The National Strategy for Trusted Identities in Cyberspace
On June 25, the US Government released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-stick”) for public review and comment. NSTIC is a recognition of the need for a secure identity infrastructure to address the current fraud on the Internet, and the need to support additional applications that are not well supported by current identity systems.
While in many countries it is natural to think of the Government as the manager for one’s online identity, this makes many Americans, and indeed the US Government, very uncomfortable. NSTIC addresses this concern through an Identity Ecosystem, an accredited community of Identity Providers supporting authentication and Attribute Providers providing trustable information about users. The concept is to provide users with freedom of choice on what identity provider(s) to trust with their authentication credentials, and what attribute providers should be trusted to provide reliable information about the user.
The NSTIC comments website currently has about 300 feedback and idea items about the draft, with votes and comments on many of these ideas. It appears from many of the comments and from some press coverage that there are some misconceptions about NSTIC and what it is trying to do. Here are a few of them:
- Privacy — There is concern that this will lead to a Government-run identity system with extensive surveillance power. The idea of the Identity Ecosystem is much the opposite — the user should get to choose an Identity Provider they trust. Although it doesn’t explicitly say this, users should have the ability to use more than one, just as they might do business with more than one bank or have more than one credit card or brokerage account. It is true that Identity Providers will be subject to legal process (e.g., subpoenas) but this isn’t really any different from the non-online world.
- Existing technologies — Several of the comments suggest that the use of existing technologies such as OpenID or PGP is the solution to the problem. If that were entirely the case, we would probably have an Identity Ecosystem already. But while existing technologies will hopefully have a part in the eventual solution, none are a complete answer to the problem. Furthermore, identity management is equally a business issue: issues around liability, who pays for the service, and trust, which is fundamentally a policy/contract issue, need to be resolved in addition to the technical issues.
- Security — A centrally-located database of user credentials is a very high-value target to attack, and several comments assert that centralized management of credentials is necessarily more insecure than distributed management. If this were true for money, we would all be keeping cash in our mattresses. It is true that identity providers are going to need very high security. But this is a risk that we can insure against, and centralized identity management has the potential to detect fraud in the same way that credit card companies do–by watching for unusual behavior patterns and contacting the user if there are indications of compromise.
Of course, there are a number of unanswered questions and issues that remain in this draft document. Here are a few that should be addressed:
- How do we establish a workable business model for identity management? In several places the document mentions incentives for various things, but the form of these incentives isn’t clear. It isn’t a sustainable model for the Government to provide ongoing funding to identity management; a service is being provided here and someone needs to pay for it. Do the relying parties pay for authentication and attribute services? Does the user buy “identity theft insurance” that includes the services of an Identity Provider?
- What is the international structure of NSTIC? In today’s global business environment, the interoperability of the technical components and the ability to extend the trust relationships across international boundaries is critical.
- How does the governance structure work? NSTIC describes a model where the participants are accredited by a number of entities that are certified by a Governance Authority. It would be good to know who the Governance Authority is, but it is really the parties to the transaction that decide to accept the accreditation of other parties in the transaction. What additional value does the Governance Authority bring to this, and does it create new problems in international situations?
- Is there a provision for low-value transactions as well? The Government tends to deal in high-value transactions (access to sensitive information, large amounts of money, etc.), so it is natural that there would be a lot of focus on making sure that NSTIC is secure enough for these uses. However, many real-world transactions are very low value/risk, and they should not be burdened with requirements aimed at more onerous uses. “Friction” is a significant problem for these low value transactions; if it’s too inconvenient to “buy” a song on the Web, a lot fewer will be “sold”. If one has to do two-factor authentication to make a comment on someone’s blog, the comment will probably just not be made. Identity providers need to support different methods of authentication depending on the value and risk involved.
It is important that NSTIC remain focused on issues that can have a direct effect on trusted identity. Three technologies mentioned in the strategy, DNSSEC, BGPSEC, and IPSEC, fall outside that category. The Strategy should not specify particular technologies, regardless of their merits. In the short term, enabling trusted identity should not be dependent on the Internet upgrading en masse. In the long term, coupling trusted identity to specific technologies could inhibit adoption of new and better technologies and processes.
Overall, it’s very good news to see that the Government recognizes the problems we are having with managing identities online. NSTIC is a great start, and having a public discourse on its merits is important for a subject that affects people as personally as identity management. Read the draft strategy thoughtfully and provide feedback and ideas; public input is solicited through July 19.