Government ID, Smart Cards, Identification and Authentication

NSTIC’s evolution and the identity community at work

Tuesday, January 11, 2011

The recent announcement by the Obama administration to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC) focuses a conversation on a critical topic. Digital identities are used by an increasing percentage of the United States’ and global population as part of our daily routines in conducting modern life.

Trusted identities are a fundamental requirement to do this. In much the same way that transportation systems, communications and electricity provide critical components of national infrastructure, economic development and the measure of the potential utility we have as individuals and as a society, so now, very importantly, does identity infrastructure.

The strategy recognizes that identity is a 21st-century utility, that it needs to be reliable and widely available, and that it is critical if the U.S. is to continue to play a role as world leader.


In this regard the strategy puts user control and choice at the center of its policy goals, along with a public-private partnership to accomplish them. To do this it looks to define an identity ecosystem.

While IDmachines may differ over the language, preferring use cases to define infrastructure and applications, it does believe that a process to understand the stakeholders matters. Last year's outreach gave those who desired a voice in the process an opportunity to contribute to the conversation via the draft of the strategy and a public online forum. These were proper steps to take in building the partnership envisioned.

As part of the process the White House has designated the Department of Commerce and identified the National Institute of Standards and Technology (NIST) as the governmental organization to lead the effort. This makes a lot of sense given existing NIST standards for identity verification and numerous other standards and special publications around computer and network security.

In doing so, NIST is expected to continue its track record of reaching out to industry and other organizations and to provide standards-based solutions and important guidance.

This is not new ground and there are a number of organizations and existing efforts that can be leveraged. It can look to work that was done last year by the European Commission Joint Research Centre Institute for Prospective Technological Studies and its document “The State of the Electronic Identity Market: Technology, Infrastructure, Services and Policies.” It’s one take on the identity ecosystem and a good one.

Perhaps because of their geographic reality the EU has to develop policy that takes into account the needs of federation. And while NSTIC doesn’t have to deal with federation among countries the underlying requirement for federation is a basis for trust and this is at the center of NSTIC—at least the middle of the acronym.

The report attempts to lay out the socio-economic impacts of identity. It points out that the market for electronic ID is immature and that work needs to be done to “build identification and authentication systems that people can live with, trust and use.” This is completely on target with what NSTIC is trying to accomplish.

Also in its preface the EU report points out the fact that identity is converted into credentials for access to services. This completely maps to the Federal CIO Council activities around Identity, Credential and Access Management (ICAM).

These efforts have built on the work done by NIST and FIPS 201, and they have led to a framework for interoperability called Personal Identity Verification Interoperability (PIV-I). This framework provides the basis for a high-assurance, multi-purpose identity credential and best practice for issuing these credentials, and it establishes a policy for certification of high-assurance identity providers to commerce and citizens.

PIV-I is becoming widely adopted by industry and supported by the vendor community. At lower assurance levels a complementary framework has also been established to foster the adoption and evolution of identity providers called out in the NSTIC vision and also referenced in the EU document.

In a very real sense there is an alignment among organizations pursuing these important goals. This has fostered a number of organizations where collaboration is taking place, including the Internet Engineering Task Force, Kantara Initiative, the Open Identity Exchange, the Smart Card Alliance, and the Security Industry Association, among others. All of the activities here are working to address the findings in the EU report, and all of these organizations either have already played or will play a role in the NSTIC.

NSTIC also needs to take into account the substantial body of work that has been created by dedicated individuals in the Internet Identity Workshops (IIW) and the effort to develop a Personal Data Ecosystem (PDE) definition. IIW represents a myriad of related and important identity activities. The user-centric views expressed by IIW in the Identity Commons can further inform both the EU and the NSTIC as it moves ahead.

NSTIC has the opportunity to tip the balance of the conversation and focus on identity toward socio-economic benefit, and away from what is often today a conversation about identity fraud and identity theft. In doing so, trusted identities can improve the delivery and lower the cost to the public of financial services, health care and e-commerce, and reduce the federal budget. It can provide jobs and economic stimulus. It improves security by fostering collaboration instead of building walls to keep out threats.

Investing in the identity infrastructure to support it should be a priority. Identity has to be done right and not just in the context of what’s required for the next public offering or multi-billion dollar business. The challenge and opportunity lie ahead.


Not convinced
January 13, 2011 3:42 AM

Quote of the above article: "And while NSTIC doesn’t have to deal with federation among countries the underlying requirement for federation is a basis for trust and this is at the center of NSTIC—at least the middle of the acronym."

Andrew McLaughlin, White House deputy chief technology officer for Internet policy, is clearly not convinced [1] that increasing the number of system-wide single points of failure with regard to management of identities could be defined as trustworthy. Quoting [1]:

-- These so-called certificate authorities sometimes erroneously or intentionally approve malicious websites. "We are looking at a multijurisdictional, multistakeholder problem for which there is no governmental solution," said McLaughlin, a former Google executive. "Because of the multijurisdictional and multistakeholder nature of the problem, government can't fix it and government shouldn't fix it," McLaughlin said. "You wouldn't want government to try to be your front line. We have a history of screwing things up."

This is exactly the type of federated system as described in the last draft NSTIC document...

[1] Sternstein, A. "Official says government is helpless against fake security certifications". News article, Next Gov, Oct. 2010. http://www.nextgov.com/nextgov/ng201010221367.php?oref=topnews
