapers include: • Use of online activity as part of the identity verification • UK private sector needs for identity assurance • Use of digital identity in peer-to-peer economy • Shared signals proof of concept • Creating a digital identity in Jersey • Just Giving and GOV.UK Verify • Creating a pensions dashboard • Could digital identities help transform consumers attitudes and behavior towards savings? • Digital identity across borders: opening a bank account in another EU country • Generating Revenue and Subscriber Benefits: An Analysis of: The ARPU of Identity

Projects

OIX projects deliver joint research to examine a wide range of challenges facing the open identity market and to provide possible solutions.

States of Jersey: Creating a Digital ID

The hypothesis was that the UK Government identity assurance model could be adapted for

Jersey Jersey ( , ; nrf, Jèrri, label=Jèrriais ), officially the Bailiwick of Jersey (french: Bailliage de Jersey, links=no; Jèrriais: ), is an island country and self-governing Crown Dependencies, Crown Dependency near the coast of north-west F ...

with the support of certified UK IdPs and potential identity assurance hub providers, to meet the requirements of SoJ. The hypothesis also considered that this would create an attractive market opportunity in Jersey for one or more of these providers.

LIGHTest Project

This is a 3-year project that started in September 2016 and is partially funded from the European Union

Horizon 2020 The Framework Programmes for Research and Technological Development, also called Framework Programmes or abbreviated FP1 to FP9, are funding programmes created by the European Union/European Commission to support and foster research in the Europea ...

research and innovation programme under G.A, No. 700321. The LIGHTest consortium consists of 14 partners from 9 European countries and coordinated by

Fraunhofer-Gesellschaft The Fraunhofer Society (german: Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V., lit=Fraunhofer Society for the Advancement of Applied Research) is a German research organization with 76institutes spread throughout Germany ...

. The project looks to reach out beyond Europe, to build a global community.
LIGHTest
(Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Stakeholders and Trust schemes) The objective of LIGHTest is to create a global cross-domain trust infrastructure that renders it transparent and easy for verifiers to evaluate electronic transactions. By querying different trust authorities worldwide and combining trust aspects related to identity, business, reputation etc. it will become possible to conduct domain-specific trust decisions. This is achieved by reusing existing governance, organization, infrastructure, standards, software, community, and know-how of the existing

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned ...

, combined with new innovative building blocks. This approach allows an efficient global rollout of a solution that assists decision makers in their trust decisions. By integrating mobile identities into the scheme, LIGHTest also enables domain-specific assessments on Levels of Assurance for these identities.

GOV.UK Verify

The UK Government, Cabinet Office joined the OIX at board level, as it began the work on its Identity Assurance Programme (IDAP). Through the OIX Directed Funding programme, a considerable number of projects continue to be carried out under OIX governance, the results of which have helped with the ongoing development o
GOV.UK Verify
Work continues as GDS looks at how digital identities can be used in both the public and private sector. GOV.UK Verify is built and maintained by the

Government Digital Service The Government Digital Service is a unit of the Government of the United Kingdom's Cabinet Office tasked with transforming the provision of online public services. It was formed in April 2011 to implement the "Digital by Default" strategy pro ...

(GDS), part of the Cabinet Office. The UK Government is committed to expanding GOV.UK Verify and helping to grow a market for identity assurance that will be able to meet user needs in relation to central government services, as well as for local, health and private sector services. GOV.UK Verify uses certified companies to verify your identity to government. A certified company is a private company that works to high industry and government standards when they verify your identity.

References

External links

* {{Official website, openidentityexchange.org
OIXnet
Cloud standards Password authentication Federated identity Identity management initiative Computational trust Information technology organisations based in the United Kingdom Organisations based in the City of Westminster