NOTICE: This OIXnet FAQ is designed to assist in understanding the concept and operation of the OIXnet Registry.
There are other proposed or operational registries relating to identity systems. Most such registries provide limited types of registration with respect to a particular identity system. OIXnet is, in essence, a registry of registries. It aims to provide, in one central location, an authoritative compilation of information regarding multiple registrations, so as to provide a one-stop shop.
OIXnet is designed to provide a neutral, public place where trust framework providers (TFPs) and Communities of Interest (COIs) post their business, legal and technical policies and requirements relative to utilization of various means of asserting identity online. The initial example of this is the OpenID Foundation registering member OpenID Connect certifications at OIXnet.
The IDESG self-attestation listing is just that: a listing of entities that assert that their policies and/or practices align with, or intend to align with, the goals of the organization.
The OIXnet registry is multi-tenant and technology and policy agnostic; it offers no comment or judgment on TFPs'/COIs' requirements of registrants. As we understand it, the IDESG registry will operate exclusively to register compliance with the Identity Ecosystem Steering Group Trust Framework’s requirements.
OIXnet is in service to advancing online identity assertions; the IDESG listing is in service to enable entities to claim support for IDESG’s goals.
Yes. OIXnet would not, however, be listed on the IDESG registry. This is because OIXnet does not itself organize or operate a trust framework or any other online identity system, and so could not be said to be aligned with or supportive of the goals of the IDESG.
The OIXnet Registry will continue to evolve and develop over time. At present, the following documents and items of information are authorized for registration on OIXnet:
- Identity system trust frameworks (a.k.a. scheme rules or system rules)
- Self-certifications of compliance with an identity system standard, trust framework, or set of requirements
- Third-party certifications of compliance with an identity system standard, trust framework, or set of requirements
- Identity system white lists
Any established trust framework provider (TFP) or Community of Interest (COI) that has established participation guidelines and requirements may register authorized documents or identity information on OIXnet, provided that it meets the applicable requirements set by OIXnet for the type of document or information it seeks to register.
At this time, there are two (2) registration options available to TFPs/COIs:
Option #1: TFP/COI Only Registers Information at OIXnet
In this use-case, the TFP/COI registers their trust framework requirements, scheme rules, conformance requirements, etc. at OIXnet. This is referred to as “qualified material” in the OIXnet Terms of Service. The TFP/COI does not require participants to register in this use case. These TFPs/COIs view registration as a way of promoting their trusted identity system(s) while enabling interoperability.
Option #2: TFP/COI Requires Participant Registration
In this use-case, the TFP requires participating organizations to be certified and registered to participate in the trust framework. The TFP/COI registers these certifications at OIXnet on behalf of members/participants. This use-case is similar to the OpenID Connect self-certifications being registered at OIXnet.
OIX is currently piloting the OIXnet Registry. The pilot period is expected to last through 2016. OIX is working with member organizations, who, as early adopters, are helping fine-tune the registry operations, business requirements and fee models during the pilot period.
The OIX Board intends to authorize registration fees sufficient to cover the costs of operating OIXnet once the corresponding pilot phase is complete. The OIXnet Registry pilot is available to members in good standing and all fees are waived during the pilot period.
OIX will continue to update the OIXnet FAQ when it becomes available.
The OIXnet Terms of Service and TFP/COI-specific information will be submitted for registration on OIXnet.
In the OIXnet Terms of Service, there is “Registrant” and “Authorizing Party” enrollment information requested.
As outlined in Q&A #16 above, there are currently two registration options available to TFPs/COIs. In Option #1, whereby the TFP/COI registers on behalf of participants, the TFP/COI is the “registrant” and the participating organization is the “authorizing party”. The participating organization is authorizing the TFP/COI to register on their behalf. In Option #2, whereby the TFP/COI is only registering information at OIXnet, the TFP/COI is the “registrant” and only provides that information. In this scenario, there is no “authorizing party”.
The capability for registrants to update their information is planned.
It is anticipated that most registrations will not expire. In some cases where it makes business sense, some registrations may have registration-specific terms. All registrations will include the date of registration.
