Friday, the White House blog announced the creation of
"A National Program Office for Enhancing Online Trust and Privacy"
This activity will be based on the National Strategy for
Trusted Identities in Cyberspace, which is available in draft form
There was a comment period, which is now closed (and the comments have now been
The draft action items include
Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
Work Among the Public/Private Sectors to Implement Enhanced Privacy
Coordinate the Development and Refinement of Risk Models and Interoperability
Standards that cover interoperability requirements, trustmark criteria, and
accreditation will pave a path that supports choice across solutions,
ultimately accelerating Identity Ecosystem adoption. All detailed actions
associated with Identity Ecosystem standards will build on existing efforts
undertaken by the Federal Government, trust framework providers, private
sector, standards bodies, and international organizations.
Standards established within the Identity Ecosystem will require incorporation
of privacy guidelines. They should also require, to the extent feasible,
adoption of protocols that minimize the ability to link or aggregate
transactions and transaction data across Identity Ecosystem participants and
relying parties, while maintaining individual transaction history, integrity,
and auditability. Standards development, adoption, or enhancement will
support autonomy and choice among Identity Ecosystem providers and flexibility
within industry sectors, while facilitating cross-sector and international
What is proposed is apparently something like an official version of the
existing Certificate system, and apparently will involve technical standards
This is an area where the IETF has some expertise, and also should have some
concerns. I must admit that statements such as this
"The Governance Layer enables unaffiliated entities to trust each other’s
digital identities. A Governance Authority will establish the criteria for
assessing and certifying Accrediting Authorities, who in turn assess and
certify service providers. In addition, the Governance Authority will control
the rules for trustmarks that indicate the service provider’s standing as a
participant within the Identity Ecosystem."
make me nervous.
Has the IETF (presumably, the IAB) considered a response to this proposal ?
Should it ?
Ietf mailing list