The following paragraphs list several authentication projects that currently exist. This list is based on input from Authentication Work Group members and is not comprehensive.
- Electronic Authentication Partnership (EAP)
Building off the work of the E-Authentication Federation (see below) and other authentication federations, EAP has developed as a "multi-industry partnership working on the vital task of enabling interoperability for electronic authentication among public and private sector organizations." It is, in effect, a federation of federations. This group is creating a framework for accrediting and compliance testing of participating Credential Service Providers (CSPs) and Relying Parties (RPs). EAP also addresses the issue of liability.
See: http://eapartnership.org/
See Trust Framework web site: http://www.eapartnership.org/docs/Trust_Framework_010605_final.pdf
- E-Authentication Federation
The E-Authentication E-Government Initiative is one of the President's 24 cross-agency E-Government Initiatives. Its mission is to put in place the necessary infrastructure to support common, unified processes and systems for government-wide use. E-Authentication recently launched the E-Authentication Federation (EAF), "a public-private partnership that enables citizens, businesses, and government employees to access online government services using log-in IDs issued by trusted third parties, both within and outside the government." Currently 13 different agency web applications are using the service. EAF has focused on the creation of policies, systems, and relationships that reuse existing credentials to meet the needs of relying parties, most of them in the federal government. EAF has created a framework by which a variety of Credential Service Providers – currently including federal, state, and private sector organizations – issue credentials to be trusted by Relying Parties in the federal government.
(Quotations taken from E-Authentication web site: http://www.cio.gov/eauthentication/)
Privacy: http://www.cio.gov/eauthentication/documents/EAprivacy.htm
E-Authentication Guidance for Federal Agencies (M-04-04): http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
NIST 800-63: E-Authentication Technical Guidelines: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
NIST 800-53: Recommended Security Controls for Federal Information Systems: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
- Liberty Alliance Project
In 2001, a consortium of 30 organizations formed the Liberty Alliance Project. The project's stated mission is: "to establish an open standard for federated network identity through open technical specifications." Over the past few years, they have published an "open framework for deploying and managing a variety of identity-enabled Web Services." Liberty Alliance is currently working on a framework for "deploying and managing interoperable strong authentication."
Liberty Alliance is a standards group. It is represented on the EAP and is involved with the other efforts either directly or through its members and the products and services they provide.
(Quotations taken from Liberty Alliance Project web site: http://www.projectliberty.org/)
- eC3
eC3 is an alliance of state and local governmental associations. Their mission is to advance the use of electronic commerce by governmental organizations. As part of this mission, they have published several white papers concerning identity management.
See: http://www.ec3.org/index.htm
- SAFE-Biopharma Association
This identity management organization maintains and enforces the SAFE framework, which permits bio-pharmaceutical companies to digitally sign business-to-business and business-to-regulator transactions.
SAFE is a successfully operating federation which has solved a number of important cross-boundary issues including those of private-public sector and international boundaries. Based in the health industry, it is familiar with health issues and familiar to current industry participants. Representatives of SAFE participate in EAP.
See: http://www.safe-biopharma.org/
- HSPD-12 / FIPS 201 / PIV
On August 17, 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12). This directive called for a common identification standard for all federal employees and contractors. Given this directive, the National Institute of Standards and Technology developed the Federal Information Processing Standards Publication 201 (FIPS 201), entitled Personal Identity Verification of Federal Employees and Contractors (PIV). This project will provide credentials to 10 to 12 million people at a relatively high level of verification and authentication and could be rolled out to many others through various extensions.
See: http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
See Personal Identity Verification web site: http://csrc.nist.gov/piv-program/index.html
- Real ID Act
The Real ID Act was passed in 2005 by Congress. The Act is intended to deter terrorism. Among other things, the law states that after May 11, 2008, no Federal agency may accept, for official purposes, a state driver's license as proof of identity unless that state's driver's license meets certain requirements defined by the Real ID Act. There is a debate as to whether the Act creates a national ID. The debate aside, unless the law is repealed, it will likely have a significant impact on how individuals in America manage their identities.
