Looking to develop some common sense rules that would better allow one authentication system to trust another, a group of companies, including a number of leading security providers, have banded together to create the Electronic Authentication Partnership (EAP).
The EAP was first announced in December 2003 by Karen Evans, administrator of the Office of Electronic Government and IT within the U.S. Office of Management and Budget. According to an EAP spokesperson, “it is designed to promote interoperability without the need for participants to bilaterally negotiate trust with every other participant.”
“Last spring there were two different studies coming to the same conclusion … the problem isn’t technology, it’s coming up with rules,” said EAP’s acting chair James Lewis, who is with the Center for Strategic and International Studies, a Washington, D.C. research firm. It was the Center that first got the ball rolling last year by hosting a series of meetings with authentication experts from the private sector and government (in cooperation with the Federal e-authentication effort).
Mr. Lewis said there was also agreement that these rules or standards should not be developed by the government, but by a public-private partnership, which led to the creation of EAP.
“We sent out a letter of intent and we got about a hundred replies,” he said. “Microsoft Passport, PingID, GSA (the U.S. Government Services Administration) and Liberty/Sun have signed letters of intent saying they will join. RSA and Verisign have said they will join. Identrus and IBM have participated and eBay has said it will participate.”
He said companies now have to bilaterally negotiate trust with every other participant, and before EAP, there was no coordination aimed at achieving interoperability between private and government systems. Also, according to EAP, with the blurring between private and government systems, a shared effort among government agencies and commercial enterprises is key to resolving these issues.
“We had already come to the conclusion that there won’t be one all encompassing authentication system,” said Mr. Lewis. “There are many people issuing credentials, so we’re just trying to come up with rules that say, ‘how does one domain manager trust the credentials from another domain?’ “
He quoted the example of credit cards being accepted by many different banks.
“A lot of problems we have had came from people saying that the easy fix was for everyone to use ‘my proprietary system,’ ” he said. Obviously, competing proprietary systems are not the correct path. “(But) we don’t want the government getting into the credential business. It’s cheaper to rely on private vendors.”
According to EAP, it hopes to “foster the interoperability of authentication systems” by:
Drafting rules for credentials and authentication systems for different assurance levels that would provide a set of criteria for evaluating credentials at each assurance level.
Developing a means to assess credentials and systems against the standard set of criteria and convey that assessment to relying parties.
Drafting ‘rules of engagement’ for relying parties that will allow them to use third party credentials. These rules would replace bilateral agreements.
Creating rules for validating credentials and defining how this validation will be handled.
“We hope to have something everyone can look at by the end of the year,” said Mr. Lewis, noting that he expects a rough outline will be completed by early September. “We’re not trying to reinvent the wheel, we’re trying to build bridges between services that already exist.”
“We’re trying to be inclusive. We’re not trying to compete with anyone,” he added. “We’re building the highway to link up the various ID systems … the circles of trust. What we’re doing complements their work. Ninety percent of doing federated authentication has already been done. We’re just supplying the glue. It’s not a technology focus. We won’t be inventing new technology.”
Currently the partnership’s contact person is Helena Sims, senior director for Public/Private Partnerships with the automated clearinghouse organization, NACHA–the Electronic Payments Association. She can be reached at [email protected] Further information on EAP is available at its web site, http://www.eapartnership.org.
According to EAP, there is currently no fee for participating in the partnership, but it is anticipated that membership dues will be levied in the future.
Current member companies include:
A&N Associates, Inc.
American Association of Motor Vehicles Administrators (AAMVA)
Experian Fraud Solutions
General Services Administration (US Government)
Parkweb Associates, LLC
Postsecondary Electronic Standards Council (PESC)
Sagem Morpho, Inc.
Visit the EAP on the web