Over the past few years, friends and associates in the user-centric ID / Personal Cloud / VRM communities, and other people who care about the future of people's identities online, have said to me, literally: "Well, it's good you are paying attention to NSTIC so I don't have to."
I'm writing to say the time for that choice is over. There is about one more year left in the process until the "outputs" become government policy under the recently released White House Cybersecurity Framework (see below for the specifics).
Key items of work are progressing, and the time for "our" world view to show up within that work is now. My ability to get these concerns taken seriously is ZERO if I continue to be an almost lone voice expressing them. In particular:
The Functional Model Group is working on defining all the "bits" of the system. I believe this is where the "personal cloud" should appear as a key primary function/piece of the ecosystem. So far it has not been raised in a significant way, nor addressed by the powers that be leading the committee.
The Trust Framework work is progressing rapidly. This is the work to take what they call existing Trust Frameworks (which I think should be called Accountability Frameworks), that is, the existing rules/policies and technologies for various networks, harmonize them all, and then somehow arrive through that at a kind of meta/uber trust framework and interoperability.
The big challenge that I see is that it is all coming from existing frames, and the existing frames within the conversation do NOT have a remotely "user-centric" frame.
- I don’t hear any conversation about how individuals will be protected from their “Identity Provider” (the entity that has “all” their identity information and vouches for them at a Relying Party).
- I don’t hear any conversation about how people will be protected from overzealous relying parties asking for way too much information.
- I don’t hear any conversation about how individuals will be protected from IdPs and RPs being able to sell their data into the data broker industry.
- I don’t hear any conversation about how people could collect their own attributes and information in a Personal Cloud and from that center of personal sovereignty use it in the ecosystem.
I do see:
- Assertions that Relying Parties can ask for whatever they want / think they need to complete a transaction and that “the market will decide”
- Assertions that concerns about people’s rights around how they choose to name and identify themselves should be set aside for future iterations.
- I do see that one of the pilots in the last round of multi-million-dollar grants went to a defense industry consortium specifically for “development of an open source, technology-neutral Trust Framework Development Guidance document”
So what should you DO?
1) Sign up to attend the April 1-3 Plenary in Mountain View (bonus: you don’t have to attend in person). Link Here.
2) Sign up to watch and contribute to the Trust Framework and Functional Model Groups – please see this post OR any of a number of groups with activity.
3) Sign up to join the IDESG organization (that way you can be “official members” of the committees and “vote” on things). See this Post.
4) Let me know you are keen on getting more involved and I can help connect you with others also “diving in” right now [ kaliya AT identitywoman DOT net].
5) Bonus – Attend the Internet Identity Workshop in Mountain View May 6-8 and work with others in the user-centric community on this and other more fun issues (like building cool decentralized, empowering technologies).
This is what I referenced above about it becoming government policy and practice.
As the White House announcement details below, today marked the release of the Cybersecurity Framework crafted by NIST – with input from many stakeholders – in response to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity issued one year ago.
NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework. The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.
The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.
NSTIC is focused on consumer use cases, but the standards and policies that emerge from the privately-led Identity Ecosystem Steering Group (IDESG) established to support the NSTIC – as well as new authentication solutions that emerge from NSTIC pilots – can inform advances in authentication for critical infrastructure as well.
NSTIC will focus on these areas:
· Continue to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;
· Support and participate in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots.
This is a worthwhile call to action, but I take issue with a couple of the sub-points:
Protection from one’s identity provider: It is well recognized that users need to have a trust relationship with their identity provider; that’s the reason that the NSTIC Strategy emphasizes the importance of allowing the user to choose their identity provider(s). Identity providers are essential to achieving some of the privacy goals of NSTIC (e.g., ability to assert trusted attributes anonymously), and since the identity provider is able to assert an identifier that represents the user to a relying party, the user needs to trust the IdP for that purpose anyway.
But the Identity Provider doesn’t have “all” their identity information, at least not on a persistent basis. Attribute providers contain the bulk of this information, and since they need to be authoritative for the information provided (e.g., one’s employer is authoritative for an assertion that the user is an employee), the user has less ability to choose attribute providers they trust. For this reason, the user does need some protection from attribute providers, and I am less pleased with flows that show the attribute provider communicating directly with the relying party, and not through an intermediary (such as the IdP).
Overzealous relying parties: In principle, this is handled by allowing the user to choose what is released. But we have already seen applications that ask for more than they should: apps that insist that they be able to tweet on your behalf, for example. It comes down to whether users are willing to forego some benefit (say, use of an app) because it asks for too much, and typically they don’t. But this is a real-world problem and not limited to the identity ecosystem.
Sale of data by RPs: We do need better terms of use assertion and enforcement for attributes. We also probably need better penalties than the Federal Trade Commission is currently empowered to levy. But again, IdPs should be representing their users, and if they’re doing this, users need to “vote with their feet” (which means that there needs to be a way to switch IdPs without starting over) as well as possibly lose accreditation from the Identity Ecosystem.
Personal cloud: My vision of one of the functions of an IdP is to be a referral service to trustable attribute providers. This should include personal cloud providers, probably as first preference, except in cases where there is a need for an assertion from a particular place. The personal cloud providers, of course, will need to be accredited as do the IdPs, other attribute providers, and to a somewhat lesser extent, relying parties.
See you at the Plenary!