US gov sites embrace GooHoo instant logins
Obama does OpenID
Hoping to make it easier for American citizens to log into and use federal web sites, the US government has embraced not one but two digital identity standards: OpenID and InfoCard.
Today, the nation's (first) chief information officer, Vivek Kundra, announced a pilot program that will let you log into a handful of government websites using an OpenID or an Information Card. In other words, you can log in via existing accounts you've set up with Google, Yahoo!, PayPal, and other prominent web outfits - without setting up a new username and password.
The pilot program ropes in the websites of the Center for Information Technology (CIT), the National Institutes of Health (NIH), the US Department of Health and Human Services (HHS), and related agencies. Ten big-name OpenID providers will drive seamless logins, including Yahoo!, PayPal, Google, AOL, and VeriSign. For some reason, Microsoft - an InfoCard champion - is not on the list.
The ten outfits have all passed a certification process laid down by the not-for-profit OpenID Foundation (OIDF) and Information Card Foundation (ICF), and reviewed by the federal government. Others can apply for certification as well.
The move follows the "open government memorandum" President Barack Obama released on his first day in office, insisting that government should be transparent, participatory, and collaborative. Naturally, the so-called Web 2.0 is a big part of this idealistic vision of a goldfish-bowl government. The government's OpenID embrace was announced this morning at a Washington, DC conference dubbed the Gov 2.0 Summit.
The idea is to get people interacting with blogs, surveys, social networks, and videocasts hosted on government sites. Traditionally, the US government is highly allergic to such tools, but Obama and crew are attempting to change that.
After winning election, Obama equipped his official transition site, Change.gov, for OpenID logins, letting users post comments without establishing fresh user names and passwords. This and the government's new pilot program actually go beyond many of the big-name OpenID supporters, which host OpenID credentials but don't allow logins from users who host their credentials elsewhere.
Obama's pilot sites will begin accepting OpenID and Information Card logins in the next several weeks. ®
I get the feeling there are some misunderstandings about OpenID.
First of all, your OpenID password is only known at the OpenID provider you yourself choose. In my case, I set up my own, on my own server, in my own house (just a simple little PHP script). I consider this to be a pro, since, in this case, the government does not know my password.
Second, nothing stops you from using multiple OpenIDs for different purposes. For example, one for fun, one for work-related stuff, one for government-related stuff and one for banking. There is no correlation between these IDs if you don't want it.
Third, for the government, you already have a single ID: your social security number. And it's already linked to different things, like an address, a bank account, a job, etc. So with an OpenID you just have another ID linked to this. The benefit to this is that your social security number can stay private and is not needed to log in. Instead you use an OpenID, which can only be used with strong security (e.g. a password you choose on a secure server).
Talk about transparency
So now, whenever there is a security lapse at the Center for Information Technology (CIT), the National Institutes of Health (NIH), the US Department of Health and Human Services (HHS), and related agencies, or at Yahoo!, PayPal, Google, AOL, and VeriSign, or at any other OpenID- or InfoCard-based site, my highly-sensitive government-hosted information will be at risk? Woohoo! I think they may be taking "transparency" a bit too far.
No, I want my authentication to a government site to be used ONLY for that ONE site, not other government sites, and no non-government sites. And I want that site to accept NO OTHER authentication. Actually, that's how I want authentication to ANY site. It may be more inconvenient, but it's certainly more secure.
Fuck, why not just go all out and use our Social Security Number as username and birth date as password? Logins are used to SECURE the service. When you allow authentication credentials shared with other systems, you've just eliminated the security.
I have always maintained separate credentials for talking to government websites because I don't trust them enough to not take the opportunity at some stage to go fishing around my other on-line activities. Of course, they've probably already acquired my existing logins through a bit of net snooping, but why make it too easy for them?