Identity Ecosystem? Inside Uncle Sam's "trusted identity" plan
As we reported, on Friday the United States Department of Commerce and a host of privacy and security experts met at Stanford University to discuss the mapping out of an "Identity Ecosystem" for cyberspace.
That would be a place, Commerce Secretary Gary Locke explained at the event, "where individuals and organizations can complete online transactions with greater confidence... putting greater trust in the online identities of each other... and greater trust in the infrastructure that the transactions run across."
We know what you're thinking. Locke knows it too.
"Let's be clear," he quickly added. "We are not talking about a national ID card. We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."
Indeed, no national ID card is being proposed. But judging from the draft blueprint of this concept that the Department of Homeland Security released last year, we are talking about a centralization of various forms of verification.
"This Strategy defines an Identity Ecosystem where one entity vets and establishes identities and another entity accepts them," the DHS' "National Strategy for Trusted Identities in Cyberspace," explains, leading to "an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities."
The document laments that today's online environment is not "user-centric." Consumers enjoy "little control over their own personal information," and have "limited ability to utilize a single digital identity across multiple applications."
And while the system wouldn't rely on the government to be the sole provider of identities, Uncle Sam would play a crucial role in overseeing this process. Clearly, he already is.
A hospital stay
Probably the best way to illustrate the central goal of the draft National Strategy is to consider its outline of an ideal cybersecurity transaction. A woman wants medical data from a hospital where her husband has received care, the report explains. Specifically she wants to access blood test results via the hospital's website.
The hospital requires all such requests to be validated by a "strong credential" and patient approval for the data release. The woman can provide the credential via her cell phone because she and the hospital are using a "trustmark" issued by the "Ecosystem Framework."
So the consumer navigates to the hospital portal. The site authenticates itself to her device, assuring her that she isn't sending any data to a scammer. She's safe in this instance because her cell phone provider has issued a "Public Key Infrastructure" certificate, which is stored on her mobile via a "Trusted Platform Module" and verifies her identity.
Confident that the transaction is secure, the woman plugs her mobile into a computer via a USB cable. The hospital validates her credential, identity, and cell phone, checks that her husband has approved the release of the blood work, and lets her view the results.
The ecosystem's players
So there you have it: a broad, cross-platform proposal that clearly gets wireless ISPs heavily involved in creating and validating identities. The draft National Strategy outlines various key players and things in the Ecosystem.
The Individual—to be issued digital identities to complete transactions.
The Non-Person Entity (NPE)—such as organizations and services who would require authentication.
The Identity Provider—who is responsible for the processes involved in enrolling subjects (individuals and NPEs) in the system.
The Attribute Provider—who oversees the processes involved in creating, validating, and keeping up the attributes associated with identities, such as age.
The Relying Party—who makes transaction decisions based on the receipt of a subject's credentials.
The Trustmark—some kind of image, logo, badge, or seal that authenticates participation in the Identity Ecosystem. "To maintain trustmark integrity," the report explains, "the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity."
And finally, the Governance Authority, which oversees and maintains the Ecosystem Framework.
Getting there
The government sees itself bringing this ecosystem into existence via a series of stages—quite a few of them, in fact. First, Washington will designate a Federal agency to do the work, which seems to be the Department of Commerce right now.
Second, the agency will coordinate initial private sector support for the plan. Third, the government will create pilot Ecosystem programs involving Federal service providers.
Fourth, the test departments will integrate their own statutorily required Fair Information Practice Principles (yes, FIPPs) into the project. These FIPPs require agencies to be clear and transparent about how they use public data. The government wants to expand the concept to the private sector as well.
Fifth, participants will build privacy and interoperability standards into the process (maybe this phase should come earlier?).
In stage number six, the project will address the "liability concerns of service providers and individuals." It looks as though the project will create rules for the system that allow for the fixing of security breaches without everyone suing each other's brains out, perhaps something like the Digital Millennium Copyright Act's safe harbor provisions. The last three stages involve promoting and improving the Ecosystem, including offering loans, tax breaks, and insurance grants for early adopters.
What's next
Obviously this is not the last version of this plan, which received quite a bit of feedback following its release in late June. But it offers a pretty good idea of where the government is headed.
The final version of the strategy "will be signed by the president in the coming months," Locke promised the Stanford crowd.
"We know that you understand the basic equation: the greater the trust, the more often people will rely on the Internet for more sophisticated applications and services," his comments concluded. "We look forward to working with you to build that trust."
No comments:
Post a Comment