Questions with Eric Sachs, Product Manager at Google Security and CIO Departments

Eric Sachs has more than 15 years of experience in the areas of user identity and security for hosted Web applications. During his five-plus years at Google, he has worked as a Product Manager for many services, including the Google Account login system, Google Apps for Your Domain, social network, Google Health, Google Security, and Internal Systems. Currently Eric works with Google’s CIO on an effort to move Google’s internal systems to cloud-based technologies by leveraging the same developer tools that Google makes available publicly. As part of that work, he is involved with the development of industry standards for data interoperability, including OAuth, OpenID, and OpenSocial. Before Google, Eric was CTO and co-founder of Interliant, which provided hosted corporate email services. While at Interliant, Eric led co-development projects with both IBM and Microsoft to build platforms for hosting consumer and enterprise Web applications. Eric graduated with a B.A. in computer science in 1993 from Rice University.

Tell us about the OIX Email Attributes Trust Framework project. Specifically, what business problem is it solving?

In September, Google announced use of OpenID for simplifying the process of verifying that a user owns a particular email message.  Google found that more people complete the email verification process when this simplified method is used instead of the more complicated, more common process of accessing an email account to click on a link to verify registration. We started with Yahoo, but hope to expand it to other email providers.

What does the project mean for the future of OpenID for email verification?

In developing this feature with Yahoo, we identified a checklist of features the IDP needs to support for it to work well.  We have posted a draft version of this checklist and are using the data from our launch with Yahoo to validate that checklist.  Once the checklist is stable, we hope that other email providers will certify themselves against it so that Google can use OpenID with their users, and so that other websites can similarly use OpenID to simplify the email verification process.

For Google, this use of OpenID for email verification is a major step towards using OpenID for logins.  Google is also continuing its research on how to support OpenID logins from identity providers like Yahoo.  As part of that research we are developing a similar checklist that we hope can be used to certify other IDPs that Google (and potentially other websites) can support for logins in the future.

What are the one or two key things that you believe the OIX must do to be successful?

OIX must continue to provide a flexible organization structure to connect auditors, companies that want to be audited against a certification profile, and companies or organizations that have defined a certification profile.  A large portion of that flexibility stems from OIX investments in legal frameworks and pricing models, and I expect OIX to continue to invest in those areas.

How will the OIX ultimately benefit consumers?

OIX will benefit consumers indirectly with improved end user experiences. OIX helps accelerate service integration of two or more companies – or organizations – to provide new or better user experiences. While end users probably will not see the OIX brand, they will hopefully find over time that the Internet becomes more secure, friendly, and powerful even as the use of passwords on the Internet is reduced, making it easier for their data to be shared between two websites.

Google was one of the first companies to be certified to the OIX ICAM trust framework. Describe your experience with the certification process.

Being one of the first, the hardest part was the lack of guidance on the different certification steps. Fortunately, the auditor we worked with was very helpful and proactive, and our experience and the OIX certification process now provide guidance to those who follow. To give other companies a better feel of what the process involves, and how to simplify it, Google posted a summary of our experience.

You sit on the OIX board of directors. What value do you see from serving in this capacity?

As board members we can influence the strategy, direction and policies of the OIX, which serves as a solution for Internet-scale identity assurance.

What do you find most interesting about the work of the OIX?

While the OIX is still relatively new, we have been pleasantly surprised by the level of interest from organizations that want to define additional trust frameworks for varying use cases. It will be exciting to see how the OIX is able to help accelerate some of the goals those organizations are pursuing, whether it is around login systems, authorship verification, or other use cases.

Why should a company operating within the identity industry ecosystem consider joining the OIX?

The most obvious reason to join would be if a company wants to be certified against a particular trust framework or to define a framework, or to certify audit companies against a framework.  However, OIX members also participate in working groups that help us evolve the OIX, so companies that are interested in the identity ecosystem and can provide key input on the future of OIX will see value in OIX membership.

What do you foresee for the future of identity trust frameworks and OIX?

Google is heavily focused on addressing the Internet password reuse problem, especially in cases where users log in with the email address of a Google-hosted mailbox. While there are promising ways to reduce this problem, such as OpenID, we believe that broad adoption of these mechanisms will need to involve trust frameworks and organizations like the OIX to help connect all the different players.