Once a registration is accepted by OIX, it will be made public by posting on the OIXnet Registry, a publicly available website. People may view content posted on the Registry at no charge.
The OIXnet Registry is available via a publicly accessible website at http://oixnet.org.
Initially the OIXnet registry will be human-readable-only. We are planning for a machine-readable service in the future.
The OIXnet registry will initially provide an index. As it evolves, it will incorporate additional functionality such as look-up and search. Of course, the contents of the OIXnet Registry are also searchable via search engines.
OIXnet is a registry. It is an official online and publicly-accessible repository of documents and information relating to identity systems and identity system participants. Referred to as a “registry”, it functions as an official and centralized source of such documents and information, much like a government-operated recorder of deeds. That is, individuals and entities can register documents and information with the OIXnet Registry to provide notice of their contents to the public, and members of the public seeking access to such documents or information can go to that single authoritative location to find them.
The OIXnet registry is designed to provide a single comprehensive and authoritative location where documents and information relating to a specific purpose (in this case, identity systems) can be safely stored for the purpose of putting others on notice of certain facts, and from which such documents and information can be accessed by interested stakeholders seeking such information.
Registration is the process by which a document or information is officially filed and recorded with a registry (such as the OIXnet Registry), and thereby made accessible by the operator of the registry for review by other interested stakeholders.
Through registration, entities can provide notice to the world of certain facts or information, and publish such information through a single recognized source. It allows participants and users of identity systems to post relevant documents and information about the operation of their systems, their capabilities, and/or their performance, and provides other interested parties with centralized access to that information for purposes of using and relying on such systems and/or participants.
Certification is a process by which someone reviews, tests, assesses, and validates that a particular product or service conforms to a particular standard or set of requirements, and then issues a certification document attesting to the fact of such conformance. Certification can be done by the entity that owns the particular product or service being certified (self-certification), or can be done by a specially accredited and trustworthy third party (third-party certification).
Registration, on the other hand, is simply a public recording of a document or information. Such a recording can include a certification or self-certification document.
The value of OIXnet can be summed up in three points:
Disclosure: OIXnet provides the visibility, transparency and understandability needed to enable trust among identity system participants.
Discovery: OIXnet provides a neutral, authoritative registry of trust information to enable interoperability of identity systems and participants.
Centralized: OIXnet provides a single authoritative source of trust-related information across multiple identity systems and multiple participants. It functions as a one-stop-shop that is increasingly being recognized as an authoritative source of cross-system trust information.
OIXnet is the first registry developed by global leaders across industry sectors to enable online transactions at higher volumes, velocity and variety. The registry provides Trust Framework Providers (TFPs) and Communities of Interest (COIs) a platform to develop trust through transparency and enable increased adoption through exposure. The OIXnet registry offers identity system participants an opportunity to share trust-related information about their respective systems and deployments to encourage global interoperability.
A trust framework is an enforceable set of business, legal and technical rules and interoperability requirements governing a multiparty system.
“Who do I trust?” It’s a question we ask ourselves regularly in business and in our personal lives. OIXnet helps answer this question in relation to trusted identity systems by enhancing transparency between and among identity systems and participants while promoting accountability. How? The OIXnet registry amplifies the TFP/COI requirements by publishing and making publicly available a participating organization’s attestation that they are in compliance with the requirements as set forth by the TFP/COI in which they participate. This transparency and access builds trust and reduces risk.
The OIXnet Registry is operated by the Open Identity Exchange, a non-profit 501(c)(6) corporation. Further information is available on its website at: www.openidentityexchange.org.
OIX is taking a prudent and measured approach in rolling out the OIXnet Registry.
We started with the OpenID Connect self-certification pilot whereby the OpenID Foundation is registering self-certifications at OIXnet. These registrations are published at http://oixnet.org/openid-certifications/. The OpenID Foundation rolled out its self-certification program in phases and started registering early adopters in April 2015 that include ForgeRock, Google, Microsoft, Nomura Research Institute, PayPal, and Ping Identity.
The OIXnet Registry is currently a pilot registering new and diverse trust frameworks and communities of interest. The plan is to continue the momentum of new pilot registrations at OIXnet in 2017 and then to make the registry and pricing available to all potential registrants later in the year.