Today’s news about major identity initiatives in the US Federal Government is indeed great news.
But it does make me think. Kick Willemse asked the key question on an OpenID mailing list:
How about a dutch (international) OP fullfilling all criteria?
What about one in Russia or China? Would the US government accept identities asserted by an entity outside of the country? What about Iran? Before the revolution?
What about a multi-national headquartered, in, say, New York? That serves some of its identities from a data center in Mexico? If it now moved headquarters to Bermuda, when then? What if it was acquired by a Chinese company with strong ties to the Chinese government?
Given that identities last much longer than the whims of foreign relations (or M&A activities), doesn’t this open up so many different cans of worms?
The only solutions to all these issues that I can think of are:
- either the individual is in charge of identity provider selection
- or the US government becomes its own identity provider, which in general is not an unreasonable position to take (think passports)
But neither of those is foreseen in the deployments that are planned. So I’m confused where exactly this might be going …