Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governance Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.
This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.
The 2nd draft is posted on a DHS IdeaScale installation. There will be three weeks (until July 19th) for public comments.
The document is 40 pages long and you can download it here. This is where citability.org would have come in handy for making comments, because commenting in a threaded discussion on IdeaScale about the whole document will not be easy.
We will be hosting the Internet Identity Workshop in DC Sept 9-10 (Thursday-Friday) following Gov 2.0 Summit. See the announcement on the IIW site.
The White House post talks about the Identity Ecosystem. The document uses this phrase extensively.
I am reading it now and comments will follow here over the hour.
The subtitle is good – Creating Options for Enhanced Online Security and Privacy
Executive Summary Quotes and commentary:
In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.
One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities.
This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions. The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity. The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques. Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.
Another pillar of the Identity Ecosystem is interoperability. The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants. Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types. The Identity Ecosystem does not rely on the government to be the sole identity provider. Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity Ecosystem.
User-centricity will allow individuals to select the interoperable credential appropriate for the transaction.
- Develop a comprehensive Identity Ecosystem Framework
- Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
- Enhance confidence and willingness to participate in the Identity Ecosystem
- Ensure the long-term success of the Identity Ecosystem
- Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
- Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
- Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
- Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
- Coordinate the Development and Refinement of Risk Models and Interoperability Standards
- Address the Liability Concerns of Service Providers and Individuals
- Perform Outreach and Awareness Across all Stakeholders
- Continue Collaborating in International Efforts
Introduction Quotes and Commentary:
They paint a rosy picture of the future saying this about what it will be like:
They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online. They have access to a wider array of online services to save time and effort.
In this user centric world, organizations efficiently conduct business online by trusting the identity proofing and credentials provided by other entities as well as the computing environment in which the transactions occur.
The No2ID folks are not going to like the “envision” box on the first page…
Envision It!
An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:
- Anonymously posting blog entries,
- Logging onto Internet email services using a pseudonym,
- Credit card purchases,
- Online banking,
- Accessing electronic health care records,
- Securely accessing her personal laptop computer.
To be clear, the user-centric identity community has not been focused on government-issued credentials or IDs – it has always been mostly about how people have aspects of their identities self-asserted and then validated by third parties, likely in the commercial sector not government.
The issue around identity theft is well articulated: the underlying data systems are poorly architected, and change needs to happen at that level to solve the problem, not by paying your bank or other entities “identity theft prevention or protection fees”.
Criminals and other adversaries often exploit weak identity solutions for individuals, websites, email, and the infrastructure that the Internet utilizes. The poor identification, authentication, and authorization practices associated with these identity solutions are the focus of this Strategy.
Further, the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications. Individuals also face the increasing complexity and inconvenience associated with managing the large number of user accounts, passwords, and other identity credentials required to conduct services online with disparate organizations. The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise. For example, personal data used to recover lost passwords (e.g., mother’s maiden name, the name of your first pet, etc.) is often publicly available.
[T]he Strategy does not advocate for the establishment of a national identification card. Instead, the Strategy seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions. Individuals should have the choice of obtaining identity credentials from either public or private sector identity providers, and they should be able to use these credentials for transactions requiring different levels of assurance across different sectors (e.g., health care, financial, and social transactions).
What are the essential characteristics of solutions that support Trusted Identities in Cyberspace?
- Technical Interoperability – The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.
- Semantic Interoperability – The ability of each end-point to communicate data and have the receiving party understand the message in the sense intended by the sending party.
- Policy Interoperability – Common business policies and processes (e.g., identity proofing and vetting) related to the transmission, receipt, and acceptance of data between systems, which a legal framework supports.
Identity Ecosystem will encourage identity solutions to utilize non-proprietary standards to help ensure interoperability.
The identity solutions identified in the vision are primarily associated with identification (establishing unique digital identities) and authentication (associating an individual with a unique identity) technologies and processes. Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.
- Individuals and organizations choose the providers they use and the way they conduct transactions securely.
- Participants can trust one another and have confidence that their transactions are secure.
- Individuals can conduct transactions online with multiple organizations without sacrificing privacy.
- Identity solutions are simple for individuals to use and efficient for providers.
- Identity solutions are scalable and evolve over time.
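The two document passages quoted above, the executive summary's "provide age without releasing birth date, name, address, or other identifying data" and the introduction's split between identification, authentication and authorization, describe one mechanism from two angles: an identity provider that holds proofed data derives a single attribute from it, signs an assertion bound to one relying party, and the relying party authenticates that assertion and makes its authorization decision on the attribute alone. The following is an added example written for this post, not code from NSTIC or from any vendor; the Ed25519 signature, the HMAC-derived pairwise pseudonym, the JSON claim layout, the five-minute expiry and the sample records are all assumptions, since the strategy specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Record is the full identity-proofed data the provider holds. None of it is
// sent to a relying party; only an attribute derived from it is.
type Record struct {
	Name      string
	Address   string
	BirthDate time.Time
}

// Claims is the minimal-disclosure assertion: a pairwise pseudonym, the
// intended relying party, an expiry and the one attribute that was requested.
type Claims struct {
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	Expires   int64  `json:"exp"`
	AgeOver18 bool   `json:"age_over_18"`
}

// Assertion is the signed payload that crosses the wire.
type Assertion struct {
	Payload   []byte
	Signature []byte
}

// Provider plays the identity/attribute provider role (assumed design).
type Provider struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	pairwise []byte            // secret used to derive per-relying-party pseudonyms
	records  map[string]Record // keyed by the provider's local account id
}

// NewProvider generates a signing key and loads a constructed sample record set.
func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pairwise := make([]byte, 32)
	if _, err := rand.Read(pairwise); err != nil {
		return nil, err
	}
	return &Provider{
		priv: priv, Pub: pub, pairwise: pairwise,
		records: map[string]Record{ // constructed sample data, not real people
			"alice": {Name: "Alice Example", Address: "1 Main St", BirthDate: time.Date(1985, 3, 14, 0, 0, 0, 0, time.UTC)},
			"bobby": {Name: "Bobby Example", Address: "2 Main St", BirthDate: time.Date(2001, 9, 30, 0, 0, 0, 0, time.UTC)},
		},
	}, nil
}

// Issue derives "over 18" from the birth date, binds the assertion to one
// relying party with a pairwise pseudonym and a short expiry, and signs it.
// Name, address and birth date never leave the provider.
func (p *Provider) Issue(account, audience string, now time.Time) (Assertion, error) {
	rec, ok := p.records[account]
	if !ok {
		return Assertion{}, errors.New("unknown account")
	}
	mac := hmac.New(sha256.New, p.pairwise)
	mac.Write([]byte(account + "|" + audience)) // different pseudonym per relying party
	c := Claims{
		Subject:   hex.EncodeToString(mac.Sum(nil)),
		Audience:  audience,
		Expires:   now.Add(5 * time.Minute).Unix(),
		AgeOver18: !rec.BirthDate.AddDate(18, 0, 0).After(now),
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Payload: payload, Signature: ed25519.Sign(p.priv, payload)}, nil
}

// Verify is the relying party side: authenticate the assertion (signature and
// audience), reject stale ones, and hand back the claims for authorization.
func Verify(pub ed25519.PublicKey, a Assertion, audience string, now time.Time) (Claims, error) {
	if !ed25519.Verify(pub, a.Payload, a.Signature) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(a.Payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Audience != audience {
		return Claims{}, errors.New("assertion issued for a different relying party")
	}
	if now.Unix() > c.Expires {
		return Claims{}, errors.New("assertion expired")
	}
	return c, nil
}

// AllowAgeRestricted is the authorization decision, taken on the validated attribute alone.
func AllowAgeRestricted(c Claims) bool { return c.AgeOver18 }

func main() {
	p, err := NewProvider()
	if err != nil {
		panic(err)
	}
	now := time.Date(2010, 7, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	a, _ := p.Issue("alice", "shop.example", now)
	fmt.Println(string(a.Payload)) // pseudonym, audience, expiry and age_over_18 only
	c, err := Verify(p.Pub, a, "shop.example", now)
	fmt.Println(err, AllowAgeRestricted(c))
}
```

The relying party learns exactly one fact, and the pseudonym changes per relying party so two sites cannot join their records on it; the audience and expiry checks are what stop an assertion obtained for one site from being replayed at another.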
Benefits are articulated for individuals, and the private sector.
I think that the biggest problem is that the technology for supporting a vibrant identity ecosystem doesn’t exist, so the USG will end up with something close to a “Real ID” (or nothing) anyway.
There is no reasonable way of getting a credential into a phone, for example. It is not even on the vendors’ roadmap.
Unfortunately the same situation has effectively killed all other user-centric identity efforts; we’re stuck with using Google, Facebook and MSLive as IdPs unless something is done on the client-side.