ietf
[Top] [All Lists]

Re: National Strategy for Trusted Identities in Cyberspace

2011-01-10 12:52:28
Hi Marshall, 

the comment period last year was very short; too short for us to reply at the 
time when we learned about it. Other groups had problems getting their feedback 
in as well. 

The work they are looking into is related to web identity management protocols 
and trust frameworks. There are technical aspects as well as policy parts to 
the larger body of work. 

To provide a comparison I would pick the credit card industry. There are 
technical standards (such as a completely insecure "authentication mechanism") 
but there are also security best current practices (such as the PCI DSS work), 
an architecture how the different actors (such as merchants, acquirer, payment 
networks, issuers, and banks) interact, and regulation (banking laws, liability 
guarantees for unauthorized credit and debit card charges), policies regarding 
levels of authentication assurances, etc. 

From the technical work a lot centers around OpenID and SAML profiles. Other 
protocols would be relevant to the exchange of data but the work has not 
progressed so far yet. 
 
You raised the question whether the IETF/IAB should have a look at this topic. 
Maybe not a bad idea and the next IETF meeting is upcoming to talk about it. 
And "yes", there are also interesting privacy questions. 

Ciao
Hannes

PS: There are similar efforts outside the US (such as in Europe). They do not, 
however, receive so much press attention. 

On Jan 10, 2011, at 6:50 PM, Marshall Eubanks wrote:

Friday, the White House blog announced the creation of 

"A National Program Office for Enhancing Online Trust and Privacy"

http://www.whitehouse.gov/blog/2011/01/07/national-program-office-enhancing-online-trust-and-privacy

This activity will be based on the National Strategy for
Trusted Identities in Cyberspace, which is available in draft form

http://www.dhs.gov/xlibrary/assets/ns_tic.pdf

There was a comment period, which is now closed (and the comments have now 
been taken down)

http://www.msnbc.msn.com/id/37943900/

http://www.nstic.ideascale.com/

The draft action items include

Action 2:
Develop a Shared, Comprehensive Public/Private Sector Implementation Plan

Action 4:
Work Among the Public/Private Sectors to Implement Enhanced Privacy
Protections

Action 5:
Coordinate the Development and Refinement of Risk Models and Interoperability
Standards

Standards that cover interoperability requirements, trustmark criteria, and 
accreditation will pave a path that supports choice across solutions, 
ultimately accelerating Identity Ecosystem adoption. All detailed actions 
associated with Identity Ecosystem standards will build on existing efforts 
undertaken by the Federal Government, trust framework providers, private 
sector, standards bodies, and international organizations.

Standards established within the Identity Ecosystem will require 
incorporation of privacy guidelines. They should also require, to the extent 
feasible, adoption of protocols that minimize the ability to link or 
aggregate transactions and transaction data across Identity Ecosystem 
participants and relying parties, while maintaining individual transaction 
history, integrity, and auditability.     Standards development, adoption, or 
enhancement will support autonomy and choice among Identity Ecosystem 
providers and flexibility within industry sectors, while facilitating 
cross-sector and international interoperability.

-----

What is proposed is apparently something like an official version of the 
existing Certificate system, and apparently will involve technical standards 
setting.

This is an area where the IETF has some expertise, and also should have some 
concerns. I must admit that statements such as this

"The Governance Layer enables unaffiliated entities to trust each other’s 
digital identities. A Governance Authority will establish the criteria for 
assessing and certifying Accrediting Authorities, who in turn assess and 
certify service providers. In addition, the Governance Authority will control 
the rules for trustmarks that indicate the service provider’s standing as a 
participant within the Identity Ecosystem."

make me nervous. 

Has the IETF (presumably, the IAB) considered a response to this proposal ?  
Should it ?

Regards
Marshall
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>