Nico Popp is a founding board member of the OIX.  He heads product development for VeriSign Trust Seal Services, now a Symantec business. Nico was Vice President of Product for VeriSign Authentication Services where he had responsibility for the Managed PKI and strong authentication product lines. At VeriSign, Nico introduced several new products, including VeriSign Identity Protection (VIP), VeriSign Fraud Detection Service (FDS), the Personal Identity Portal (PIP) and VeriSign Trust Seal.


OIX was launched in February, 2010.  Why did Symantec, initially as VeriSign (VeriSign’s Trust Seal Services group was later acquired by Symantec), decide to be a founding member?  

At VeriSign (now Symantec), we believe that many security and trust challenges faced today (cyber-security, enterprise shift to cloud services, consumer id theft, etc) require a shift towards stronger digital identities. These issues have a business, political and social dimension.

It seems like there may be a bit of a “chicken and egg” conundrum at play here?
Eggsactly! (laughs) and that requires the private and public sectors to come together to establish rules and catalyze deployment. A collaborative (federated) approach is much needed because sharing identity raises a complex mix of privacy, reliability and trust issues across all parties involved (consumers, relying parties and identity providers).

Interesting…how will OIX help address these issues?

OIX is the organization where different parties across verticals such as federal, Telco, healthcare, FIs, can come together to address these policy challenges through the creation of vertical trust frameworks. The immediate need is to tailor to each eco-system while providing a consistent approach that in the long run, will allow us to link all the identity networks together through infrastructure and policy interoperability.

So, how have things been going since the launch of OIX?

I think there has been very good progress overall. The rapid launch of the OIX ICAM trust framework has proven that the organization can work with the US government, move with a sense of pragmatism and make things happen.  The presence of PayPal and Google from the get-go as well as the recent addition of ATT is validation that the mission, goals and objectives resonate with those who understand what is at stake.

What are the one or two key things that you believe the OIX must do really well to be successful?

First, it is about execution – the OIX needs to deliver a robust ICAM LOA2 trust framework to the US government and OIX membership as a whole needs to continue moving in steps with the NSTIC initiative especially as it begins to take the form of initial pilots.

Second, the OIX needs to attract new members, not just Internet companies, but also MNOS, MSO, financial institutions, large healthcare companies and we need some international representation too.

Those goals sort of feed into each other, don’t they?

Right – good execution strengthens relationships and will attract new members. In turn, these new members will accelerate the work and our credibility create a “virtuous circle” and good things will start happening around OIX.

How will this ultimately benefit consumers like me?

For consumers, it is about convenience, control and protection. These values have always been at the heart of the “user-centric” movement for identity, privacy and trust. If OIX is successful and these new identity systems start flourishing, new types of transaction will become possible online, like eHealth, or eVoting. Our digital privacy will be in our own hands, rather than in those who believe that privacy is dead, and we will finally have access to simple and convenient mechanisms to protect our digital self online.

Symantec is certified to the OIX ICAM trust framework. Describe your experience with the certification process.

It was fairly simple and straightforward. We had already done all the technical work to upgrade the Personal Identity Portal to the ICAM profile. We also had all the technical documentation written already for internal consumption and due to our development process requirements. As I said, this was very easy. Of course, the real fun begins with LOA2 and we are looking forward to it.

You sit on the OIX board of directors.  What value do you see from serving in this capacity?

The opportunity is to be at the forefront of the new identity movement, to understand the technology and business shift and becoming part of the solution.

What about specifically for Symantec?

We come at it from a security angle and tend to believe that identity is about to become the most fundamental tenet of security. The world of Internet and IT security is a rapidly transforming world and interestingly, most of the big trends – virtualization, cloud, Consumerization and mobile – all point to a world where the traditional IT controls are rapidly evaporating. The user devices are no longer under IT management, the network is increasingly public, the applications are becoming SAAS so outsourced, and the data is increasingly stored outside the corporate network. So, roll the clock a few years forwards, and you quickly realize that the last control for IT governance and security is identity. In other words, identity security and identity management can only increase in its importance. So, taking a front seat to understand where Internet and cloud identity is heading is a must-have for us.

What do you find most interesting about the work of the OIX?

The scope of the problem that we are dealing with is big, central to everything and potentially transformational. We think that identity is going to be a fundamental part of the Internet fabric. The technology protocols (OpeID, PAUTH 2.0, SAML) are almost there and the user experience is also coming together thanks to folks like Google, Facebook and Yahoo!.

And on the security side?

We are also making significant progress with strong authentication. The technology will be baked in into our devices and aided by large identity fraud networks ala VISA. Therefore, the last walls are mostly economic, social and political. To me, OIX provides the necessary structure for the industry to collaboratively attack these walls, one trust framework at a time. Obviously, these are huge walls, but that is also makes our work within the OIX so worthwhile.

Why should a company operating within the identity industry ecosystem consider joining the OIX?

I would turn the question around. How can you afford not to participate if you are an FI, a Telco, a Cable Operator or a Healthcare company?   Everyone I talk to seems to be experiencing something similar. Identity management is becoming increasingly strategic. It may have begun as a personalization, SSO, or a security project. However, most of these companies now understand that identity is strategic to the future of their business.

So, identity management has to become a competitive advantage to these companies?

Rules of engagement are so fundamental to any of these businesses that it is hard to imagine that one would not want a seat at the table to shape these policies, or at a minimum, to have the opportunity to monitor.

What do you foresee for the future of identity trust frameworks and OIX?

In the short run, I hope that the OIX work gets accomplished in the context of a concrete deployment, maybe in healthcare, or within any major vertical industry. Too often in identity work is being done ahead of concrete deployment. As far as OIX, I hope it can provide a common structure that facilitates the development, deployment and reuse of identity trust policies on a global basis and in a technology agnostic way.

Anything else you would like to add?

I would want to re-iterate the “raison-d’etre” of OIX. The OIX is about enabling the industry to define and operationalize policies for sharing identities within a user-centric model. Policies are not only essential to establish a baseline for trust among consumers and service providers. Policies are needed to contain the liability problem that has plagued federated identity deployment. These are the types of issues that no single company can solve alone. In fact, governmental support may also be vital since the economic models for creating strong and shared identities are hardly viable until a critical mass of service providers and consumers is achieved.  In other words, for the OIX to succeed, the industry needs to come together to tackle these complex issues. So, I hope that many more will decide join OIX with the intent to make open identity systems the reality of tomorrow’s Internet.