Real ID requires issuance of a machine-readable credential based upon enhanced identity verification as well as improved security practice and technology. There will likely be many different ways to use the Real ID credentials as functions are built to extend the systems or use of the credentials and as States and/or the Federal Government extend the infrastructure. It is possible that one or more States could choose to issue further electronic credentials, PINs, passwords, PKI certificates, etc., in conjunction with Real ID and/or join EAF or EAP to provide a channel for citizens to use the credentials across a broader range of our society.
- Shibboleth
According to its web site, Shibboleth is "standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries." As part of the Internet2 project, Shibboleth "is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community." The Shibboleth federation approach is being widely adopted in this country by educational institutions and internationally by government and private sector organizations. It is working to align its policies and practices to allow interoperability with EAF, EAP and others. Examples of initiatives that have adopted Shibboleth technology include: InCommon, EduCause, and LionShare. InCommon has set up InQueue as a learning environment for participating organizations.
See: http://shibboleth.internet2.edu/
Bylaws: http://www.incommonfederation.org/docs/policies/InC_SCbylaws.html
Participant Operational Practices: http://www.incommonfederation.org/docs/policies/incommonpop.html
Federation Operating Practices and Procedures: http://www.incommonfederation.org/docs/policies/incommonfopp.html
- Trust Service (WebTrust/SysTrust)
The American Institute of Certified Public Accountants initiated the WebTrust/SysTrust project. The AICPA's Trust Services are defined as "a set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria) to address the risks and opportunities of IT." Essentially, the project enables CPAs to offer a new service to clients: evaluating web sites that involve data transmission (e.g., personal information such as credit card numbers, birth date, health information, etc.). Web sites that meet the WebTrust/SysTrust requirements can post a "seal of approval" logo on their web sites.
See: http://www.webtrust.org/
- JA-SIG Central Authentication Service (CAS)
CAS is a single sign-on service offered by JA-SIG (Java Architectures). It is an open protocol that appears to be used primarily by the academic community. (It was originally created at Yale University.)
See: http://www.ja-sig.org/products/cas/
- OATH
As described on its web site, OATH is "an industry-wide collaboration to develop an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication." Its vision is to provide "a reference architecture for universal strong authentication across all users and all devices over all networks."
See: http://www.openauthentication.org/
- American Health Information Community (AHIC) Confidentiality, Privacy & Security Work Group
The American Health Information Community (AHIC), a health IT advisory panel of the U.S. Department of Health and Human Services, in May 2006 established a cross-cutting work group on confidentiality, privacy and security. The Work Group's charge is to "make actionable confidentiality, privacy, and security recommendations to the Community on specific policies that best balance the needs between appropriate information protection and access to support, and accelerate the implementation of the consumer empowerment, chronic care, and electronic health record related breakthroughs."
See: http://www.hhs.gov/healthit/ahic/confidentiality
- Healthcare Information Technology Standards Panel (HITSP)
HITSP will assist in the development of the U.S. Nationwide Health Information Network (NHIN) by selecting standards and publishing specifications to support use cases developed by AHIC and the Office of the National Coordinator for Health Information Technology (ONC). The Panel is sponsored by the American National Standards Institute (ANSI) in cooperation with strategic partners such as the Healthcare Information and Management Systems Society (HIMSS), the Advanced Technology Institute (ATI), and Booz Allen Hamilton.
See: http://www.hitsp.org
- Center for Democracy and Technology (CDT)
In March 2007, the Center for Democracy and Technology released draft principles for identity in the Digital Age.
See: http://www.cdt.org/security/20070327idprinciples.pdf
- PCI Security Standards Council
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The PCI Security Standards Council's mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
See: https://www.pcisecuritystandards.org/
- Information Technology Association of America (ITAA)
ITAA provides global public policy, business networking, and national leadership to promote the continued rapid growth of the IT industry. The Association represents over 325 information technology companies. ITAA has an Identity Management Committee that was created to provide a forum for industry to work with federal, state, and global governments to develop best practices for the authentication and verification of identity, as well as to promote the use of technology to increase the security of our credentialing and access systems. Members include companies producing driver's licenses, national identity credentials, and other identity cards; managing federal, state, and local smart card and identity credentialing programs; providing biometric devices, radio frequency identification technologies, and middleware solutions; as well as performing background checks and other identity proofing services.
See: http://www.itaa.org