the comment period last year was very short; too short for us to reply at the
time when we learned about it. Other groups had problems getting their feedback
in as well.
The work they are looking into is related to web identity management protocols
and trust frameworks. There are technical aspects as well as policy parts to
the larger body of work.
To provide a comparison I would pick the credit card industry. There are
technical standards (such as a completely insecure "authentication mechanism")
but there are also security best current practices (such as the PCI DSS work),
an architecture how the different actors (such as merchants, acquirer, payment
networks, issuers, and banks) interact, and regulation (banking laws, liability
guarantees for unauthorized credit and debit card charges), policies regarding
levels of authentication assurances, etc.
From the technical work a lot centers around OpenID and SAML profiles. Other
protocols would be relevant to the exchange of data but the work has not
progressed so far yet.
You raised the question whether the IETF/IAB should have a look at this topic.
Maybe not a bad idea and the next IETF meeting is upcoming to talk about it.
And "yes", there are also interesting privacy questions.
PS: There are similar efforts outside the US (such as in Europe). They do not,
however, receive so much press attention.
On Jan 10, 2011, at 6:50 PM, Marshall Eubanks wrote:
Friday, the White House blog announced the creation of
"A National Program Office for Enhancing Online Trust and Privacy"
This activity will be based on the National Strategy for
Trusted Identities in Cyberspace, which is available in draft form
There was a comment period, which is now closed (and the comments have now
been taken down)
The draft action items include
Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
Work Among the Public/Private Sectors to Implement Enhanced Privacy
Coordinate the Development and Refinement of Risk Models and Interoperability
Standards that cover interoperability requirements, trustmark criteria, and
accreditation will pave a path that supports choice across solutions,
ultimately accelerating Identity Ecosystem adoption. All detailed actions
associated with Identity Ecosystem standards will build on existing efforts
undertaken by the Federal Government, trust framework providers, private
sector, standards bodies, and international organizations.
Standards established within the Identity Ecosystem will require
incorporation of privacy guidelines. They should also require, to the extent
feasible, adoption of protocols that minimize the ability to link or
aggregate transactions and transaction data across Identity Ecosystem
participants and relying parties, while maintaining individual transaction
history, integrity, and auditability. Standards development, adoption, or
enhancement will support autonomy and choice among Identity Ecosystem
providers and flexibility within industry sectors, while facilitating
cross-sector and international interoperability.
What is proposed is apparently something like an official version of the
existing Certificate system, and apparently will involve technical standards
This is an area where the IETF has some expertise, and also should have some
concerns. I must admit that statements such as this
"The Governance Layer enables unaffiliated entities to trust each other’s
digital identities. A Governance Authority will establish the criteria for
assessing and certifying Accrediting Authorities, who in turn assess and
certify service providers. In addition, the Governance Authority will control
the rules for trustmarks that indicate the service provider’s standing as a
participant within the Identity Ecosystem."
make me nervous.
Has the IETF (presumably, the IAB) considered a response to this proposal ?
Should it ?
Ietf mailing list
Ietf mailing list