[LINK] ArsT: ' ... US rolls out Internet identity plan'
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Apr 16 11:20:42 AEST 2011
[The US has given up on a national eGovernment id for citizens, but
hopes that NIST can broker a federated id scheme run by the private
sector.
[Australia is persisting with its attempt to deliver single-login to
government services, at
https://login.australia.gov.au/LoginServices/source/Login.jsp?finalURL=http%3A%2F%2Flogin.australia.gwy%2FLoginServices%2FAuthenticate.do
https://login.australia.gov.au/TacService/enrolTaci.htm?_flowId=enrolment-flow&_flowExecutionKey=e1s1
[There's no FAQ, but there's a brief explanation here:
http://australia.gov.au/about/whats-new
[Comments interspersed and at the end.]
With passwords "broken," US rolls out Internet identity plan
By Nate Anderson
Last updated about 8 hours ago - dopes - 15 April 2011
ArsTechnica
http://arstechnica.com/tech-policy/news/2011/04/with-passwords-broken-us-rolls-out-internet-identity-plan.ars
At a US Chamber of Commerce event today, the federal government
rolled out its vision for robust online credentials that it hopes
will replace the current mess of multiple accounts and insecure
passwords. The choice of the Chamber of Commerce wasn't an accident,
either; the government wants to squelch any talk of a "national
Internet ID card" and emphasize that the plan will be both voluntary
and led by the private sector.
The National Strategy for Trusted Identities in Cyberspace (NSTIC)
hasn't changed much since the draft plan unveiled in January, though
the final version (PDF) contains an even stronger emphasis on NSTIC
being a private-sector, voluntary undertaking. This point was
stressed so many times in a background briefing call for reporters
this morning that it's clear the government fears a potential
backlash against its efforts.
The final version of NSTIC tries to address two problems: the fact
that passwords are "broken" and the fact that it's almost impossible
to prove your identity on the Internet. The future belongs to smart
cards, cell phones, USB security sticks, and similar solutions. When
the Department of Defense moved away from passwords to a smartcard
security solution, it saw network intrusions drop by 46 percent.
["Passwords are 'broken'", and gave rise to n intrusions per 100,000 accounts.
[Hackers have had less time to devise assaults on the new approaches,
but already the intrusion rate is n/2 per 100,000 accounts.]
[Ergo the new approach is *also* badly 'broken'.]
The goal of the system is simple: create the baseline tools needed
for online commerce to thrive. Indeed, the first sentence of the
NSTIC final report reads: "A secure cyberspace is critical to our
prosperity." The government hopes to enable whole new classes of
online activity, such as dealing with health records or signing
mortgages, that today few people would trust to the Internet. It also
hopes to slow rampant ID theft, which it claims costs more than $600
per incident to fix.
['ID theft' in US parlance actually means 'ID fraud' (or 'ID crime').
Advocates get criticised for hyperbole, but government and business
seem to be allowed to sustain this misleading use of language.]
The government hopes to facilitate this new ecosystem, one that will
be interoperable and run largely by private parties. Under the plan,
Internet users could go to any private credential provider of their
choice and verify their identity, then use that credential to log in
to any site which supports the identity ecosystem. Have one
credential from Google and another from Verisign, but want to log in
to Facebook? Either credential should work.
Users can choose how many credentials they acquire, what information
is contained in each, and how much information is revealed at login.
For example, student Jane Smith could get a digital credential from
her cell phone provider and another one from her university and use
either of them to log in to her bank, her e-mail, her social
networking site, and so on, all without having to remember dozens of
passwords. If she uses one of these credentials to log into her Web
email, she could use only her pseudonym, "Jane573." If however she
chose to use the credential to log in to her bank she could prove
that she is truly Jane Smith. People and institutions could have more
trust online because all participating service providers will have
agreed to consistent standards for identification, authentication,
security, and privacy.
The program will be coordinated by the National Institute of
Standards and Technology (NIST), the part of the Commerce Department
that has set national standards since 1901. NIST will coordinate the
new strategy but insists it will be led by the private sector, that
privacy is paramount, and that consumer advocates and privacy groups
will be part of the process.
NIST hopes to arrive at privacy standards that will give Internet
users confidence in using such credentials, to clarify the liability
that credentials providers will face should someone still manage to
steal your identity, and to issue a "trustmark" that accredits
participating credential providers and websites.
Public meetings on NSTIC begin in June, and NIST hopes to be funding
pilot projects by 2012. Still, ordinary Internet users won't be able
to use the system for three to five years.
[Federated ID has been around for donkey's years. My analysis from 7
years ago was here:
Clarke R. (2004) 'Identity Management: The Technologies, Their
Business Value, Their Problems, Their Prospects' Xamax Consultancy
Pty Ltd, March 2004, 70 pp., from
http://www.xamax.com.au/EC/IdMngt.html (esp. pp. 13-17)
After selling a modest number of copies, it's about time I released
an open version, now available (1.3MB of PDF) at
http://www.xamax.com.au/EC/IdMngt-Public.pdf
http://www.rogerclarke.com/EC/IdMngt-Public.pdf
Its conclusions remain valid, and I doubt if NIST has got the message yet:
"The current crop of products and proposals are shown to be seriously
inadequate. One problem is a deficiency in the appreciation by designers
of what the assertions are that organisations need to authenticate in
order to manage their business risks. Most schemes also fail to
distinguish between identities and the entities that underlie them, and
overlook the existence, and likely continued existence, of anonymity and
pseudonymity.
...
"The schemes that are attracting the most press are conceptually
inadequate, and have not achieved a balance among their many objectives.
The report identifies ways in which identity management schemes could
reconcile the conflicting interests. It draws attention to research
projects that may enable the next round of schemes to be more likely to
succeed than the current proposals."
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
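Added example (not from the Ars Technica article, the NSTIC document, or Roger Clarke's post): a small Python model of the "one credential, several sites" scenario the article describes, in which the same credential provider lets Jane log in to her web mail as an unlinkable pseudonym and to her bank with her verified name and date of birth, with the user choosing what is released at each login. Provider, site and user names, the attribute values and all keys are constructed for illustration; HMAC with a per-site shared key stands in for the public-key signatures a real federated scheme would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: attributes the credential provider verified when
# Jane enrolled. A real provider would hold these in a store, not a dict.
USERS = {
    "jane": {
        "name": "Jane Smith",
        "date_of_birth": "1990-05-14",
        "student_number": "u1234567",
    },
}


def _mac(key, body):
    """Stand-in 'signature': HMAC-SHA256 over the serialised assertion."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class CredentialProvider:
    """Issues assertions containing only the attributes the user releases."""

    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.pairwise_secret = secrets.token_bytes(32)
        self.rp_keys = {}  # relying-party id -> shared key, set at registration

    def register_rp(self, rp_id):
        key = secrets.token_bytes(32)
        self.rp_keys[rp_id] = key
        return key

    def pairwise_subject(self, user_id, rp_id):
        # A different opaque subject for every site, so two sites comparing
        # logs cannot tell that the pseudonym at one is the person at another.
        tag = hmac.new(self.pairwise_secret, f"{user_id}|{rp_id}".encode(), hashlib.sha256)
        return "u-" + tag.hexdigest()[:16]

    def issue(self, user_id, rp_id, release):
        """release: names of attributes the user chose to reveal (empty = pseudonymous)."""
        attrs = USERS[user_id]
        unknown = set(release) - set(attrs)
        if unknown:
            raise ValueError(f"cannot release unverified attributes: {sorted(unknown)}")
        payload = {
            "iss": self.provider_id,
            "aud": rp_id,  # the one site this assertion is meant for
            "sub": self.pairwise_subject(user_id, rp_id),
            "claims": {k: attrs[k] for k in sorted(release)},
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return {"body": body.decode(), "tag": _mac(self.rp_keys[rp_id], body)}


class RelyingParty:
    """A site that accepts assertions only from providers it trusts."""

    def __init__(self, rp_id, trusted_providers):
        self.rp_id = rp_id
        self.trusted = trusted_providers  # provider id -> shared key

    def verify(self, token, required=()):
        payload = json.loads(token["body"])
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(_mac(key, token["body"].encode()), token["tag"]):
            raise ValueError("bad signature")
        # With real public-key signatures every site checks the same key, so the
        # audience check is what stops an assertion issued for web mail from
        # being replayed at the bank.
        if payload.get("aud") != self.rp_id:
            raise ValueError("assertion issued for a different site")
        missing = [c for c in required if c not in payload["claims"]]
        if missing:
            raise ValueError(f"site policy requires {missing}")
        return payload


def is_rejected(rp, token, required=()):
    try:
        rp.verify(token, required)
    except ValueError:
        return True
    return False


def demo():
    provider = CredentialProvider("telco-id.example")
    webmail = RelyingParty("webmail.example", {"telco-id.example": provider.register_rp("webmail.example")})
    bank = RelyingParty("bank.example", {"telco-id.example": provider.register_rp("bank.example")})

    # Web mail: Jane releases nothing, so the site sees only a pairwise pseudonym.
    mail_session = webmail.verify(provider.issue("jane", "webmail.example", release=set()))
    # Bank: Jane releases name and date of birth, which the bank's policy requires.
    bank_session = bank.verify(provider.issue("jane", "bank.example", {"name", "date_of_birth"}),
                               required=("name", "date_of_birth"))
    replay_blocked = is_rejected(bank, provider.issue("jane", "webmail.example", set()))
    pseudonym_refused = is_rejected(bank, provider.issue("jane", "bank.example", set()), ("name",))
    return mail_session, bank_session, replay_blocked, pseudonym_refused


if __name__ == "__main__":
    mail, bank, blocked, refused = demo()
    print("web mail sees:", mail["sub"], mail["claims"])
    print("bank sees:", bank["sub"], bank["claims"])
    print("replay blocked:", blocked, "| bank refuses pseudonym:", refused)
```

The two properties worth noticing are that the subject identifier differs per site (so the web mail provider and the bank cannot link their records by comparing it) and that the bank's policy, not the provider, decides that a pseudonymous assertion is insufficient. Replace the HMAC with a signature over the same body and the provider's public key in `trusted` and the structure is that of a SAML or OpenID Connect style assertion.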
More information about the Link mailing list